NSIS (Nullsoft Scriptable Install System) plugin that enables:
- Calculating a file's hash (SHA1, SHA2)
- Verifying a file's Authenticode code signature (including details)
- Obtaining a file's string version info
- Windows: Windows XP -> Windows 10
- NSIS: 3.0+ (ANSI or Unicode)
The resulting filecheck.dll:
- Does not have a dependency on the CRT, and should run on systems that do not yet have the VCRedist / CRT installed.
- Dynamically loads all libraries except
kernel32.dllanduser32.dll, and handles differing OS / patch-level support of the underlying Windows APIs used automatically.
filecheck::calcFileHash local_file ALGORITHM
If successful, this call returns the ALGORITHM hash of the contents of the file local_file as a hex-encoded string; otherwise, it returns an error description string.
- ALGORITHM
- Must be one of:
sha1,sha256,sha384,sha512
- Must be one of:
Note: SHA-2 algorithms (
sha256,sha384,sha512) require Windows XP SP3+.
- Calculate a file's SHA-256 hash
filecheck::calcFileHash "path_to_file" sha256
Pop $R0 ; Get the return valuefilecheck::verifyFileSignature local_file [/ROOT microsoft] [/CERTNAME NAME] [/CERTISSUERNAME ISSUERNAME]
This call returns "OK" if the file's Authenticode signature is valid (and passes any additional checks); otherwise, it returns an error description string.
- /ROOT microsoft
- Specify the requirement for a particular root. The only supported value is
microsoftwhich checks for a Microsoft root certificate.
- Specify the requirement for a particular root. The only supported value is
- /CERTNAME
- Check that the first valid signature is associated with a certificate with name NAME.
- /CERTISSUERNAME
- Check that the first valid signature is associated with a certificate with issuer name ISSUERNAME.
- Check for any valid code signature
NOTE: This simply checks that the file has a valid code signature. It does not perform any additional validation on what code signature it has. You should not use this as the only check for file authenticity, or any file with a valid code signature could be substituted and pass the check.
filecheck::verifyFileSignature "path_to_file"
Pop $R0 ; Get the return value
${If} $R0 == "OK"
; Verification succeeded
${Else}
MessageBox MB_OK|MB_ICONSTOP "Code signature verification failed: $R0"
${EndIf}- Check for a valid Microsoft code-signature
filecheck::verifyFileSignature "path_to_file" /ROOT "microsoft" /CERTNAME "Microsoft Corporation" /CERTISSUERNAME "Microsoft Code Signing PCA"
Pop $R0 ; Get the return value
${If} $R0 == "OK"
; Verification succeeded
${Else}
MessageBox MB_OK|MB_ICONSTOP "Code signature verification failed: $R0"
${EndIf}filecheck::getFileVersionInfoString local_file STRINGNAME [/LANGUAGE LANGNUM=1033] [/CODEPAGE CODEPAGENUM=1252]
This call returns returns the string info value corresponding to STRINGNAME in local_file's version information (specifically, at the path: \StringFileInfo\LANGNUM-CODEPAGENUM\STRINGNAME). If there is an error, it returns an error description string.
- Get the FileDescription from a file's version info
filecheck::getFileVersionInfoString "path_to_file" "FileDescription" /LANGUAGE 1033 /CODEPAGE 1252
Pop $R0 ; Get the return valueThis plugin supports SHA-2 on Windows XP SP3 and above. For almost all cases, there is zero reason to use SHA-1.
Time of check to time of use (TOCTOU / TOCTTOU) bugs can lead to security vulnerabilities.
Do not assume that a file that has been checked has not been modified between the time of the check and the time of the use. Use proper security permissions on any containing / temporary folders to ensure that nothing unprivileged can modify a file between a check and any use.
- Visual Studio 2017-2019
- CMake 3.5+ (3.15+ recommended)