SignatureInfo
SignatureInfo is a Total Commander content plugin (WDX) that provides various pieces of information about digital signatures embedded in files like EXE, DLL, MSI, MSU and so on (Authenticode). It can also find and process signatures stored in external catalog (CAT) files. Just like any content plugin, it can be used in TC's custom columns, search function, tooltips and so on. See TC Wiki for more information.
1. Features
- Provides various pieces of information about digital signatures embedded in files like EXE, DLL, SYS, OCX, CPL, MUI, MSI, MSU, CAB and CAT
- Determines number of signatures per file
- Supports multiple signatures per file, including multiple nested signatures
- Supports embedded and external catalog signatures
- Show if a file is signed by embedded signatures and/or an external catalog file
- Provides over a dozen information fields for each signature including Subject, Issuer, Valid from/to, Signature algorithm, Pubkey Length, Serial, Thumbprint, Signing Time, and many more
- Show which catalog file signs a file, e.g. for drivers and Windows system files
- Check if a signature is considered valid by the system the check is run on
- Supports Unicode and long paths (> 259 characters)
2. System Requirements
- Windows 2000 or later, 32 or 64-bit
- Total Commander 7.50 or later, 32 or 64-bit
3. Plugin settings
3.1. Location of plugin settings files
Since this plugin is a content plugin, it returns a so-called detect string to TC. This string is saved in wincmd.ini and can be edited and customized if necessary. See next section below.
The plugin has additional settings which are saved in a different file. If you want to change any plugin settings you can do so in either
- SignatureInfo.ini in the plugin's directory, or
- contplug.ini in the directory where wincmd.ini is located (default).
The first option is good for portable mode; the latter is useful on systems where Total Commander is installed in a directory that users can't write to (like %ProgramFiles%).
Important: If SignatureInfo.ini exists in the plugin's directory it takes precedence over contplug.ini!
3.2. Detect string
TC calls plugin functions depending on a detect string, which consists of any combination of file properties such as file extensions, sizes and others. By default this plugin's detect string contains file extensions only. Example detect string:
n_detect="EXT = "EXE" | EXT="DLL" | EXT="SYS" ..."
where n is the number assigned by TC to the plugin. If you need to add or remove file extensions, you can do so in wincmd.ini. Open wincmd.ini in your favorite editor, look for the plugin number assigned by TC in section [ContentPlugins], then look for the detect string starting with that same number, and make changes to the plugin's detect string as you see fit. Note that opening a new TC instance (or a TC restart) is required to apply any changes. The TC Wiki article ContentGetDetectString is a good starting point if you need to make major changes to the detect string.
3.3. The settings in detail
The settings are explained in the SignatureInfo.sample.ini file, but they're also listed here for reference.
Section [SignatureInfo]
Setting and default | Description |
---|---|
SignatureCount = 3 | Defines the number of signatures to provide in TC's interface. Values smaller than 1 are internally reset to 1. The plugin doesn't enforce an upper limit currently. Setting this to a larger value allows access to more signatures contained in files, but it may also make the field selection in TC cumbersome and/or confusing since there are more than a dozen content fields for each signature. |
SerialCase = 0 | 0 - Don't change the case of the certificate's serial, i.e. leave it to the OS or plugin functions (usually uppercase). 1 - Always show the certificate's serial in uppercase characters. -1 - Always show the certificate's serial in lowercase characters. |
ThumbprintCase = 0 | Set Thumbprint case. Same values as for SerialCase setting, see above. |
CacheSize = 4000 | Set the maximum number of items to cache in memory to allow TC fast access to the plugin field values. Values equal to or smaller than 0 are ignored. |
ClearCacheOnRefresh = 1 | 1 - Flush the cache when the cm_RereadSource command is issued in TC, e.g. by pressing Ctrl+R. This forces a refresh on all plugin field values, including the signature's verification status if such a field is present in a custom column. 0 - Don't clear the cache on cm_RereadSource. Note that, even with cache flushing disabled, items will still be removed from the cache once CacheSize is reached. |
CriticalExtensionPrefix = "(!)" | Sets the prefix that is shown for the "Cert Extensions" fields if an extension's critical flag is set. By default the value is an exclamation mark in parentheses, more or less a textual representation of the warning icon shown by Windows in the certificate properties. Set to an empty string to disable the prefix completely. |
VerificationOnDemandOnly = 0 | This setting defines the behavior of the "Verification" plugin field/column. 0 - Verification is done automatically in a background thread for every file requested by TC. 1 - Verification is done on user request only, i.e. if a user presses the space bar on a file. |
MaxFileSizeToHash = 20480 | This setting needs some explanation. To be able to find an external catalog signature a file must be read and hashed. The hash is then used to try to find a catalog which signs the file. Reading and hashing files is slow, especially for large files! This setting specifies the maximum size, in KiB, of files to be considered to be hashed. Files larger than this size won't be hashed, and the "Catalog File" field will indicate if this limit is hit (by setting it to "File Size!"). Set the value to -1 to disable the limit and hash files regardless of size. Note that hashing every file is slow, especially for large and/or huge files! This setting doesn't affect finding embedded signatures, it's only about catalog signatures. |
CheckFilesWithEmbeddedSigsForCatalogs = 1 | 1 - Try to find catalog signatures for a file even if it has embedded signatures. 0 - Don't try to find external catalog signatures for files with embedded signatures. Note: This setting doesn't affect files without an embedded signature. If no embedded signature was found, the plugin will try to find an external catalog signature (limited only by MaxFileSizeToHash setting). |
4. Signature verification
Signature verification can take a long time in some cases, especially when that verification requires an internet connection. Thus, the values of the verification fields are returned to TC in a background thread.
The hex error codes given by the plugin are system error codes, and as such, are defined in the Windows API header file winerror.h. This header file isn't particularly user-friendly because it's meant for software developers. Here's an example of this file at GitHub, where you can look up the error codes if you really want to.
Unfortunately, I haven't found a Microsoft source listing the error codes in a user-friendly way. But I have found a third-party source. All error codes related to signatures/certificates should be listed on the following two pages:
- FACILITY_SSPI: the Security API layer.
- FACILITY_CERT: a certificate client or server?
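To see which of the two facilities a code belongs to before looking it up, the value can be split into its fields. The following is an added example, not part of the plugin; it assumes the codes are 32-bit HRESULT values as laid out in winerror.h, the function names are illustrative, and the name table holds only a handful of well-known constants.

```python
# Added example: decode a verification error code into HRESULT fields.
# Facility numbers and constant values are taken from winerror.h.
FACILITIES = {9: "FACILITY_SSPI", 11: "FACILITY_CERT"}

# A few common signature/certificate codes (deliberately not exhaustive).
KNOWN = {
    0x800B0100: "TRUST_E_NOSIGNATURE",
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
    0x800B010A: "CERT_E_CHAINING",
    0x800B010C: "CERT_E_REVOKED",
    0x800B0111: "TRUST_E_EXPLICIT_DISTRUST",
    0x80096010: "TRUST_E_BAD_DIGEST",
}


def parse_code(code):
    """Accept a hex string ('0x800B0101', '800b0101') or an int.

    Negative ints are treated as the signed 32-bit form some tools print.
    """
    if isinstance(code, str):
        code = int(code.strip(), 16)  # base 16 also accepts a '0x' prefix
    if not -0x80000000 <= code <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value")
    return code & 0xFFFFFFFF


def decode_hresult(code):
    """Return severity, facility, low 16-bit code and (if known) the name."""
    value = parse_code(code)
    facility = (value >> 16) & 0x7FF  # bits 16..26
    return {
        "hex": f"0x{value:08X}",
        "failure": bool(value >> 31),  # bit 31 set means failure
        "facility": FACILITIES.get(facility, f"facility {facility}"),
        "code": value & 0xFFFF,        # bits 0..15
        "name": KNOWN.get(value, "not in table, look up in winerror.h"),
    }


if __name__ == "__main__":
    for sample in ("0x800B0101", "80096010", -2146762495):
        print(decode_hresult(sample))
```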
5. Known issues and limitations
5.1. Known Issues
- Currently there are no known issues.
5.2. Limitations
- On some Windows systems the field "Pubkey Len2" is empty. Officially, it's supposed to work on Windows 8 and later. In my tests it worked just fine on Windows 7 SP1, but not on WinXP or older.
- If a file contains only SHA-2 signatures, the plugin will not be able to find and list any signatures on Windows systems that don't support SHA-2 (definitely WinXP and older, perhaps Vista/Win7 without SHA-2 update installed). This is an OS limitation.
- On Windows systems that don't support multiple embedded signatures per file (definitely XP and older, perhaps Vista/Win7 without SHA-2 support) the plugin can find and show information about the first (primary) signature only. This is an OS limitation, not a plugin limitation. The plugin field "Nested Signature" might help in such situations; it shows whether or not a file contains more than one signature.
6. Frequently Asked Questions
Why is the plugin showing a different value for the Public Key Length, e.g. 4208 instead of 4096 or 2160 instead of 2048?
There are some good explanations in the answers of the following thread on StackExchange: RSA public key and private key lengths.
The gist of it is this: A public key consists of a so-called modulus, an exponent and some other values. What is usually called a "4096 bit key" is a key having a 4096 bit modulus, and some additional bytes. That's why most (if not all) of the keys are longer in reality.
To show the traditional value, the plugin provides an additional field "Pubkey Len2". However, that field has its own limitations, see Limitations for more information.
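Both figures from the question can be reproduced by counting the bytes of a DER-encoded RSAPublicKey structure, i.e. a SEQUENCE holding the modulus and the exponent as ASN.1 INTEGERs. This is an added example, not the plugin's code; it assumes the common public exponent 65537 and that the longer figure is the size of the encoded key in bits, and the function names are illustrative.

```python
# Added example: size of a DER-encoded RSAPublicKey
#   RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }

def der_length_octets(n):
    """Bytes DER needs to express a content length of n."""
    if n < 0x80:
        return 1                          # short form: one byte
    return 1 + (n.bit_length() + 7) // 8  # long form: 0x8N + N length bytes


def der_integer_size(value):
    """Encoded size (tag + length + content) of a non-negative INTEGER."""
    # DER integers are signed, so a value whose top bit is set gets a
    # leading 0x00 byte; bit_length() // 8 + 1 accounts for that pad.
    content = value.bit_length() // 8 + 1
    return 1 + der_length_octets(content) + content


def rsa_public_key_bits(modulus_bits, exponent=65537):
    """Size in bits of the encoded key for a modulus of the given length."""
    # Any modulus with its top bit set encodes to the same number of bytes.
    modulus = (1 << modulus_bits) - 1
    content = der_integer_size(modulus) + der_integer_size(exponent)
    total_bytes = 1 + der_length_octets(content) + content
    return total_bytes * 8


def overhead_bits(modulus_bits, exponent=65537):
    """Bits that are not part of the modulus itself."""
    return rsa_public_key_bits(modulus_bits, exponent) - modulus_bits


if __name__ == "__main__":
    for bits in (1024, 2048, 3072, 4096):
        print(bits, "->", rsa_public_key_bits(bits),
              "(overhead", overhead_bits(bits), "bits)")
```

For 2048 and 4096 bit moduli this yields 2160 and 4208, the values quoted in the question: 112 bits (14 bytes) of tags, length bytes, the sign pad and the exponent.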
Why is the field "Pubkey Len2" empty, not providing any value?
See Limitations in section "Known issues and limitations" above.
The field "Catalog File" shows "File Size!". What does it mean?
See setting MaxFileSizeToHash in section "Plugin settings" above.
7. License
This software is provided "as is". No warranty provided. You use this program at your own risk. The author will not be responsible for data loss, damages, etc. while using or misusing this software.
The software must not be modified, you may not decompile or disassemble it.
This plugin is copyrighted freeware.
8. Thanks to
- Christian Ghisler, the author of Total Commander, for developing this great program that I use every day
- The members of the Delphi-PRAXiS forum that helped me understand and fix and optimize some things
- Project JEDI for translating the Windows API header files to Delphi
- Daniel Sie (StackOverflow) for the key detail about where to find nested signatures
- Rashid Abzalov (StackOverflow) for example code on how to read and process nested signatures and how to get a signature's signing time
- MikeF (StackOverflow) for example code on how to read nested signatures and process the different kinds of signing timestamps
- leeqwind (GitHub), the author of PESignAnalyzer, for writing and publishing code that is able to read multiple nested signatures, and shows how to find which catalog file signs a file
- Jared Atkinson (GitHub) for example code that shows how to find SHA256 hashes in external catalog files
9. Contact
If you have found a bug or have a suggestion, improvement, criticism or translation, you can contact me, Dalai, in English or German, at:
Mail: dalai82@gmx.net
Please put "SignatureInfo" somewhere in the subject.
There is a discussion thread in the official TC forum which can be used, too: https://ghisler.ch/board/viewtopic.php?t=???