Skip to content

Add command to show details about a signed object #307

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add command to show details about a signed object #307

wants to merge 1 commit into from

Conversation

JohnAZoidberg
Copy link
Contributor

It's useful to know whether an executable is already signed and by whom. Either to make sure that you have properly signed it or to check if somebody else has signed it.

Example:

> java -jar jsign/target/jsign-7.2-SNAPSHOT.jar show foo.exe
  jsign show foo.exe
  Signature 0
  Digest Algorithm:   SHA256
  Digest Value:       c481bb3892d066ffacba0650adaa4c252580b776b1dd6026cf4a8bea6c813939
  Is Timestamped?     false
  Certificate
    Subject:          CN=net.jsign.signing-cert
    Issuer:           CN=net.jsign.issuing-cert
    Not Before:       Fri Dec 03 14:34:46 CST 2021
    Not After:        Wed May 24 14:34:46 CST 2119
    Expired:          false
    Serial:           148957645726085760686199624248870688956

@JohnAZoidberg
Copy link
Contributor Author

I'm adding support for this because sometimes I have some old binaries and need to check whether they were signed and with which certificates.

Additionally it would be useful to be able to verify if the signature is valid: #59
As mentioned in that PR, I use osslsigncode for viewing details about existing signature and verifying them.

@ebourg
Copy link
Owner

ebourg commented Sep 22, 2025

Thank you for the PR. Verification is long overdue, I haven't got the time to complete the work unfortunately. I wonder if a show command would be redundant with verify, or if it would be legitimate to have both.

@JohnAZoidberg
Add command to show details about a signed object
134cdea 
It's useful to know whether an executable is already signed and by whom.
Either to make sure that you have properly signed it or to check if
somebody else has signed it.

Example:

```
> java -jar jsign/target/jsign-7.2-SNAPSHOT.jar show foo.exe
  jsign show foo.exe
  Signature 0
  Digest Algorithm:   SHA256
  Digest Value:       c481bb3892d066ffacba0650adaa4c252580b776b1dd6026cf4a8bea6c813939
  Is Timestamped?     false
  Certificate
    Subject:          CN=net.jsign.signing-cert
    Issuer:           CN=net.jsign.issuing-cert
    Not Before:       Fri Dec 03 14:34:46 CST 2021
    Not After:        Wed May 24 14:34:46 CST 2119
    Expired:          false
    Serial:           148957645726085760686199624248870688956
```

Signed-off-by: Daniel Schaefer <[email protected]>
@JohnAZoidberg
Copy link
Contributor Author

I wonder if a show command would be redundant with verify, or if it would be legitimate to have both.

Sometimes I don't have the signing certificate and I just want to check the signer's subject and timestamp/expiration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@JohnAZoidberg @ebourg