
Conversation

@JohnAZoidberg
Contributor

It's useful to know whether an executable is already signed and by whom. Either to make sure that you have properly signed it or to check if somebody else has signed it.

Example:

```
> java -jar jsign/target/jsign-7.2-SNAPSHOT.jar show foo.exe
  jsign show foo.exe
  Signature 0
  Digest Algorithm:   SHA256
  Digest Value:       c481bb3892d066ffacba0650adaa4c252580b776b1dd6026cf4a8bea6c813939
  Is Timestamped?     false
  Certificate
    Subject:          CN=net.jsign.signing-cert
    Issuer:           CN=net.jsign.issuing-cert
    Not Before:       Fri Dec 03 14:34:46 CST 2021
    Not After:        Wed May 24 14:34:46 CST 2119
    Expired:          false
    Serial:           148957645726085760686199624248870688956
```

@JohnAZoidberg
Contributor Author

I'm adding support for this because sometimes I have some old binaries and need to check whether they were signed and with which certificates.

Additionally, it would be useful to be able to verify if the signature is valid: #59
As mentioned in that PR, I use osslsigncode for viewing details about existing signatures and verifying them.

@ebourg
Owner

ebourg commented Sep 22, 2025

Thank you for the PR. Verification is long overdue; I haven't had the time to complete the work, unfortunately. I wonder if a show command would be redundant with verify, or if it would be legitimate to have both.

It's useful to know whether an executable is already signed and by whom.
Either to make sure that you have properly signed it or to check if
somebody else has signed it.

Example:

```
> java -jar jsign/target/jsign-7.2-SNAPSHOT.jar show foo.exe
  jsign show foo.exe
  Signature 0
  Digest Algorithm:   SHA256
  Digest Value:       c481bb3892d066ffacba0650adaa4c252580b776b1dd6026cf4a8bea6c813939
  Is Timestamped?     false
  Certificate
    Subject:          CN=net.jsign.signing-cert
    Issuer:           CN=net.jsign.issuing-cert
    Not Before:       Fri Dec 03 14:34:46 CST 2021
    Not After:        Wed May 24 14:34:46 CST 2119
    Expired:          false
    Serial:           148957645726085760686199624248870688956
```

Signed-off-by: Daniel Schaefer <[email protected]>
@JohnAZoidberg
Contributor Author

> I wonder if a show command would be redundant with verify, or if it would be legitimate to have both.

Sometimes I don't have the signing certificate and I just want to check the signer's subject and timestamp/expiration.

@ebourg
Owner

ebourg commented Oct 17, 2025

Verifying a signature implies computing the hash of the file and checking the revocation of the certificates. This can take some time, and that makes the "show" command interesting to quickly see the signatures.
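The file hash that verification has to recompute, as an added example (Python, not jsign's Java code and not part of this PR): the Authenticode PE digest defined in Microsoft's Authenticode PE specification skips the CheckSum field, the security data directory entry and the appended certificate table, which is why the digest stored in the signature stays valid after embedding, and why a show command can simply read the stored value while verify has to re-hash the whole image. The PE image, the placeholder certificate table payload and all offsets below are constructed for the example; it assumes, as the specification does, that the certificate table is the last thing in the file.

```python
"""Added example, not jsign's code: the Authenticode PE digest a verifier recomputes.
CheckSum, the security directory entry and the certificate table are left out of the
hash, so the digest stored in a signature survives embedding it. Sample PE built inline."""
import hashlib
import struct

FILE_ALIGNMENT = 512


def _layout(data: bytes) -> tuple[int, int, int]:
    """Return (optional header offset, number of sections, size of optional header)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections, size_of_opt = struct.unpack_from("<2xH12xH", data, coff)
    return coff + 20, num_sections, size_of_opt


def security_directory(data: bytes) -> tuple[int, int, int]:
    """Return (directory entry offset, certificate table file offset, table size)."""
    opt, _, _ = _layout(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)  # PE32 / PE32+
    if dirs is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = dirs + 4 * 8  # IMAGE_DIRECTORY_ENTRY_SECURITY is index 4
    cert_offset, cert_size = struct.unpack_from("<II", data, entry)
    return entry, cert_offset, cert_size


def authenticode_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hash the image the way a verifier does before comparing with the signed digest."""
    opt, num_sections, size_of_opt = _layout(data)
    checksum = opt + 64
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    entry, cert_offset, cert_size = security_directory(data)
    if cert_size and cert_offset + cert_size != len(data):
        raise ValueError("certificate table is not the last thing in the file")
    h = hashlib.new(algorithm)
    # Headers, leaving out CheckSum (4 bytes) and the security directory entry (8 bytes).
    h.update(data[:checksum])
    h.update(data[checksum + 4:entry])
    h.update(data[entry + 8:size_of_headers])
    # Section data in file-offset order, whatever order the section headers use.
    sections = []
    for i in range(num_sections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, opt + size_of_opt + 40 * i + 16)
        if size_raw:
            sections.append((ptr_raw, size_raw))
    hashed = size_of_headers
    for ptr_raw, size_raw in sorted(sections):
        h.update(data[ptr_raw:ptr_raw + size_raw])
        hashed += size_raw
    # Data appended after the sections is hashed too, except the certificate table.
    end = len(data) - cert_size
    if end < hashed:
        raise ValueError("file is shorter than its headers claim")
    h.update(data[hashed:end])
    return h.hexdigest()


def embed_certificate_table(data: bytes, pkcs7: bytes) -> bytes:
    """Append a WIN_CERTIFICATE (revision 2.0, PKCS_SIGNED_DATA) and point the directory at it."""
    entry, _, cert_size = security_directory(data)
    if cert_size:
        raise ValueError("image already carries a certificate table")
    table = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, 0x0002) + pkcs7
    table += bytes(-len(table) % 8)  # entries are 8-byte aligned
    out = bytearray(data)
    struct.pack_into("<II", out, entry, len(data), len(table))
    return bytes(out) + table


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ with two sections; sample data, not a runnable program."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)  # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)
    standard = struct.pack("<HBBIIIII", 0x20B, 14, 0, 512, 512, 0, 0x1000, 0x1000)
    windows = struct.pack("<QIIHHHHHHIIIIHHQQQQII", 0x140000000, 0x1000, FILE_ALIGNMENT,
                          6, 0, 0, 0, 6, 0, 0, 0x3000, FILE_ALIGNMENT, 0xDEADBEEF, 3, 0x8160,
                          0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    data_dirs = bytes(16 * 8)  # all empty, including the security directory
    sections = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    sections += struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 512, 1024, 0, 0, 0, 0, 0xC0000040)
    headers = dos + coff + standard + windows + data_dirs + sections
    headers += bytes(FILE_ALIGNMENT - len(headers))  # pad to SizeOfHeaders
    text = b"\xc3" + bytes(511)  # ret
    rdata = b"hello from .data" + bytes(512 - 16)
    return headers + text + rdata


def demo() -> dict:
    """Digests of one image: unsigned, signed, CheckSum zeroed, and .data tampered."""
    pe = build_sample_pe()
    signed = embed_certificate_table(pe, b"\x30\x82" + bytes(46))  # placeholder, not a real PKCS#7
    zeroed = pe[:152] + bytes(4) + pe[156:]  # CheckSum sits at offset 152 in this image
    tampered = signed[:1024] + b"H" + signed[1025:]  # first byte of .data
    return {"unsigned": authenticode_digest(pe), "signed": authenticode_digest(signed),
            "checksum_zeroed": authenticode_digest(zeroed), "tampered": authenticode_digest(tampered)}


if __name__ == "__main__":
    for name, digest in demo().items():
        print(f"{name:16} {digest}")
```

Running it prints the same digest for the unsigned, signed and checksum-zeroed images and a different one for the tampered image; a show command only needs the value carried inside the signature, whereas verify has to compute this over the entire file and then chase revocation for the certificate chain, which is where the time goes.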

```java
SignerId signerId = signerInformation.getSID();
X509CertificateHolder cert = (X509CertificateHolder) signature.getCertificates().getMatches(signerId).iterator().next();

byte[] digest = signable.computeDigest(DigestAlgorithm.of(signerInformation.getDigestAlgorithmID().getAlgorithm()));
```
Owner

This is the hash of the file; I think it should be the hash of the message signed.

```java
printSignatures(signable);
} catch (UnsupportedOperationException | IllegalArgumentException e) {
throw new SignerException(e.getMessage(), e);
} catch (Exception e) {
```
Owner

Only one catch should be enough
