How to verify X.509 signatures?

adrelanos adrelanos at
Sun Mar 24 13:37:51 CET 2013

Peter Lebbing:
> On 23/03/13 21:06, adrelanos wrote:
>> says [1] they are signing "TrueCrypt Setup
>> 7.1a.exe" [2] with an X.509 signature. How can I verify such a
>> signature?
> This is probably a "Microsoft Authenticode" signature on a
> Microsoft PE executable. It's very specifically a Microsoft thing,
> and you'll need a program with specific support for this format.
> It's X.509 wrapped inside an executable.

Ah. Ok. Will google that up.

> If you Google for it, you'll probably find a lot of references to a
> heated discussion between Matthew Garrett and Linus Torvalds about
> including a parser in the Linux kernel :).


> The best I could come up with through Googling was [1]. You might
> be able to write something up in Python with the pefile module.
> Alternatively, just either
> - verify on Windows, by checking the "Properties" of the executable
> - verify using the OpenPGP signature they also provide

Ok, got that. I am primarily looking for some mechanism built into
mainstream Linux distributions, making it much easier to verify a file
comes from a specific entity. This thing sounds much too complicated.

Thanks! :)
