FastSigCheck is a console application that verifies the embedded digital signature of a file in Windows as efficiently as possible. It returns basic result types via exit codes so no parsing is required, making it suitable for integration with other programs that can't handle return data.
It works by querying the Windows API which handles all the checking natively (specifically using the WinVerifyTrust function).
0
: The file is signed and the signature is valid.1
: The file is not signed.2
: The file's signature is invalid or other signature-related errors occurred.3
: A result signifying the file type or signature is not supported by the API in some way.-1
: A usage error or system-level error occurred, or the API returned an unknown result code. See the "Receiving an Error?" section for more info.
FastSigCheck.exe <file-path> [--debug]
FastSigCheck demonstrates significant performance improvements over both Signtool and Sigcheck in all tested scenarios. This makes it a more efficient choice for signature verification tasks, particularly for unsigned files.
Below are some benchmarking results using the "Hyperfine" command line benchmarking tool.
Signature Type | FastSigCheck | Signtool (Windows SDK) | Sigcheck64 (Sysinternals) |
---|---|---|---|
Signed |
|
65.1 ms ± 5.2 ms |
67.4 ms ± 4.4 ms |
Unsigned |
|
38.4 ms ± 5.5 ms |
57.7 ms ± 4.8 ms |
Untrusted Signature |
|
67.7 ms ± 4.4 ms |
75.0 ms ± 3.8 ms |
Click for raw data from Hyperfine benchmarks, including commands:
hyperfine "FastSigCheck.exe Signed.exe" --warmup 10
Time (mean ± σ): 48.1 ms ± 3.7 ms [User: 17.5 ms, System: 25.2 ms]
Range (min … max): 41.5 ms … 57.7 ms 41 runs
hyperfine "FastSigCheck.exe Unsigned.exe" -i --warmup 10
Time (mean ± σ): 25.1 ms ± 2.8 ms [User: 10.8 ms, System: 11.6 ms]
Range (min … max): 18.5 ms … 32.3 ms 65 runs
hyperfine "FastSigCheck.exe BadSignature.cat" -i --warmup 10
Time (mean ± σ): 50.7 ms ± 3.8 ms [User: 16.8 ms, System: 26.7 ms]
Range (min … max): 43.2 ms … 58.4 ms 38 runs
---------------------------------------------------------------------------------
hyperfine "signtool verify /pa /q Signed.exe" --warmup 10
Time (mean ± σ): 65.1 ms ± 5.2 ms [User: 24.2 ms, System: 34.5 ms]
Range (min … max): 54.3 ms … 77.7 ms 36 runs
hyperfine "signtool verify /pa /q Unsigned.exe" -i --warmup 10
Time (mean ± σ): 38.4 ms ± 5.5 ms [User: 14.6 ms, System: 17.3 ms]
Range (min … max): 30.2 ms … 65.3 ms 50 runs
hyperfine "signtool verify /pa /q BadSignature.cat" -i --warmup 10
Time (mean ± σ): 67.7 ms ± 4.4 ms [User: 24.8 ms, System: 34.6 ms]
Range (min … max): 60.6 ms … 83.0 ms 35 runs
---------------------------------------------------------------------------------
hyperfine "sigcheck64.exe -nobanner Signed.exe" --warmup 10
Time (mean ± σ): 67.4 ms ± 4.4 ms [User: 16.6 ms, System: 34.8 ms]
Range (min … max): 60.0 ms … 77.2 ms 34 runs
hyperfine "sigcheck64.exe -nobanner Unsigned.exe" -i --warmup 10
Time (mean ± σ): 57.7 ms ± 4.8 ms [User: 14.0 ms, System: 35.9 ms]
Range (min … max): 49.6 ms … 78.2 ms 38 runs
hyperfine "sigcheck64.exe -nobanner BadSignature.cat" -i --warmup 10
Time (mean ± σ): 75.0 ms ± 3.8 ms [User: 23.4 ms, System: 39.6 ms]
Range (min … max): 68.3 ms … 86.7 ms 31 runs
- Does not work with catalog signatures
- The "Headless" Version: This version returns results only as an exit code with no option for string outputs of any kind, in case maximum efficiency is required. Though I haven't found it to really be any faster, but have included it anyway just in case.
- The whole visual studio solution/project is included, so you should be able to just open the .sln file and it will be ready to compile.
- The actual source code for each version of the tool is just 1 file each, the rest are project files.
FastSigCheck.exe
: https://github.com/ThioJoe/FastSigCheck/blob/master/FastSigCheck.cppFastSigCheckHeadless.exe
: https://github.com/ThioJoe/FastSigCheck/blob/master/FastSigCheckHeadless/FastSigCheckHeadless.cpp
- If you get an error (Exit code -1), it's possible there is a result code I missed.
- You can also try running the tool with the
--debug
argument for a bit more information. - Feel free to leave an issue with the result's error code so I can add it
- See this page on the wiki for more info about result code sources