Verify digital signature
Message
From
21/01/2024 16:19:07
John Ryan
Captain-Cooker Appreciation Society
Taumata Whakatangi ..., New Zealand
To
All
General information
Forum:
Visual FoxPro
Category:
Coding, syntax and commands
Title:
Verify digital signature
Miscellaneous
Thread ID:
01687559
Message ID:
01687559
Views:
70
All,

Happy New Year! And does anybody have experience confirming that

a) The running VFP exe's digital signature is valid, and
b) That it is signed by us, or a named signatory.

This could also be useful to prevent dll injection for signed dlls or flls from 3rd parties. Even MS's C++ runtime libraries are signed these days.

Looking online, there's decades of struggle attempting to solve this in C++ and .NET. Solutions rely on the notoriously tricky WinVerifyTrust() API that tells you whether there's a valid signature, followed by other APIs like CryptQueryObject() to confirm who signed it. However, there's a more recent report that if an exe can have multiple signatures, a hacker can modify the exe and then sign it with their own certificate in a fashion that passes WinVerifyTrust() checks, as well as a second test that your signature is present... even though no longer valid. You can't assume that yours is the valid signature without more work.

This is hardly an unexpected need, so you'd think an easier API would be made available, but apparently not. So if any VFP guru has cracked what seems to be a fairly standard requirement: yes please!

Regards, J
"... They ne'er cared for us
yet: suffer us to famish, and their store-houses
crammed with grain; make edicts for usury, to
support usurers; repeal daily any wholesome act
established against the rich, and provide more
piercing statutes daily, to chain up and restrain
the poor. If the wars eat us not up, they will; and
there's all the love they bear us."
-- Shakespeare: Coriolanus, Act 1, scene 1
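
Checks (a) and (b) from the post, sketched in PowerShell as an added example that is not part of the original message: the signer's thumbprint is read from the same `Get-AuthenticodeSignature` result that carries the validity verdict, then compared against a pinned list. The function name `Test-PinnedSignature`, the `C:\MyApp` folder and the all-zero thumbprint are placeholders assumed for illustration.

```powershell
# Added example. The thumbprint and the C:\MyApp path are placeholders.
$AllowedThumbprints = @('0000000000000000000000000000000000000000')

function Test-PinnedSignature {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedThumbprints
    )
    # One call yields both the trust verdict and the certificate it applies to.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = $sig.SignerCertificate
    $thumb  = if ($signer) { $signer.Thumbprint } else { $null }

    # (a) signature must verify: file hash matches and the chain is trusted.
    $valid  = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid
    # (b) signer must be on the pinned list; subject names alone are not compared.
    $pinned = [bool]$thumb -and ($AllowedThumbprints -contains $thumb)

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Subject    = if ($signer) { $signer.Subject } else { $null }
        Thumbprint = $thumb
        Accepted   = $valid -and $pinned
    }
}

# Check the executable and every DLL shipped beside it; list what fails.
$results = Get-ChildItem -LiteralPath 'C:\MyApp' -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object { Test-PinnedSignature -Path $_.FullName -AllowedThumbprints $AllowedThumbprints }

$results | Where-Object { -not $_.Accepted } |
    Format-Table Status, Subject, Thumbprint, Path -AutoSize
```

The check covers the one signature that `Get-AuthenticodeSignature` reports for the file; a file carrying additional signatures needs each one verified separately.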