>Happy New Year! And does anybody have experience confirming that
>
>a) The running VFP exe's digital signature is valid, and
>b) That it is signed by us, or a named signatory.
>
>This could also be useful to prevent dll injection for signed dlls or flls from 3rd parties. Even MS's C++ runtime libraries are signed these days.
>
>Looking online, there's decades of struggle attempting to solve this in C++ and NET. Solutions rely on the notoriously tricky WinVerifyTrust() API that tells you whether there's a valid signature, followed by other APIs like CryptQueryObject() to confirm who signed it. However, there's a more recent report that if an exe can have multiple signatures, a hacker can modify the exe and then sign it with their own certificate in a fashion that passes WinVerifyTrust() checks, as well as a second test that your signature is present... even though no longer valid. You can't assume that yours is the valid signature without more work.
>
>This is hardly an unexpected need, so you'd think an easier API would be made available, but apparently not. So if any VFP guru has cracked what seems to be a fairly standard requirement: yes please! Regards, J

I have no answer about signatures, but I wonder if you could achieve something similar using hashes/digests of EXE, DLL or other files.