How to verify digital signature for a Visual C++ Redistributable installation

4

I recently installed a digitally signed program and the installer launched an internally packaged Microsoft Visual C++ redistributable installer halfway in.

I scanned the program and checked its digital signature before running it and giving it admin privileges (standard procedure on my computers - scan all programs and installers, admin privileges require valid digital signature from a reputable source).

Main problem: the digital signature was for the installer, there's no specific verification of any internal packages. I checked the redistributable packages in Control Panel -> Programs and Features and the right click options are Uninstall and Change.

Clicking on Change brings up a window with Repair/Uninstall/Close buttons.

Is there any convenient way to verify the digital signature of the Visual C++ redistributable installation? (in particular, verify that the redistributable package is authentic and hasn't been tampered with?)

The installer only has a digital signature for its publisher.

user1258361

Posted 2016-06-08T17:31:59.607

Reputation: 625

Do you trust the original package vendor? If the additional installer was packaged as an internal piece of the original installer doesn't the original package's verification also verify that this package is as the original author intended it to be? – heavyd – 2016-06-08T17:46:45.457

Download the C++ Redistributable from Microsoft and skip the installation by the other installer if you don't trust it; of course, if you trust the installer because it's signed, you should trust that the required software is also legit. – Ramhound – 2016-06-08T17:57:52.373

Trusting the original package vendor has little to do with subpackage integrity in practice. As far as I know, package verification isn't recursive - a vendor could build installer A containing installer B. Installer B gets altered somehow (could be accidental/random data corruption) before inclusion in installer A. Vendor reviews installer A and puts a digital signature on it (contains potentially faulty/unknown installer B). Digital signature means the vendor vouches for (and takes legal responsibility for) the package. If a third party made installer B, there's no verification of the source – user1258361 – 2016-06-08T18:00:39.967

@user1258361 - I still say it's a question of trust. You either trust the source of the installer, which itself either contains the installer or downloads the installer, to the installation in question or you don't. Most signed packages cannot be signed unless everything contained in the packages is also signed. I know that's how the MSBuild feature within Visual Studio always worked. – Ramhound – 2016-06-08T20:06:37.447

Answers

4

There are two ways I can think of:

  1. Your installer must extract the Visual C++ Redistributable packages somewhere prior to installation. Usually it's put somewhere under %temp%. You can either clean that folder prior to installation, or run the installer in Sandboxie and then browse the sandbox files to find it and check its digital signature.

  2. Install HIPS (Host Intrusion Prevention System) software, set it up properly, and you'll be prompted for every package installation individually.

If you'd like to check the VC++ Redistributable DLLs already installed on your system, browse to %windir%\System32 and check the msvcpX.dll files (where X is the version number, i.e. msvcp140.dll for VC++ version 14.0.23918).

And kudos for keeping the good practice of checking digital signatures before granting full rights.

Marc.2377

Posted 2016-06-08T17:31:59.607

Reputation: 1 072

The redistributable packages weren't in AppData\Local\Temp, however I found some installer logs. I opened one of them and they pointed to a location in C:\ProgramData\Package Cache. Found a bunch of Microsoft installer packages (.msi/.msu files) and some cabinet (.cab) files from 500KB to 4 MB in size. Verified their digital signatures. I have strict standards for granting programs admin privileges - the developer/publisher/vendor and digital signer must be reputable, must be scanned with a digitally signed and reputable antivirus/antimalware program. No signature = no admin privileges. – user1258361 – 2016-06-08T18:31:07.567
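A script that automates the checks described in the answer and the comment above, added here as an example rather than anything from the original posts: it walks C:\ProgramData\Package Cache for the cached .exe/.msi/.msu/.cab payloads and %windir%\System32 for the msvcp*.dll files, and reports anything whose Authenticode signature is not Valid or not from the expected publisher. The publisher subject 'CN=Microsoft Corporation' and the default cache path are assumptions, and only embedded signatures are checked.

```powershell
# Added example, not from the original thread. Verifies Authenticode signatures of
# cached VC++ Redistributable payloads and the installed msvcp*.dll runtime files.
# Assumption: the expected signer subject contains "CN=Microsoft Corporation".
param(
    [string[]]$Paths = @("$env:ProgramData\Package Cache", "$env:windir\System32"),
    [string]$ExpectedSigner = 'CN=Microsoft Corporation'
)

# Collect candidate files: installer payloads from the cache, runtime DLLs from System32.
$files = foreach ($p in $Paths) {
    if ($p -like '*System32*') {
        Get-ChildItem -Path $p -Filter 'msvcp*.dll' -File -ErrorAction SilentlyContinue
    } else {
        Get-ChildItem -Path $p -Recurse -File -Include *.exe,*.msi,*.msu,*.cab -ErrorAction SilentlyContinue
    }
}

$results = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        File    = $f.FullName
        # Status is Valid, NotSigned, HashMismatch (content changed after signing), UnknownError, ...
        Status  = $sig.Status
        Signer  = $subject
        # Trusted only when the chain validates AND the signer is the publisher we expect.
        Trusted = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedSigner*")
        # Hash recorded so a suspect file can be compared against a fresh download later.
        SHA256  = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}

$results | Sort-Object Trusted, File | Format-Table -AutoSize File, Status, Signer, Trusted

$suspect = @($results | Where-Object { -not $_.Trusted })
if ($suspect.Count -gt 0) {
    Write-Warning ("{0} file(s) are unsigned, modified after signing, or signed by an unexpected publisher:" -f $suspect.Count)
    $suspect | Format-List File, Status, Signer, SHA256
} else {
    Write-Host "All $($results.Count) files carry a valid signature from $ExpectedSigner"
}
```

A HashMismatch status is the direct answer to the "hasn't been tampered with" question, since it means the file no longer matches what was signed; a NotSigned cabinet file may be covered only by the signed installer that references it, so treat it as needing manual review rather than as proof of tampering.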