A Go library and CLI tool for extracting and validating digital signatures from Windows PE (Portable Executable) files.
- Extract digital signatures from signed PE files (PKCS#7 format)
- Validate digital signatures using certificate chain verification
- Cross-platform support (Windows, Linux, macOS)
- CLI tool for command-line operations
- Go library for programmatic integration
- Comprehensive testing with unit and integration tests
```bash
# Add the library to your module
go get github.com/konidev20/sigtool

# Install the CLI tool
go install github.com/konidev20/sigtool/cmd/gosigtool@latest
```

Extract a digital signature from a PE file:

```bash
gosigtool path/to/signed.exe output_signature.pkcs7
```

The tool will:
- Extract the PKCS#7 signature from the PE file
- Save it to the specified output file
- Validate the signature and report the result
```go
package main

import (
	"fmt"
	"log"

	"github.com/konidev20/sigtool"
)

func main() {
	// Extract digital signature
	signature, err := sigtool.ExtractDigitalSignature("path/to/signed.exe")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("Extracted signature: %d bytes\n", len(signature))

	// Validate the signature
	err = sigtool.IsValidDigitalSignature("path/to/signed.exe")
	if err != nil {
		fmt.Printf("Signature validation failed: %v\n", err)
	} else {
		fmt.Println("Signature is valid")
	}
}
```

`ExtractDigitalSignature` extracts the PKCS#7 digital signature from a signed PE file.
Parameters:
- `filePath`: Path to the PE file

Returns:
- `[]byte`: Raw PKCS#7 signature data
- `error`: Error if extraction fails
Errors:
- File not found or cannot be opened
- Invalid PE file format
- File is not digitally signed
- Signature data is corrupted or invalid
`IsValidDigitalSignature` validates the digital signature of a PE file using PKCS#7 verification.

Parameters:
- `filePath`: Path to the PE file

Returns:
- `error`: `nil` if the signature is valid, otherwise an error describing the validation failure
Note: Validation may fail due to expired certificates, missing root certificates, or untrusted certificate chains, even if the signature format is correct.
- Go 1.21 or higher
- No external dependencies beyond the Go standard library and `go.mozilla.org/pkcs7`
```bash
# Build the library
go build ./...

# Build the CLI tool
go build -o gosigtool ./cmd/gosigtool
```

```bash
# Run unit tests
go test -short ./...

# Run all tests including integration tests
go test ./...

# Run tests with coverage
go test -coverprofile=coverage.out ./...
go tool cover -html=coverage.out
```

Integration tests require signed PE files. The test suite will automatically search for:
- Windows system files (if available)
- Files in the `testdata/` directory
- Custom files via the `SIGTOOL_TEST_PE_FILE` environment variable
```bash
# Run with custom test file
SIGTOOL_TEST_PE_FILE=/path/to/signed.exe go test ./...
```

The project includes comprehensive GitHub Actions workflows:
- Unit tests on multiple Go versions and platforms
- Integration tests with real PE files
- Code quality checks (golangci-lint, gosec, gofmt)
- Security scanning with Gosec
- Build verification for all supported platforms
- Coverage reporting via Codecov
- The tool is designed for defensive security analysis only
- File access is intentionally limited to user-specified files
- Input validation prevents buffer overflows and path traversal
- Maximum signature size limits prevent memory exhaustion
- All file operations include proper bounds checking
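
The bounds and size checks listed above matter because the PE certificate table is untrusted input: its offset, directory size and `dwLength` field all come from the file. The following is an added example, not sigtool's own code, showing those checks on a `WIN_CERTIFICATE` entry; the names `parseWinCertificate` and `buildSample`, the 1 MiB cap and the sample bytes are assumptions constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	headerLen  = 8       // dwLength(4) + wRevision(2) + wCertificateType(2)
	typePKCS7  = 0x0002  // WIN_CERT_TYPE_PKCS_SIGNED_DATA
	maxSigSize = 1 << 20 // assumed 1 MiB cap, not the project's actual limit
)

// parseWinCertificate returns the PKCS#7 bytes of the first entry at file[off:off+size].
func parseWinCertificate(file []byte, off, size uint32) ([]byte, error) {
	if size == 0 {
		return nil, errors.New("file is not digitally signed")
	}
	end := uint64(off) + uint64(size) // 64-bit sum cannot wrap
	if size < headerLen || end > uint64(len(file)) {
		return nil, errors.New("certificate table outside file bounds")
	}
	table := file[off:end]
	dwLength := binary.LittleEndian.Uint32(table[0:4])
	certType := binary.LittleEndian.Uint16(table[6:8])
	switch {
	case dwLength < headerLen || dwLength > size:
		return nil, errors.New("dwLength inconsistent with directory size")
	case dwLength-headerLen > maxSigSize:
		return nil, errors.New("signature exceeds size limit")
	case certType != typePKCS7:
		return nil, fmt.Errorf("unsupported certificate type 0x%04x", certType)
	}
	return table[headerLen:dwLength], nil
}

// buildSample makes a constructed file image: 16 filler bytes, then one entry.
func buildSample(payload []byte, dwLength uint32, certType uint16) []byte {
	buf := make([]byte, 16+headerLen, 16+headerLen+len(payload))
	binary.LittleEndian.PutUint32(buf[16:], dwLength)
	binary.LittleEndian.PutUint16(buf[20:], 0x0200) // WIN_CERT_REVISION_2_0
	binary.LittleEndian.PutUint16(buf[22:], certType)
	return append(buf, payload...)
}

func main() {
	sig, err := parseWinCertificate(buildSample([]byte{0x30, 0x82, 0, 0}, 12, typePKCS7), 16, 12)
	fmt.Println(len(sig), err)
}
```

In a real PE file, `off` and `size` come from the certificate table data directory entry, whose address field is a file offset rather than an RVA.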
- Fork the repository
- Create a feature branch
- Add tests for new functionality
- Ensure all tests pass and linting is clean
- Submit a pull request
This project is licensed under the MIT License - see the LICENSE file for details.
- Uses the go.mozilla.org/pkcs7 library for PKCS#7 parsing and verification
- Built with Go's excellent `debug/pe` package for PE file parsing
For bugs, feature requests, or questions:
- Open an issue on GitHub
- Ensure you provide sample files (if safe to share) and full error messages
- Include your Go version and operating system details