Windows agent software is available in two different formats: ZIP and MSI. The MSI package combines the agent software together with policy information and packages into a Windows installer that the Carbon Black App Control server generates. This package is not signed by the server.
The ZIP file contains a Carbon Black signed MSI that contains the agent software and the files that are associated with the policy information. The signed MSI can be verified using a signing tool like Microsoft's Signtool.
Procedure
- Download the Microsoft Windows SDK.
- Install all components of the SDK.
SignTool is usually installed under C:\Program Files (x86)\Windows Kits\10\bin, but the exact location depends on the version of the SDK and your operating system. For example, it can be installed in any of the following locations:
- C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe
- C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe
- C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe
- Add the location of the Signtool binary to your
PATH
environment variable.
- Press the Windows key.
- Type env.
- Click Edit the System Environment Variables.
- Click Environmental Variables.
- Select Path and click Edit.
- At the end of the existing value, add the Signtool location. A semicolon (;) must separate the old value from the new value. For example:
- old value = %USERPROFILE%\AppData\Local\Microsoft\WindowsApps;
- new value = %USERPROFILE%\AppData\Local\Microsoft\WindowsApps;C:\Program Files (x86)\Windows Kits\10\App Certification Kit\
- Click OK three times to save your changes and exit the editor.
- Run the following command, where $file_to_verify is the name of the install package:
signtool.exe verify /pa /hash SHA56 /all $file_to_verify
- The
/pa
parameter instructs Signtool to check for code signing.
- An optional /hash SHA256 parameter instructs Signtool to only check the SHA256 signatures.
- The
/all
parameter instructs Signtool to check all signatures on the file.
Results