A digital signature is created when a file is run through a hashing algorithm and the resultant hash (digest / fingerprint) is then signed by a private key. If an application wants to check the integrity of a file, it can perform the following steps:
- Decrypt the signed hash with the corresponding public key
- Put the file through the same hash algorithm used as part of the original signing process o generate a hash
- Compare the two hashes.
If the hashes are the same, the file hasn't been tampered with... assuming the hashing algorithm can still be trusted!
And therein lies the rub...
Md4 and MD5 haven't been trusted for a while and SHA1 is no longer considered secure against a well-resourced attackers. If you want details of Windows enforcement of SHA1 certificates, read this.
How do you use PowerShell to check if your user account is using certificates signed by a CA with a SHA1 algorithm?
(Get-ChildItem Cert:\Currentuser\My\ | Select -Property SignatureAlgorithm -ExpandProperty SignatureAlgorithm).FriendlyName