Sometimes we are asked why we don’t have a listing of file hashes next to the download link on our website. We definitely understand why it’s important for users to verify the integrity of a file that they download from us. We don’t want you to use a file that has been modified or tampered with, and you certainly should not open such a file on your computer. For this reason, we always digitally sign the BatchPatch.exe. A digital signature enables the end-user to confirm that a file was both published by the intended/expected source (in this case by us, Cocobolo Software, LLC) and also has not been modified, altered, or tampered with after being published or while being downloaded.
A file hash on its own does not provide any assurance that the file was published by the intended/expected source, so it is inferior to a digital signature. For example, imagine a scenario where a website is hacked. The hacker then does two things: she replaces the downloadable file on the website with her own malicious file, and then she also replaces the file hash next to the download link to match that of the malicious file. If an end-user then comes along to download the file, he might think he is downloading a safe file because the file hash posted on the website matches the actual hash of the file after being downloaded. Little does he realize that he has downloaded a malicious file. So, for this reason, we don’t post file hashes. We do always digitally sign our BatchPatch.exe.
To verify that the BatchPatch.exe that you download from us is authentic and has not been modified or tampered with, we recommend that you check the digital signature on the BatchPatch.exe before you launch it. By verifying the digital signature on BatchPatch.exe you can be assured that the file you have is the file that we published, and that it has not been modified between the time that we published it and the time that you obtained it. If the BatchPatch.exe does *not* have a digital signature at all OR if it has a digital signature that is *not* signed by us, Cocobolo Software, LLC, then you’ll know that the file you obtained is *not* the file that we published. Additionally, note that at the time of this writing, DigiCert is our certificate authority, which means that you will see DigiCert as the issuer in the certificate.
How to Check the Digital Signature on BatchPatch.exe
- In Windows Explorer, right-click on the BatchPatch.exe file that you obtained from us and click ‘Properties’ in the drop-down menu that appears. In the ‘BatchPatch.exe Properties’ dialog, first make sure that you see a ‘Digital Signatures’ tab. If there is no ‘Digital Signatures’ tab then it means the file is not signed. If the file is not signed, do not open it on your computer.
- Next, take note of who the signer is. In the screenshot above you can see the signer is us, Cocobolo Software, LLC. If you double-click on the row, or highlight the row and click ‘Details’, you can further examine the certificate, if desired.
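
The same check can be scripted with PowerShell's built-in Get-AuthenticodeSignature cmdlet. This is an added example, not code published by Cocobolo Software: the download path and the Test-PublisherSignature helper name are assumptions, and the expected signer and issuer strings are the ones named in the text above.

```powershell
# Added example. $Path is an assumption: point it at your downloaded copy.
$Path = Join-Path $env:USERPROFILE 'Downloads\BatchPatch.exe'

# Hypothetical helper name; the expected values passed in below come from the article.
function Test-PublisherSignature {
    param(
        [Parameter(Mandatory)] [string]$FilePath,
        [Parameter(Mandatory)] [string]$ExpectedSigner,
        [Parameter(Mandatory)] [string]$ExpectedIssuer
    )

    $sig = Get-AuthenticodeSignature -LiteralPath $FilePath

    # 'Valid' means the file matches the signed hash and the certificate chains
    # to a trusted root. 'NotSigned' corresponds to a missing 'Digital Signatures'
    # tab; 'HashMismatch' means the file changed after it was signed.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status: $($sig.Status). $($sig.StatusMessage)"
        return $false
    }

    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer = $sig.SignerCertificate.GetNameInfo($nameType, $false)  # certificate subject
    $issuer = $sig.SignerCertificate.GetNameInfo($nameType, $true)   # issuing CA

    # Compare the signer name exactly: a substring match would also accept
    # a look-alike name that merely contains the expected text.
    if ($signer -ne $ExpectedSigner) {
        Write-Warning "Unexpected signer: '$signer'"
        return $false
    }
    # The issuing CA's full name varies by certificate, so match the CA brand only.
    if ($issuer -notlike "*$ExpectedIssuer*") {
        Write-Warning "Unexpected issuer: '$issuer'"
        return $false
    }

    Write-Host "OK: signed by '$signer', issued by '$issuer'"
    return $true
}

Test-PublisherSignature -FilePath $Path `
    -ExpectedSigner 'Cocobolo Software, LLC' -ExpectedIssuer 'DigiCert'
```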