I am using WinVerifyTrust to verify a file signature.
The connection to the internet is very bad, so I want to check only the local cache.
The problem is that I am confused about how I should set the parameters in WinTrustData
regarding fdwRevocationChecks. The documentation says the following:
> No additional revocation checking will be done when the WTD_REVOKE_NONE flag is used in conjunction with the HTTPSPROV_ACTION value set in the pgActionID parameter of the WinVerifyTrust function. To ensure the WinVerifyTrust function does not attempt any network retrieval when verifying code signatures, WTD_CACHE_ONLY_URL_RETRIEVAL must be set in the dwProvFlags parameter.
What does "No additional revocation checking" mean: in addition to what? Does it make revocation checks using the CRL? If I set this field to *WTD_REVOKE_WHOLECHAIN*, will it check online too?
If I set WTD_CACHE_ONLY_URL_RETRIEVAL, is that enough to make sure that it won't attempt to get the revocation list from the internet?
Bottom line: how do I make sure that there is a CRL check, but not any online check?
Thanks
You should set fdwRevocationChecks to WTD_REVOKE_NONE and also add the WTD_CACHE_ONLY_URL_RETRIEVAL flag to dwProvFlags. This will make sure that WinVerifyTrust will look only in the cached CRL when verifying an embedded signature.
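For reference, here is an added C++ example (not from the question or the answer) that makes the WinVerifyTrust call with the settings discussed: `WTD_CACHE_ONLY_URL_RETRIEVAL` is always set so nothing is fetched from the network, and `fdwRevocationChecks` is either `WTD_REVOKE_NONE` (the answer's setting) or `WTD_REVOKE_WHOLECHAIN`, which asks for a chain-wide revocation check that can then only be satisfied from CRL/OCSP data already in the local CryptoAPI cache. It assumes Windows with wintrust.lib; the `#else` branch only copies a few winerror.h values so the status-mapping helper builds elsewhere, and the function names `VerifyOffline` and `DescribeStatus` are my own.

```cpp
#include <cstdio>
#ifdef _WIN32
#include <windows.h>
#include <wintrust.h>
#include <softpub.h>
#pragma comment(lib, "wintrust")
#else  // non-Windows: only DescribeStatus builds; constants copied from winerror.h
typedef long LONG;
#define ERROR_SUCCESS 0L
#define TRUST_E_NOSIGNATURE ((LONG)0x800B0100L)
#define CERT_E_REVOKED ((LONG)0x800B010CL)
#define CERT_E_REVOCATION_FAILURE ((LONG)0x800B010EL)
#define CRYPT_E_REVOCATION_OFFLINE ((LONG)0x80092013L)
#endif

// Human-readable meaning of the outcomes that matter for an offline check.
const char* DescribeStatus(LONG status)
{
    switch (status) {
    case ERROR_SUCCESS:             return "signature valid, not revoked per cache";
    case TRUST_E_NOSIGNATURE:       return "file is not signed";
    case CERT_E_REVOKED:            return "certificate revoked (cached CRL)";
    case CRYPT_E_REVOCATION_OFFLINE:
    case CERT_E_REVOCATION_FAILURE: return "revocation unknown: CRL not cached, nothing downloaded";
    default:                        return "verification failed";
    }
}
#ifdef _WIN32
// checkRevocation=false is the answer's setting (WTD_REVOKE_NONE); true asks for a
// chain-wide revocation check that, with WTD_CACHE_ONLY_URL_RETRIEVAL, may use cached CRLs only.
LONG VerifyOffline(const wchar_t* path, bool checkRevocation)
{
    WINTRUST_FILE_INFO fi = {};
    fi.cbStruct = sizeof(fi);
    fi.pcwszFilePath = path;
    WINTRUST_DATA wtd = {};
    wtd.cbStruct = sizeof(wtd);
    wtd.dwUIChoice = WTD_UI_NONE;                       // never show a dialog
    wtd.fdwRevocationChecks = checkRevocation ? WTD_REVOKE_WHOLECHAIN : WTD_REVOKE_NONE;
    wtd.dwUnionChoice = WTD_CHOICE_FILE;
    wtd.pFile = &fi;
    wtd.dwStateAction = WTD_STATEACTION_VERIFY;
    wtd.dwProvFlags = WTD_CACHE_ONLY_URL_RETRIEVAL;     // no network retrieval at all
    GUID action = WINTRUST_ACTION_GENERIC_VERIFY_V2;    // Authenticode policy
    LONG status = WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &action, &wtd);
    wtd.dwStateAction = WTD_STATEACTION_CLOSE;          // release hWVTStateData
    WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &action, &wtd);
    return status;
}
#endif
```

On Windows, `std::puts(DescribeStatus(VerifyOffline(L"C:\\path\\to\\file.exe", true)))` reports whether the signature verified against cached data; a "revocation unknown" result with `checkRevocation=true` means the CRL was never cached on this machine, not that a download was attempted.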