Code signing didn't complain when I changed an exe file?
I purchased a code signing certificate and all looks well. When tested inside a clean Virtual PC OS I no longer get the "The Publisher could not be verified" message.
So just for grins, using a hex editor, I change a few constants in the VB6 exe which I see on a form. And the VB 6 exe still runs without any error message.
I thought the code signing certificate would tell you if the file had been changed in any way?
Yes, Authenticode will indicate that the signature is invalid if the file is modified.
However, running a program from your local disk won't typically check the signature; right-click on the EXE, choose Properties and choose Digital Signatures to see a signature error message.
If an evil-doer can gain enough access to your machine to change bytes in a file then you are already pwned. The signature is there mainly to verify files before you install them. You could of course write your own program to scan your files and recheck their signatures for trust, but the evildoer would just change the bytes in your scanner as well.
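
A scripted version of the Properties > Digital Signatures check described above, as an added example that is not part of the original answers. It uses the built-in `Get-AuthenticodeSignature` cmdlet; the folder path is a hypothetical placeholder.

```powershell
# Added example: re-check Authenticode signatures of files already on disk.
# $Path is a hypothetical default; pass the folder you want to audit.
param(
    [string]$Path = 'C:\Program Files\ExampleApp'
)

# Collect one result row per executable or DLL under $Path.
$results = Get-ChildItem -Path $Path -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            File    = $_.FullName
            Status  = $sig.Status          # Valid, HashMismatch, NotSigned, NotTrusted, ...
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Message = $sig.StatusMessage
        }
    }

# Show everything that did not verify cleanly.
$results |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, File |
    Format-Table -AutoSize -Wrap

# HashMismatch is the status a signed file gets once its bytes no longer
# match the signed digest, which is what the hex edit in the question causes.
# NotSigned only means the file never carried a signature.
$modified = @($results | Where-Object { $_.Status -eq 'HashMismatch' })
if ($modified.Count -gt 0) {
    Write-Warning ("{0} signed file(s) changed after signing:" -f $modified.Count)
    $modified | ForEach-Object { Write-Warning ("  " + $_.File) }
    exit 1
}
```

As the answer above points out, a check like this is only as trustworthy as the machine it runs on, so run it from a host or media the file's modifier could not have touched.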