Finding a Signer Certificate Thumbprint for Process Check posture profiles in Windows and MacOS

ZAPP 2.1.2.x introduces a cool, new posture profile called “Process Check.” It takes an executable’s path\filename and a special cryptographic hash and checks if the executable is running or not. This is very helpful for creating posture policies in ZPA around Anti-Virus suites.

Finding the path and filename of the executable is easy enough, but finding the Signer Certificate Thumbprint can be a challenge for first-time users.

Below I will provide step-by-step directions for Windows and MacOS.

Finding the Signer Certificate Thumbprint in Windows

Finding a Windows executable’s Signer Certificate Thumbprint is straightforward though “click-intensive.”

You can find it via the GUI by following these directions:

  1. Find the executable in Windows Explorer.
  2. Right click the file and click “Properties.”
  3. From the “Digital Signatures” tab, click on the listed signature, then click “Details.” A new window will appear.
  4. Click on “View Certificate”; another new window will appear.
  5. Click the “Details” tab, scroll down, and click on “Thumbprint.”

Finally, you will be presented with the thumbprint.

A shortcut for this procedure involves opening a PowerShell window and using the “Get-AuthenticodeSignature” cmdlet.

  1. Click on the Windows button and type PowerShell. Hit enter.
  2. Type "Get-AuthenticodeSignature -FilePath '<path\filename>'"

In this example:
Get-AuthenticodeSignature -FilePath 'C:\Program Files (x86)\Zscaler\ZSATunnel\ZSATunnel.exe'
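
As an added example (not part of the original guide and not Zscaler's code), the function below collects both Process Check inputs for a process that is currently running: the executable path and the signer certificate thumbprint, along with the signature status. The function name and output property names are hypothetical, and the default process name is assumed from the path used in the example above.

```powershell
# Added example: report the values a Process Check profile needs
# (executable path + signer certificate thumbprint) for running processes.
function Get-ProcessSignerThumbprint {
    param(
        # Process name without ".exe"; default assumed from the example path above.
        [string]$Name = 'ZSATunnel'
    )

    Get-Process -Name $Name -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |                  # Path is empty when access to the process is denied
        Select-Object -ExpandProperty Path -Unique |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_
            $cert = $sig.SignerCertificate          # $null when the file is unsigned

            $sha256 = $null
            if ($cert) {
                # SHA-256 over the same DER-encoded certificate, shown next to the SHA-1 thumbprint
                $hasher = [System.Security.Cryptography.SHA256]::Create()
                $sha256 = [System.BitConverter]::ToString($hasher.ComputeHash($cert.RawData)) -replace '-', ''
                $hasher.Dispose()
            }

            [pscustomobject]@{
                Path           = $_
                Status         = $sig.Status        # e.g. Valid, NotSigned, HashMismatch
                Subject        = if ($cert) { $cert.Subject } else { $null }
                ThumbprintSha1 = if ($cert) { $cert.Thumbprint } else { $null }
                CertSha256     = $sha256
            }
        }
}

Get-ProcessSignerThumbprint -Name 'ZSATunnel' | Format-List
```

Check that Status reads Valid before copying the thumbprint into a posture profile; a NotSigned or HashMismatch result means the file on disk is not the vendor's signed binary.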

Finding the Signer Certificate Thumbprint in MacOS

As far as I have been able to find, there is no way to get the equivalent Thumbprint in the MacOS GUI. Please feel free to respond below and I will update the guide.

You can find the Thumbprint using the CLI command ‘codesign’.

  1. Open Terminal either using Spotlight (Cmd+Space, then type Terminal) or by going to the Finder menu bar, selecting Go, then Utilities, and double clicking the Terminal app icon.
  2. Type "codesign -dvvv <path to the application or executable>" and hit enter.

In this example:
codesign -dvvv /Applications/Zscaler/

I’ve highlighted both the SHA1 and SHA256 Thumbprints for this file, though SHA1 will work most of the time.


NOTE: MacOS applications are folders with a subfolder structure that contains the actual executable file. Sometimes you may need to investigate which executable file is the running process you want to target.

In this example I’m focusing on the ZscalerTunnel executable: