Finding a Signer Certificate Thumbprint for Process Check posture profiles in Windows and MacOS

ZAPP 2.1.2.x introduces a cool, new posture profile called “Process Check.” It takes an executable’s path\filename and a special cryptographic hash and checks if the executable is running or not. This is very helpful for creating posture policies in ZPA around Anti-Virus suites.

Finding the path and filename of the executable is easy enough, but finding the Signer Certificate Thumbprint can be a challenge for first time users.

Below I will provide step-by-step directions for Windows and MacOS.

Finding the Signer Certificate Thumbprint in Windows

Finding a Windows executable’s Signer Certificate Thumbprint is straightforward though “click-intensive.”

You can find it via the GUI by following these directions:

  1. Find the executable in Windows Explorer.
  2. Right click the file and click “Properties.”
  3. From the “Digital Signatures” tab, click on the listed signature, then click “Details.” A new window will appear.
  4. Click on “View Certificate;” another new window will appear.
  5. Click the “Details” tab, scroll down, and click on thumbprint.

Finally, you will be presented with the thumbprint.

A shortcut for this procedure involves opening a PowerShell window and using the “Get-AuthenticodeSignature” applet.

  1. Click on the Windows button and type PowerShell. Hit enter.
  2. Type "Get-AuthenticodeSignature -FilePath ‘’ "

In this example:
Get-AuthenticodeSignature -FilePath 'C:\Program Files (x86)\Zscaler\ZSATunnel\ZSATunnel.exe'


Finding the Signer Certificate Thumbprint in MacOS

As far as I have been able to find, there is no way to get the equivalent Thumbprint in the MacOS GUI. Please feel free to respond below and I will update the guide.

You can find the Thumbprint using the CLI command ‘codesign’

  1. Open Terminal either using Spotlight (Cmd+Space, then type Terminal) or by going to the Finder menu bar, selecting Go, then Utilities, and double clicking the Terminal app icon.
  2. Type "codesign -dvvv " and hit enter.

In this example:
codesign -dvvv /Applications/Zscaler/Zscaler.app/

I’ve highlighted both the SHA1 and SHA256 Thumbprints for this file, though SHA1 will work most of the time.


NOTE: MacOS applications are folders with a subfolder structure that contains the actual executable file. Sometimes you may need to investigate which executable file is the running process you want to target.

In this example I’m focusing on the ZscalerTunnel executable:

3 Likes

One thing to add. The match for the process thumbprint has to be exact! If the PowerShell approach is used:

> Get-AuthenticodeSignature -FilePath 'C:\Program Files (x86)\Zscaler\ZSATunnel\ZSATunnel.exe'

The thumbprint is all uppercase and will not match. Convert it to lowercase and it will work. This is valid for Zscaler Client Connector (formerly Z App) Version 2.1.2.81
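
The lowercase conversion described in the reply above, as an added PowerShell example that is not part of the original thread and not Zscaler tooling. The function names `Get-SignerThumbprint` and `Test-ProfileThumbprint` are hypothetical, and the case-sensitive comparison only models the exact-match behaviour reported for version 2.1.2.81.

```powershell
# Added example; function names are hypothetical, not part of any Zscaler tooling.
function Get-SignerThumbprint {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    process {
        $sig = Get-AuthenticodeSignature -LiteralPath $Path -ErrorAction SilentlyContinue
        if ($null -eq $sig) {
            Write-Warning "$Path could not be read"
            return
        }
        if ($null -eq $sig.SignerCertificate) {
            # Unsigned files have no signer certificate, so there is nothing to enter in the profile
            Write-Warning "$Path has no signer certificate (status: $($sig.Status))"
            return
        }
        [pscustomobject]@{
            Path       = $Path
            Status     = $sig.Status          # anything other than Valid deserves a closer look
            Subject    = $sig.SignerCertificate.Subject
            NotAfter   = $sig.SignerCertificate.NotAfter
            # .Thumbprint is upper-case hex; emit it in lowercase for the profile
            Thumbprint = $sig.SignerCertificate.Thumbprint.ToLowerInvariant()
        }
    }
}

function Test-ProfileThumbprint {
    # Compares a value typed into a posture profile with the file's actual thumbprint.
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Configured)
    $info = Get-SignerThumbprint -Path $Path
    if ($null -eq $info) { return }
    # Drop spaces and other non-hex characters picked up when copying from the GUI, then lowercase
    $normalized = ($Configured -replace '[^0-9a-fA-F]', '').ToLowerInvariant()
    [pscustomobject]@{
        Configured      = $Configured
        Actual          = $info.Thumbprint
        # -ceq is case-sensitive (assumption: models the exact match reported in the reply)
        ExactMatch      = $Configured -ceq $info.Thumbprint
        MatchesIfFixed  = $normalized -ceq $info.Thumbprint
        SuggestedValue  = $normalized
    }
}

# Usage with the path from the post; the upper-case value is read back from the
# file itself to reproduce what a raw copy of the cmdlet output would look like.
$exe = 'C:\Program Files (x86)\Zscaler\ZSATunnel\ZSATunnel.exe'
$raw = (Get-AuthenticodeSignature -LiteralPath $exe -ErrorAction SilentlyContinue).SignerCertificate.Thumbprint
if ($raw) { Test-ProfileThumbprint -Path $exe -Configured $raw | Format-List }
```

For a signed file, `ExactMatch` is `False` and `MatchesIfFixed` is `True` when the only difference is letter case or stray whitespace.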

Great info on how to get the hash, but using it in the posture check needs more detail. With many hash values, and usually hash and hashfull, what does posture match against? Also, is the posture parameter just the value (sha256=value) or does it also include “sha256=value”? Example below of MS ATP.
CandidateCDHash sha256=c05a5cdbcc40e77093f8c06525258591af94ca86
CandidateCDHashFull sha256=c05a5cdbcc40e77093f8c06525258591af94ca86079167d85d053e2ca60cb045

@dcreedy can you please help with this?