2 Dec 2009

How to digitally sign a file on Windows platform

OK, this post will be in English because I spent so much time trying to figure out how to digitally sign an executable file. So, I guess a lot of people might find this guide useful. Beware though! It's not a regular blog entry. Too much technical stuff... :P

I was looking for information on how to digitally sign some AutoIT executable files I've created. I didn't want to get my feet wet and pay for a digital signature from a Certificate Authority (CA) just yet. Instead, I just wanted to sign the files using a self-signed certificate for starters. After a lot of investigation, I finally found two ways to accomplish that:


The tools we'll be using are the codesigningx86.exe file from http://www.cryptguard.com/documentation_resources_tools.shtml which contains all the Microsoft files, and a pre-compiled binary of OpenSSL for Windows from http://www.slproweb.com/products/Win32OpenSSL.html


Let's start with OpenSSL and Signcode.exe....

How to digitally sign a file using Microsoft's SignCode.exe and OpenSSL

Using openssl commands we'll....
  • Create a file containing key and self-signed certificate typing...
    openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout NAME.pem -out NAME.pem
  • Export NAME.pem as PKCS#12 file, NAME.pfx
    openssl pkcs12 -export -out NAME.pfx -in NAME.pem -name "Name"
  • Import the .pfx file by double clicking on it
The self-signed certificate is ready. Next we need to run the Signcode.exe program and go through its step-by-step wizard to sign the file. We select the file to be signed and choose Typical signing. Now we need to select from the Store the certificate we imported before. There is some optional info to fill in, and then we get an option to timestamp the file by entering the URL http://timestamp.verisign.com/scripts/timstamp.dll

All Done!

We'll skip OpenSSL now and try the second solution...

How to digitally sign a file using Microsoft's SignCode.exe and Makecert.exe

Again we need to create the certificate file, but this time we're gonna need the private key file (.PVK) as well. Let's create it as a root authority certificate, setting a validity period from 01/01/2009 to 01/01/2019 and (optionally) adding an explanatory URL:
makecert -sv mycert.pvk -n "CN=Name of Company" -cy authority -l "http://example.com" -nscp -b 01/01/2009 -e 01/01/2019 mycert.cer
Next we'll need to convert the certificate file .CER to a Software Publishing Certificate .SPC file to be used for signing. We do that with the command:
cert2spc mycert.cer mycert.spc
Now, to sign the code using the .SPC and .PVK files, with timestamping as well, we issue the following command:
signcode -spc mycert.spc -x -v mycert.pvk -i http://example.com -n "Small description here" -t http://timestamp.verisign.com/scripts/timstamp.dll FileName.exe

All Done!

Here are some more useful tricks...

How to convert a .PEM file to .PVK using the PVK tool from http://www.drh-consultancy.demon.co.uk/pvk.html

pvk.exe -in mykey.pem -topvk -strong -out mykey.pvk

How to export a Software Publishing Certificate (SPC) from a .PEM file

openssl.exe crl2pkcs7 -nocrl -certfile mycert.pem  -outform DER -out mycert.spc
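The OpenSSL steps above (key plus self-signed certificate in one PEM, PKCS#12 export, and the PEM to SPC conversion just shown) can be scripted and, more importantly, checked. The script below is an added example and not code from the original post or from any of the linked sites. It assumes the `openssl` command-line tool is on the PATH; the working directory, the base file name `mycert`, the subject name and the export passphrase are all constructed for this example. It uses a 2048-bit key instead of the post's 1024-bit one, adds `-subj` so no interactive prompts appear, and after producing the files it confirms that the .pfx and .spc carry exactly the certificate that was generated and that the certificate only verifies when it is itself the trust anchor.

```shell
#!/bin/sh
# Added example (not from the original post): scripts the OpenSSL part of the
# procedure and verifies the artefacts it produces.
# Assumes: `openssl` on PATH. Everything below (directory, NAME, SUBJ, PFX_PASS)
# is a constructed value for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
NAME="${NAME:-mycert}"                              # constructed base name
SUBJ="${SUBJ:-/CN=Example Self-Signed Code Signing}" # constructed subject
PFX_PASS="${PFX_PASS:-changeit}"                    # constructed export passphrase

# Step 1: private key and self-signed certificate in ONE PEM file (openssl req
# appends the certificate when -keyout and -out name the same file).
# rsa:2048 instead of the post's rsa:1024; -subj replaces the interactive prompts.
make_self_signed() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "$SUBJ" \
        -keyout "$WORKDIR/$NAME.pem" -out "$WORKDIR/$NAME.pem" 2>/dev/null
}

# Step 2: PKCS#12 (.pfx) export of key + certificate, the file that gets
# imported into the Windows certificate store. The post's command prompts for
# the passphrase; here it is passed explicitly so the script runs unattended.
export_pfx() {
    openssl pkcs12 -export -in "$WORKDIR/$NAME.pem" -out "$WORKDIR/$NAME.pfx" \
        -name "$NAME" -passout "pass:$PFX_PASS"
}

# Step 3: Software Publishing Certificate = DER-encoded, certificate-only PKCS#7.
# The certificate is extracted first so that only it, never the private key,
# is fed to crl2pkcs7.
export_spc() {
    openssl x509 -in "$WORKDIR/$NAME.pem" -out "$WORKDIR/$NAME.crt"
    openssl crl2pkcs7 -nocrl -certfile "$WORKDIR/$NAME.crt" \
        -outform DER -out "$WORKDIR/$NAME.spc"
}

# SHA-256 fingerprint of the (first) certificate in a PEM file, without the
# "SHA256 Fingerprint=" label so the values can be compared directly.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the certificate stored inside the .pfx (needs the passphrase).
pfx_fingerprint() {
    openssl pkcs12 -in "$WORKDIR/$NAME.pfx" -passin "pass:$PFX_PASS" \
        -nokeys -clcerts > "$WORKDIR/from-pfx.pem" 2>/dev/null
    cert_fingerprint "$WORKDIR/from-pfx.pem"
}

# Fingerprint of the certificate carried by the .spc (DER PKCS#7).
spc_fingerprint() {
    openssl pkcs7 -inform DER -in "$WORKDIR/$NAME.spc" -print_certs \
        > "$WORKDIR/from-spc.pem"
    cert_fingerprint "$WORKDIR/from-spc.pem"
}

# A self-signed certificate chains to nothing but itself: verification passes
# only when the certificate is supplied as the trust anchor. On a machine whose
# trust store does not contain it, the signature is unverifiable by design.
verifies_as_own_anchor() {
    openssl verify -CAfile "$1" "$1" > /dev/null 2>&1
}

run_all() {
    make_self_signed
    export_pfx
    export_spc
    echo "certificate : $(cert_fingerprint "$WORKDIR/$NAME.crt")"
    echo "in .pfx     : $(pfx_fingerprint)"
    echo "in .spc     : $(spc_fingerprint)"
    echo "files in    : $WORKDIR"
}

run_all
```

Run it as `sh sign-prep.sh` (any file name will do). The three fingerprints printed must be identical; a mismatch means the .pfx or .spc was built from a different PEM than the one you think you are signing with. The last function documents the limit of this whole approach: a signature made with a self-signed certificate proves the file was not modified after signing, but says nothing about who signed it unless the recipient has deliberately installed that certificate as trusted.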

I hope you found it pretty straightforward and you're ready to sign your files.
Happy signing! :)


The info on this post has been collected from:
http://www.madboa.com/geek/openssl/
http://www.tech-pro.net/export-to-pvk-spc.html
http://www.akadia.com/services/ssh_test_certificate.html
http://msdn.microsoft.com/en-us/library/9sh96ycy(VS.80).aspx
http://msdn.microsoft.com/en-us/library/bfsktky3(VS.80).aspx


2 comment(s):

ESKARINA said...

Congratulations on the new look!
It's nice, although the orange is hard on the eyes!

yeah! said...

Thanks a bunch, saved me a lot of time googling.