OK, this post will be in English because I spent so much time trying to figure out how to digitally sign an executable file. So, I guess a lot of people might find this guide useful. Beware though! It's not a regular blog entry. Too much technical stuff... :P
I was looking for information on how to digitally sign some AutoIT executable files I've created. I didn't want to get my feet wet and pay for a digital signature from a Certificate Authority (CA) just yet. Instead, I just wanted to sign the files using a self-signed certificate for starters. After a lot of investigation, I finally found two ways to accomplish that:
- Using OpenSSL and Microsoft's Signcode.exe
- Using Microsoft's Makecert.exe and Signcode.exe
The tools we'll be using are the codesigningx86.exe file from http://www.cryptguard.com/documentation_resources_tools.shtml which contains all the Microsoft files, and a pre-compiled binary of OpenSSL for Windows from http://www.slproweb.com/products/Win32OpenSSL.html
Let's start with OpenSSL and Signcode.exe....
How to digitally sign a file using Microsoft's SignCode.exe and OpenSSL
Using openssl commands we'll...
- Create a file containing the key and the self-signed certificate by typing:
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout NAME.pem -out NAME.pem
- Export NAME.pem as a PKCS#12 file, NAME.pfx:
openssl pkcs12 -export -out NAME.pfx -in NAME.pem -name "Name"
- Import the .pfx file by double clicking on it
All Done!
We'll skip OpenSSL now and try the second solution...
How to digitally sign a file using Microsoft's SignCode.exe and Makecert.exe
Again we need to create the certificate file, but this time we're gonna need the private key file (.PVK) as well. Let's do so using a root authority, setting a validity period from 01/01/2009 to 01/01/2019 and (optionally) adding an explanatory URL:
makecert -sv mycert.pvk -n "CN=Name of Company" -cy authority -l "http://example.com" -nscp -b 01/01/2009 -e 01/01/2019 mycert.cer
Next we'll need to convert the certificate file .CER to a Software Publishing Certificate .SPC file to be used for signing. We do that with the command:
cert2spc mycert.cer mycert.spc
Now, to sign the code using the .SPC and .PVK files and timestamp it as well, we issue the following command:
signcode -spc mycert.spc -v mycert.pvk -i http://example.com -n "Small description here" -t http://timestamp.verisign.com/scripts/timstamp.dll FileName.exe
All Done!
Here are some more useful tricks...
How to convert a .PEM file to .PVK using the PVK tool from here http://www.drh-consultancy.demon.co.uk/pvk.html
pvk.exe -in mykey.pem -topvk -strong -out mykey.pvk
How to export a Software Publishing Certificate (SPC) from a .PEM file
openssl.exe crl2pkcs7 -nocrl -certfile mycert.pem -outform DER -out mycert.spc
I hope you found it pretty straightforward and you're ready to sign your files.
Happy signing! :)
The info on this post has been collected from:
http://www.madboa.com/geek/openssl/
http://www.tech-pro.net/export-to-pvk-spc.html
http://www.akadia.com/services/ssh_test_certificate.html
http://msdn.microsoft.com/en-us/library/9sh96ycy(VS.80).aspx
http://msdn.microsoft.com/en-us/library/bfsktky3(VS.80).aspx
2 comment(s):
Enjoy it!
It's nice, although the orange is an eyesore!
Thanks a bunch, saved me a lot of time googling.