Code Signing for Developers

Code signing adds a digital signature to software files. Digital signatures can identify the software publisher, and verify that the software users receive over the Internet has not been altered or corrupted since it was created and signed by a third party. Code signing does not alter the software. It simply appends a digital signature to the executable code. Microsoft refers to code signing technology as "Authenticode". Microsoft believes code signing will help restrict the spread of malicious software.

Customer Experiences

Even though code signing technology has been available since 1996, many software publishers refused to use it because of the complexity and lack of value for their effort. After a code-signed file is downloaded from a Web site, the browser extracts the certificate from the file, and checks an internal list of certificate authorities (CAs) and their public keys to verify the signature in the certificate. If the signed software is tampered with in any way, the digital signature will break and alert customers that the code has been altered and is not trustworthy.

As the Internet changes, web pages will gradually change from static content to being filled with controls and applications that are downloaded and run locally, on the user's computer. Browsers can check for a valid digital signature, and warn of possible dangers, but cannot guarantee that the downloaded file is 100% safe.

Digital Signature Verification Using Windows Explorer

Windows Explorer can check any file for a valid digital signature.

Windows XP SP2 and Digital Signatures

When a customer downloads software, Windows displays a "Security Warning" dialog asking if they really want to run your software. The security warning dialog indicates an "Unknown Publisher" if the digital signature is missing. If your software is digitally signed, the customer will see your company name and an optional web link to follow for more information.

Windows Vista and Digital Signatures

One of the biggest changes with the Vista release is the addition of User Account Control (UAC). The Vista UAC expects computer users to run at a low privilege level most of the time. The user can still be permitted to raise their privilege level for entire applications, for example, to install a new application, or for parts of individual applications as needed.

Vista has added new features that take advantage of code-signing technologies. New security policies can require only signed executables and Windows components to be run on a computer. Internet Explorer version 7, with Vista, can be set to prohibit downloading installation packages and executables if the digital signature is missing or cannot be verified. Vista can also be set to only allow applications to run properly in locked-down environments.

Windows Vista Logo Certification Requirements for Software

Microsoft requires all files with the following extensions: exe, dll, ocx, sys, cpl, drv, scr to be signed with an Authenticode certificate to receive Windows Vista Logo Certification. Microsoft believes that if a software publisher wants to use the Internet to distribute software, the publisher should be willing to take responsibility for that software. This belief is based on the premise that accountability is a deterrent to the distribution of harmful code. Authenticode allows developers to include information about themselves and their code with their programs through the use of digital signatures. Digital signatures ensure this accountability.

Software which carries the Vista logo must meet the privacy guidelines put forth by the Anti-Spyware Coalition. Applications that are considered malware or spyware are subject to losing their logo certification.

Obtaining the Code Signing Certificate

The Microsoft web site http://msdn2.microsoft.com/en-us/library/ms995347.aspx lists 27 trusted third-party commercial certificate authorities (CAs) that validate the identity and entitlement of an applicant, and can issue the applicant a digital certificate for code signing. A code signing certificate is also called a digital ID or Software Publishing Certificate (SPC). Software publishers only need one certificate to perform digital code signing on all files. Signing the code requires access to the Software Publishing Certificate (SPC) and the Private Key (PVK) associated with the SPC.

Digital signatures issued by a certification authority (CA) such as Comodo, Thawte, and Verisign are treated equally by Windows. Prices paid for the digital signature certificates vary quite a bit (Verisign $499 per year, Thawte $199 per year, Comodo $179 per year). Authorized resellers can also sell the certificates at a lower price than the certification authorities. Discounted Comodo certificates can be purchased for $85 per year at http://www.ksoftware.net/code_signing.html.

The Sign Up Process

  1. Use Internet Explorer. You must use the same computer to apply for the certificate and obtain your digital ID file. After you obtain your digital ID, any computer can be used to sign files using your private key (PVK) and digital certificate (SPC) files.
  2. You will need to provide an email address, password, challenge phrase, and information about your company. The password will also be used later when you sign your applications.
  3. Your browser will generate a private key. The private key is known only to its owner. Make sure to mark the key as exportable. Save this private key (called mykey.pvk) to a local .pvk file. Make a back-up copy of this private key, as this key will be needed to sign code. If you ever lose this private key, you will be unable to sign code.
  4. Create and save a text file that contains the information (email address, password, challenge phrase, and information about your company) that will be associated with your private key (PVK) and Software Publishing Certificate (SPC).
  5. You will need to submit your payment so the Certificate Authority can process your application.
  6. You will need to fax or send information to the Certificate Authority so they can verify your identity. The verification process can take several days.
  7. After verification, the Certificate Authority will send you an email containing a Personal Identification Number (PIN).
  8. Follow the instructions in the email to retrieve your Software Publishing Certificate (SPC) called mycert.spc. The SPC file is also called a digital ID or digital certificate.
  9. A copy of your private key (PVK), digital certificate (SPC), and text file with the associated information should be kept in a secure location (safe deposit box). If this information is ever lost or stolen, you should contact the Certificate Authority to prevent fraudulent use.

Obtaining the Microsoft Code Signing Files

If developers use a Microsoft development tool, for example Visual Studio 2005, they more than likely already have the 3 files needed to code sign their files. If the programmer uses a Borland product, for example Delphi, the developer has to find those 3 files on the Microsoft web site. Microsoft has removed the file codesigningx86.exe, which contained the 3 files, from their web site. Now the developer is required to download 19 different files, perform a cab extraction of nearly a GB of files, and install an SDK just to get those 3 files. Once the developer has the 3 files, one simple command line will perform the code signing. Microsoft makes it difficult, but not impossible, for developers using non-Microsoft development tools.

The three Microsoft files needed to code sign your files:

  1. signtool.exe 68 KB dated 04/14/2005.
  2. capicom.dll 505 KB dated 11/02/2004.
  3. pvkimprt.exe 273 KB dated 05/08/2001.

Preparation

To keep things simple for the following steps, I'll create 2 new folders with Windows Explorer.

Downloading

  1. Search all downloads for PVKIMPRT and click GO.
    1. Click on the only link that is displayed.
    2. Download pvkimprt.exe to C:\Downloads\CodeSigning\
    3. Scroll back to the top of the page to search for downloads.
  2. Search all downloads for PSDK-FULL and click GO.
    1. Choose the link for 'Windows Server 2003 R2 Platform SDK Full Download'
    2. Info - This SDK replaces the SDK for Windows SP2 and Windows Server 2003 SP1
    3. Download the 16 PSDK-FULL.*.cab files and the PSDK-FULL.EXE
    4. Info - PSDK-FULL will expand the cab files.
    5. Scroll back to the top of the page to search for downloads - link in the middle of the page is broken.
  3. Search all downloads for CAPICOM and click GO.
    1. Click on the only link that is displayed.
    2. Download the working file 'ccinst21.exe' 1.30 MB
    3. Info - You now have 18 files in this folder.

Installation

  1. Click Start, then click Run. Browse to C:\Downloads\CodeSigning\PSDK-FULL.EXE and click OK.
    1. A dialog is displayed. Click Run.
    2. Enter the location to extract the cab files. I chose C:\Downloads\CodeSigning
    3. Two more files are created - Extract.exe and PSDK-FULL.bat (up to 20 files total)
    4. Back to the Desktop. Now we use the Command Prompt.
    5. Click Start - Run. Type cmd and press enter
    6. Enter cd\
    7. Enter cd Downloads\CodeSigning
    8. Enter psdk-full.bat C:\Downloads\CodeSigning
    9. The cab files will be expanded into 3 subfolders with still more files including Setup.exe
    10. Enter Setup.Exe
    11. Info - A wizard will be displayed to install the Microsoft Platform SDK
    12. Click Next, agree to the licensing terms, click Next.
    13. Keep pressing Next until the Microsoft Platform SDK Wizard completes the installation.
    • Info - There is little time difference between either Custom (Binary only) or Full install
    • Info - Files will be placed in C:\Program Files\Microsoft Platform SDK\
    • Info - This wizard installs a lot of files - Full install size is 938 MB
    • Info - The only file needed is C:\Program Files\Microsoft Platform SDK\Bin\signtool.exe

  2. Enter cc21inst.exe at the command prompt.
    • Info - This will extract a lot of files in a subfolder CAPICOM 2.1.0.1
    • The only file needed is in C:\Downloads\CodeSigning\CAPICOM 2.1.0.1\x86\capicom.dll

  3. Enter pvkimprt.exe at the command prompt.
    1. Winzip asks for a folder - I'll use C:\Downloads\CodeSigning\PVK
    2. Create the PVK subfolder because one of the extracted files is also called pvkimprt.exe
    3. Click UnZip - Message '2 files created.'
    4. Enter cd pvk
    5. Enter pvkimprt.exe
    6. Dialog will be displayed to Install Microsoft PVKImprt. Click Yes to continue.
    7. Click Yes to Agree to the EULA.
    8. Change the default location from C:\Windows to C:\CodeSign and Click Continue
    • Info - A message will be displayed - Microsoft PVKImprt was successfully installed.
    • Info - You are done with downloading and extraction.
  4. Enter exit to return to the desktop.

Copy the Microsoft Files to Your Working Folder

  1. Copy C:\Program Files\Microsoft Platform SDK\Bin\signtool.exe to C:\CodeSign
  2. Copy C:\Downloads\CodeSigning\CAPICOM 2.1.0.1\x86\capicom.dll to C:\CodeSign
  3. Copy your certificate 'mycert.spc' to C:\CodeSign
  4. Copy your private key 'mykey.pvk' to C:\CodeSign

Create the PKCS12 File Combining Your Private Key and Certificate

A PKCS12 file combines your private key and certificate into one file.

  1. Click Start - Run. Type cmd and press enter
  2. Enter cd\
  3. Enter cd CodeSign
  4. Enter pvkimprt -PFX mycert.spc mykey.pvk
    1. A dialog will be displayed, prompting you to enter your password.
    2. The Certificate Export Wizard is displayed.
    3. Click Next on the first screen.
    4. Mark the radio button for 'Yes, export the private key' Click Next
    5. Mark the 2nd radio button, and mark the top 2 check boxes. Click Next.
    6. Enter your password again. Click Next.
    7. Enter your company name. The extension '.pfx' will be added. Click Next.
    8. Click Finish. Dialog is displayed 'Export was successful.'

Code Signing Process

  1. From the c:\Codesign> prompt enter the following on one line to sign your file:

    signtool sign /f mycompany.pfx /p mypassword /v /t http://timestamp.comodoca.com/authenticode myinstall.exe
  2. Info - 4 lines of your certificate info are displayed - includes Issued to and expiration date
  3. Additional progress information is displayed:
    • Attempting to sign: myinstall.exe
    • Successfully signed and timestamped: myinstall.exe
    • Number of files successfully Signed: 1
    • Number of warnings: 0
    • Number of errors: 0
  4. You can verify the file signing by entering:

    signtool.exe verify /pa /v myinstall.exe

From the above steps, it should be clear that retrieving the code signing files is more difficult than it needs to be. The large number of steps and the command line prompt can also be very tedious and error prone.

Code Signing with a Batch File

  1. Open Notepad
  2. Enter the following on one line to sign your file:

    signtool sign /f mycompany.pfx /p mypassword /v /t http://timestamp.comodoca.com/authenticode %1
  3. On the second line type pause and press the Enter key at the end of this line.
  4. Info - Pause allows you to see any error messages.
  5. Save the file in the C:\Codesign\ folder as AutoSign.bat
  6. Close Notepad. Use Windows Explorer and create a shortcut to AutoSign.bat on your desktop.
  7. Now you can drag and drop your file on top of the desktop shortcut.
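A fuller version of the signing step and the AutoSign.bat idea above, written as an added PowerShell example rather than code from the article: it keeps the PFX password out of the script file, stops when signtool reports a failure, and then checks the result the same way Windows Explorer does. The C:\CodeSign paths follow the article; the script parameters and the CODESIGN_PFX_PASSWORD environment variable are assumptions.

```powershell
# Added example, not part of the original article.
# Usage: .\Sign-And-Verify.ps1 -FileToSign C:\build\myinstall.exe
param(
    [Parameter(Mandatory = $true)]
    [string]$FileToSign,
    [string]$SignToolPath = 'C:\CodeSign\signtool.exe',
    [string]$PfxPath      = 'C:\CodeSign\mycompany.pfx',
    [string]$TimestampUrl = 'http://timestamp.comodoca.com/authenticode'
)

# Assumed: the password is supplied through an environment variable so it is
# not stored in plain text inside the script (signtool still receives it as a
# command-line argument, so sign on a machine you control).
$password = $env:CODESIGN_PFX_PASSWORD
if (-not $password) { throw 'Set CODESIGN_PFX_PASSWORD before running this script.' }
if (-not (Test-Path -LiteralPath $FileToSign)) { throw "File not found: $FileToSign" }

# Same signtool invocation the article uses. /t adds a trusted timestamp so the
# signature remains valid after the signing certificate itself expires.
& $SignToolPath sign /f $PfxPath /p $password /v /t $TimestampUrl $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Independent check through Windows' own Authenticode verification: the file
# hash must still match the signature, and the certificate must chain to a
# trusted root. Any tampering after signing shows up here as HashMismatch.
$sig = Get-AuthenticodeSignature -FilePath $FileToSign
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}
Write-Host ("Signed by:      " + $sig.SignerCertificate.Subject)
if ($sig.TimeStamperCertificate) {
    Write-Host ("Timestamped by: " + $sig.TimeStamperCertificate.Subject)
} else {
    Write-Warning 'No timestamp found; the signature will expire with the certificate.'
}
```

Get-AuthenticodeSignature can also be run on its own against any downloaded file to see the Status and signer that Windows Explorer reports in the file's Digital Signatures tab.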

An Easier Way to Code Sign

The software program "X2Net SignCode" from http://www.x2net.com can make the code signing process as easy as possible for $49. You fill in seven edit boxes on the application screen. That information is saved to your computer. Then, clicking a single toolbar button digitally signs your code. X2Net SignCode also supports being run from the command line or batch file as part of an automated build process. The software does not require either signcode.exe or signtool.exe to add your digital signature to your software.

Terry Jepson
www.wiscocomputing.com