Exploring the CodeFluent Runtime: Authenticode
Today, in the series “Exploring the CodeFluent Runtime”, we’re going to explore how to sign an application with the Authenticode method.
Microsoft Authenticode, which is based on industry standards, allows developers to include information about themselves and their code with their programs through the use of digital signatures. Authenticode allows software vendors to sign:
- .cab files
- .cat files
- .ctl files
- .dll files
- .exe files
- .ocx files
First we need a certificate that allows Code Signing. If you don’t have one, let’s create a self-signed one:

```batch
REM May change depending on your installed Windows SDK
cd "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin"
REM Generate the root certificate
.\makecert.exe -r -pe -n "CN=Sample.CA" -ss CA -sr CurrentUser -a sha1 -cy authority -sky signature -sv d:\Sample.CA.pvk d:\Sample.CA.cer
REM Add the root certificate to the user store
certutil.exe -user -addstore Root d:\Sample.CA.cer
REM Create the certificate for code signing (EKU: Code Signing 1.3.6.1.5.5.7.3.3, Lifetime Signing 1.3.6.1.4.1.311.10.3.13)
.\makecert.exe -pe -n "CN=Sample.CodeSigning" -eku "1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13" -a sha1 -cy end -sky signature -ic d:\Sample.CA.cer -iv d:\Sample.CA.pvk -sv d:\Sample.CodeSigning.pvk d:\Sample.CodeSigning.cer
REM Convert the certificate to pfx file format
.\pvk2pfx.exe -pvk d:\Sample.CodeSigning.pvk -spc d:\Sample.CodeSigning.cer -pfx d:\Sample.CodeSigning.pfx
```
For convenience you can add the certificate to the personal store (“My”) by double clicking on it in the explorer.
We can now sign a file. Add the “CodeFluent.Runtime.dll” reference and use the following code:
```csharp
using System.Security.Cryptography.X509Certificates;
// The Authenticode class ships in CodeFluent.Runtime.dll; add a using directive for its namespace.

// If you have zero or more than one code signing certificate in the personal store,
// you have to load the certificate manually.
X509Certificate2 certificate = Authenticode.FindSuitableCertificate();
Authenticode.SignFile(certificate, "sample.exe", null, "SoftFluent");
```

The first line finds a valid certificate for code signing in the user certificate store. If none is found (or more than one is found), it returns null.
The second line signs the file. You have to indicate:
- the certificate to use
- the file to sign
- the timestamp server
- the display name
If you look at the file properties, you’ll find a new tab ‘Digital Signature’ which contains details about the signer.
Advantages of this approach:
- you don’t need to provide a password, nor a path to the certificate => generic, simple and secure
- the method doesn’t rely on the Windows SDK, so you don’t have to bother with the SDK path => much simpler 🙂
- it’s a DLL, so it’s very easy to integrate into your application
Additionally you’ll find two methods:
```csharp
// Determines whether the specified certificate can sign code.
public static bool CanSignCode(X509Certificate2 certificate)

// Determines whether the specified file is signed using Authenticode.
public static bool IsSigned(string filePath)
```
Starting with build 786:
When you sign a file with a timestamp server, an exception is sometimes raised. The workaround is to sign the file without using a timestamp server and then timestamp the signed file:
```csharp
X509Certificate2 certificate = Authenticode.FindSuitableCertificate();
// Sign without a timestamp server first...
Authenticode.SignFile(certificate, "sample.exe", null, "Sample");
// ...then timestamp the already signed file.
Authenticode.TimeStampFile("sample.exe", "http://timestamp.verisign.com/scripts/timstamp.dll");
```

We also introduce a new overload which allows you to specify the hash algorithm to use:

```csharp
Authenticode.SignFile(certificate, "sample.exe", null, "Sample", Authenticode.Sha512AlgorithmId);
```
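Putting the pieces together, here is an added example (not code from the CodeFluent Runtime itself) that selects the code-signing certificate manually from the personal store, as the note above recommends when `FindSuitableCertificate` returns null, then applies the sign-then-timestamp workaround with the SHA-512 overload and checks the result with `IsSigned`. The subject name `Sample.CodeSigning`, the file path and the `Signer` class are assumptions for this example; the `Authenticode` methods are the ones documented above.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
// Authenticode comes from CodeFluent.Runtime.dll; add a using directive for its namespace.

static class Signer
{
    // Enhanced key usage OID for Code Signing (id-kp-codeSigning).
    const string CodeSigningEku = "1.3.6.1.5.5.7.3.3";

    // Explicit selection from the "My" store: filter on the Code Signing EKU and the
    // expected subject, only keep certificates that chain to a trusted root (validOnly)
    // and that actually carry a private key, then let the runtime confirm it can sign code.
    public static X509Certificate2 FindCodeSigningCertificate(string subjectName)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection candidates = store.Certificates
                .Find(X509FindType.FindByApplicationPolicy, CodeSigningEku, true)
                .Find(X509FindType.FindBySubjectName, subjectName, true);
            foreach (X509Certificate2 cert in candidates)
            {
                if (cert.HasPrivateKey && Authenticode.CanSignCode(cert))
                    return cert;
            }
            return null;
        }
        finally { store.Close(); }
    }

    // Workaround for the timestamp exception: sign without a timestamp server,
    // then timestamp the signed file, and verify that a signature is now present.
    public static void SignAndTimestamp(X509Certificate2 cert, string path, string timestampUrl)
    {
        Authenticode.SignFile(cert, path, null, "Sample", Authenticode.Sha512AlgorithmId);
        Authenticode.TimeStampFile(path, timestampUrl);
        if (!Authenticode.IsSigned(path))
            throw new InvalidOperationException("No Authenticode signature found on " + path);
    }

    static void Main()
    {
        X509Certificate2 cert = FindCodeSigningCertificate("Sample.CodeSigning");
        if (cert == null) { Console.Error.WriteLine("No usable code-signing certificate."); return; }
        // Hypothetical file path; the timestamp URL is the one used earlier in this post.
        SignAndTimestamp(cert, @"d:\sample.exe", "http://timestamp.verisign.com/scripts/timstamp.dll");
        Console.WriteLine("Signed with " + cert.Subject + " (thumbprint " + cert.Thumbprint + ")");
    }
}
```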
The R&D team