
Exploring the CodeFluent Runtime: Authenticode


Today, in the series “Exploring the CodeFluent Runtime”, we’re going to explore how to sign an application with Authenticode.

Microsoft Authenticode, which is based on industry standards, allows developers to include information about themselves and their code with their programs through the use of digital signatures. Authenticode allows software vendors to sign:

  • .cab files
  • .cat files
  • .ctl files
  • .dll files
  • .exe files
  • .ocx files

First we need a certificate that allows code signing. If you don’t have one, let’s create a self-signed one (it will only be trusted on machines where its root certificate has been imported, so this is a test setup):

REM The path may change depending on the Windows SDK version you have installed
cd "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin"

REM Generate the root certificate
.\makecert.exe -r -pe -n "CN=Sample.CA" -ss CA -sr CurrentUser -a sha1 -cy authority -sky signature -sv d:\Sample.CA.pvk d:\Sample.CA.cer

REM Add the root certificate to the user's Root store (anything it issues is then trusted on this machine)
certutil.exe -user -addstore Root d:\Sample.CA.cer

REM Create the certificate for code signing
.\makecert.exe -pe -n "CN=Sample.CodeSigning" -eku "1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13" -a sha1 -cy end -sky signature -ic d:\Sample.CA.cer -iv d:\Sample.CA.pvk -sv d:\Sample.CodeSigning.pvk d:\Sample.CodeSigning.cer

REM Convert the certificate and its private key to the PFX file format
.\pvk2pfx.exe -pvk d:\Sample.CodeSigning.pvk -spc d:\Sample.CodeSigning.cer -pfx d:\Sample.CodeSigning.pfx

For convenience you can add the certificate to the personal store (“My”) by double-clicking the .pfx file in Explorer.

We can now sign a file. Add the “CodeFluent.Runtime.dll” reference and use the following code:

using System.Security.Cryptography.X509Certificates;

// If you have zero or more than one code signing certificate in the personal store, you have to load the certificate manually.
X509Certificate2 certificate = Authenticode.FindSuitableCertificate();
// Parameters: certificate, file to sign, timestamp server (null = no timestamp), display name
Authenticode.SignFile(certificate, "sample.exe", null, "SoftFluent");

The first line finds a valid code signing certificate in the user’s certificate store. If none is found, it returns null.

The second line signs the file. You have to indicate:

  • the certificate to use
  • the file to sign
  • the timestamp server URL (null here, so the file is not timestamped)
  • the display name

If you look at the file properties, you’ll find a new tab ‘Digital Signature’ which contains details about the signer.

[Image: the Digital Signature tab in the file properties dialog]

Please note:

  • you don’t need to provide a password or a path to the certificate => generic, simple and secure
  • the method doesn’t rely on the Windows SDK, so you don’t have to bother with the SDK path => much simpler 🙂
  • it’s a DLL, so it’s very easy to integrate into your application

Additionally you’ll find two methods:

// Determines whether the specified certificate can sign code.
public static bool CanSignCode(X509Certificate2 certificate)

// Determines whether the specified file is signed using Authenticode.
public static bool IsSigned(string filePath)

Starting with build 786:

When you sign a file with a timestamp server, an exception is sometimes raised. The workaround is to sign the file without a timestamp server and then timestamp the signed file:

X509Certificate2 certificate = Authenticode.FindSuitableCertificate();
// Sign first without a timestamp server (null) ...
Authenticode.SignFile(certificate, "sample.exe", null, "Sample");
// ... then timestamp the already signed file
Authenticode.TimeStampFile("sample.exe", "http://timestamp.verisign.com/scripts/timstamp.dll");

We also introduced a new overload that lets you specify the hash algorithm to use:

Authenticode.SignFile(certificate, "sample.exe", null, "Sample", Authenticode.Sha512AlgorithmId);
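As an added example (not code from this post or from the CodeFluent Runtime itself), the following C# program ties together the manual certificate selection mentioned above for the case where the personal store holds zero or several code signing certificates, the sign-then-timestamp workaround from build 786, and the SHA-512 overload. It then checks the result from the consumer’s side: it extracts the signer certificate embedded in the Authenticode signature and builds its chain, which is what decides whether the signer is actually trusted. It assumes the Authenticode class lives in the CodeFluent.Runtime.Utilities namespace (not stated in the post), that the Sample.CA root from the script above has been added to the user’s Root store, and it reuses the Sample.CodeSigning subject, the sample.exe file name and the timestamp URL from this post.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using CodeFluent.Runtime.Utilities; // assumption: namespace of the Authenticode class, not stated in the post

static class SignAndVerifySample
{
    // Code Signing enhanced key usage OID, the same value passed to makecert -eku above.
    const string CodeSigningEku = "1.3.6.1.5.5.7.3.3";

    // Manual selection for the case the post mentions: FindSuitableCertificate() returns null
    // when the personal store holds zero or several code signing certificates.
    static X509Certificate2 SelectCodeSigningCertificate(string subjectName)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = true drops expired certificates and those that do not chain to a trusted
            // root, so the self-signed Sample.CA must be in the Root store for the test certificate to match.
            X509Certificate2Collection bySubject = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, true);
            X509Certificate2Collection forCodeSigning = bySubject.Find(
                X509FindType.FindByApplicationPolicy, CodeSigningEku, true);

            foreach (X509Certificate2 candidate in forCodeSigning)
            {
                // Signing needs the private key; CanSignCode is the library's own suitability check.
                if (candidate.HasPrivateKey && Authenticode.CanSignCode(candidate))
                    return candidate;
            }
            return null;
        }
        finally
        {
            store.Close();
        }
    }

    // Build 786 workaround: sign without a timestamp server, then timestamp the signed file.
    // Returns the library's own IsSigned verdict, which only says that a signature is present.
    static bool SignThenTimestamp(X509Certificate2 certificate, string path, string timestampUrl)
    {
        if (certificate == null)
            throw new InvalidOperationException("No usable code signing certificate was found.");

        Authenticode.SignFile(certificate, path, null, "Sample", Authenticode.Sha512AlgorithmId);
        if (!string.IsNullOrEmpty(timestampUrl))
            Authenticode.TimeStampFile(path, timestampUrl);

        return Authenticode.IsSigned(path);
    }

    // Consumer-side check. CreateFromSignedFile only extracts the certificate embedded in the
    // Authenticode signature; X509Chain.Build decides whether that signer chains to a trusted root
    // and carries the code signing EKU. A file can carry a signature and still fail this check.
    static bool SignerChainsToTrustedRoot(string path, out string signerSubject)
    {
        X509Certificate2 signer = new X509Certificate2(X509Certificate.CreateFromSignedFile(path));
        signerSubject = signer.Subject;

        X509Chain chain = new X509Chain();
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid(CodeSigningEku));
        // The self-signed test CA publishes no CRL; keep revocation checking enabled for real CAs.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        return chain.Build(signer);
    }

    static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : "sample.exe";                        // file name from the post
        string timestampUrl = "http://timestamp.verisign.com/scripts/timstamp.dll";     // URL from the post

        // Prefer the library's lookup; fall back to manual selection when it returns null.
        X509Certificate2 certificate = Authenticode.FindSuitableCertificate()
            ?? SelectCodeSigningCertificate("Sample.CodeSigning");

        bool signed = SignThenTimestamp(certificate, path, timestampUrl);

        string subject;
        bool trusted = SignerChainsToTrustedRoot(path, out subject);
        Console.WriteLine("IsSigned: {0}; signer: {1}; chains to trusted root: {2}", signed, subject, trusted);
    }
}
```

Run it from a console project that references CodeFluent.Runtime.dll, passing the path of the executable to sign. The split between IsSigned and the chain build is the point: IsSigned answers “is there a signature?”, while the chain answers “do I trust who produced it?”, and a consumer should rely on the second.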

Happy authenticoding,

The R&D team

  1. September 27, 2014 at 2:23 pm

    This is really great, I only have one problem. I get this error: The process cannot access the file because it is being used by another process. It seems to happen every time I add a Time Server; without the Time Server it works great. Any ideas?

    • September 30, 2014 at 3:18 pm

      We updated the blog post as we made some changes in the Authenticode class.
