Code Signing ActiveX Controls and Windows Programs

Digitally signing Windows software is straightforward and can be performed in a few simple steps. Unfortunately, the documentation for the overall process is spread across many web sites, which further adds confusion to the terminology, file types and available tools. This article is an attempt to summarize the process under Windows from a practical perspective and without adding too much technical detail.

Tags: activex cryptography programming security windows

Prerequisites

The following items are required for code signing on Windows:

  • Code signing certificate: Digital certificate to identify you, the publisher
  • SignTool.exe: Performs the actual code signing.

The Sign Tool is included with Visual Studio 2005. It is not part of Visual Studio 2008 and 2010, but it can be found in all newer Platform SDKs. It is usually located in one of the following directories:

  • C:\Program Files\Microsoft Platform SDK for Windows Server 2003 R2\Bin
  • C:\Program Files\Microsoft SDKs\Windows\v6.0\bin
  • C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin
  • C:\Program Files\Microsoft SDKs\Windows\v7.0A\bin
  • C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin
  • C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin

Obtaining a Certificate

Code signing certificates can be obtained in one of three ways:

Self-signed certificates can be created instantly by anyone and should therefore only be used for development and testing. Since there is no trusted organization backing up the identity you’re claiming, most end-users who don’t know you will likely not trust your software.

If your product is to be used only within an organization, such as a company, a locally trusted Certificate Service running on your company’s network can be used to generate a certificate. For commercial products distributed over the internet, however, it is recommended to obtain the certificate from a trusted root certificate authority, because these authorities are already trusted by all modern operating systems, and your end users will likely not be willing to execute your software without such a certificate.

Commercial code signing certificates come in different flavors and packages, and it is worthwhile to shop around before possibly shelling out hundreds of dollars. At the time of this writing, a simple code signing certificate that covers most applications, such as ActiveX controls, DLLs, CAB files and installers can be purchased for $180 per year. Specialized applications, such as signed device drivers for 64-bit versions of Microsoft Windows usually require more expensive packages.

For projects that are not associated with a company or public organization you may also consider purchasing StartCom’s affordable Class 2 Identity Validation for less than $50, which can be used to create personal code signing certificates.

Please note that the duration of a certificate’s validity only affects how long it can be used to sign new products. Old software will continue to function beyond this time period – if signed with a timestamp.

Technical Details

Certificates for code signing generally consist of a pair of two files:

  • A Software Publisher Certificate File (.spc) containing the public part of the certificate
  • A Private Key File (.pvk) containing the private key used to create the certificate

As the name suggests, the private key file should be known only to the software publisher and never be disclosed to anyone, because whoever holds it can produce signatures (and certificates) in the publisher’s name.

Finally, the file needed for the signing of binaries under Windows is a PKCS #12 Personal Information Exchange File (comes with different file extensions, such as .pfx or .p12) that stores an encrypted version of the certificate. This file can be generated from the two files above using Microsoft’s Digital Certificate Files Importer or it can be exported from the web browser (see next paragraphs).

Exporting PFX from a Web Browser

With most commercial certificate authorities it is possible to perform the entire certificate creation process in a web browser. It generally starts with the user initiating a certificate request by purchasing a certificate. The web browser then creates, submits and locally stores a Certificate Enrollment Request. These requests are being verified by the certificate authority within a few days. Upon approval, the certificate authority will provide a link where a .spc file can be downloaded and/or installed in the web browser. If installed, the web browser can then export a PKCS #12 file.

Firefox

  1. Click Tools → Options
  2. In the Advanced section select the Encryption tab and click View Certificates
  3. Select the certificate to be exported and click Backup
  4. Choose PKCS12 as the file type to save
  5. Create a strong password to protect the private key inside the saved file and click OK.

Firefox should confirm that the export was completed successfully.

Internet Explorer

  1. Click Tools → Options
  2. On the Content tab click Certificates
  3. Select the certificate to be exported and click Export…
  4. In the Certificate Export Wizard check Yes, export the private key, and click Next
  5. Select the Personal Information Exchange format, check Include all certificates in the certification path if possible, check Delete the private key if the export is successful, and check Export all extended properties, then click Next
  6. Create a strong password to protect the private key inside the saved file and click Next
  7. Enter a file name for the target file, click Next, and then Finish.

Internet Explorer should confirm that the export was completed successfully.

Exporting PFX from SPC/PVK Pair

If you created a certificate manually, through a certificate service or otherwise ended up with a SPC/PVK file pair, you will need to use Microsoft’s Pvkimprt.exe tool to manually create a .pfx file for signing with the following command line:

pvkimprt -pfx YourCertificate.spc YourPrivateKey.pvk

The importer may ask for a password if one has been used to protect the private key file (which is highly recommended). The file format to be exported must be Personal Information Exchange – PKCS #12 (.PFX), and the Include all certificates in the certification path if possible and Enable strong protection options should be checked.

Please note that the pvkimprt.exe in the download is just a self-extracting ZIP file that contains the actual pvkimprt.exe, which needs to be extracted first.

Signing The Binaries

Once the PKCS #12 file (.pfx, .p12 or similar) is available, everything is ready to sign the software. The code signing is performed with Microsoft’s Sign Tool and consists of a single command line:

signtool sign /f YourCertificate.pfx /p YourCertificatePassword /t TimeStampUrl /d "ProductName" /du ProductUrl FileToSign

The parameters in the command line above are as follows:

  • YourCertificate: The PFX file generated with Pvkimprt.exe in the previous step
  • YourCertificatePassword: The password used to protect the private key in the PFX file
  • TimeStampUrl: The URL to a server that provides a timestamp.

Please note that timestamps are optional, but they ensure that the signed product will not expire when the code signing certificate expires. If timestamps are not used, the product must be signed again with a new certificate once the old one has expired. With a timestamp, the software will continue to function until the timestamp server’s certificate expires, which is usually at least a few years in the future.

Commonly used timestamp servers are provided by root certificate authorities, for example:

  • http://timestamp.comodoca.com/authenticode
  • http://timestamp.verisign.com/scripts/timstamp.dll
  • http://www.startssl.com/timestamp
  • http://tsa.starfieldtech.com

Other servers, including your own, may be used instead.

  • ProductName: User defined name of the product to be signed, e.g. "My Cool Product"
  • ProductUrl: User defined web URL for the product to be signed, e.g. http://www.mycoolproduct.com
  • FileToSign: The product to be signed, e.g. MyCoolActiveX.dll, MyCoolProgram.exe or MyCoolInstaller.msi

Verifying a Signature

Once a file is signed, the signature can be verified by selecting the Digital Signatures tab, which should now be present in the file’s properties.

It is also possible to invoke a signature check using the Sign Tool with the following command line:

signtool verify /pa FileToSign
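The signing and verification steps above, as an added PowerShell example that is not part of the original article: it locates signtool.exe in the SDK directories listed under Prerequisites, signs each file with a timestamp (falling back to the next timestamp server from the list above if one is unreachable), and then checks the result with both signtool verify /pa and PowerShell’s Get-AuthenticodeSignature. The PFX path, product name, product URL and file names are placeholders.

```powershell
# Added example, not from the original article. Placeholder values below.
param(
    [string]$PfxPath = 'C:\keys\YourCertificate.pfx',          # assumed path
    [string]$ProductName = 'My Cool Product',
    [string]$ProductUrl = 'http://www.mycoolproduct.com',
    [string[]]$Files = @('.\MyCoolActiveX.dll', '.\MyCoolProgram.exe')
)

# Locate signtool.exe: PATH first, then SDK directories named in the article.
$candidates = @(
    'C:\Program Files\Microsoft SDKs\Windows\v7.0A\bin',
    'C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin',
    'C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin'
)
$signtool = (Get-Command signtool.exe -ErrorAction SilentlyContinue).Path
if (-not $signtool) {
    $signtool = $candidates | ForEach-Object { Join-Path $_ 'signtool.exe' } |
        Where-Object { Test-Path $_ } | Select-Object -First 1
}
if (-not $signtool) { throw 'signtool.exe not found' }

# Prompt for the PFX password instead of hard-coding it in the script,
# so it is not stored in source control or shell history.
$secure   = Read-Host -Prompt 'PFX password' -AsSecureString
$password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# Timestamp servers from the article; try the next one if a server is down.
$tsaUrls = @('http://timestamp.comodoca.com/authenticode',
             'http://timestamp.verisign.com/scripts/timstamp.dll')

foreach ($file in $Files) {
    $signed = $false
    foreach ($tsa in $tsaUrls) {
        & $signtool sign /f $PfxPath /p $password /t $tsa `
            /d $ProductName /du $ProductUrl $file
        if ($LASTEXITCODE -eq 0) { $signed = $true; break }
        Write-Warning "Timestamp server $tsa failed for ${file}, trying next"
    }
    if (-not $signed) { throw "Signing failed for $file" }

    # Verify against the default Authenticode policy (/pa), then cross-check
    # the chain status with PowerShell's own Authenticode cmdlet.
    & $signtool verify /pa $file
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid') {
        throw "Verification failed for ${file}: $($sig.Status)"
    }
    "$file signed by $($sig.SignerCertificate.Subject)"
}
```

The password is still passed to signtool as a process argument; if that is a concern on a shared build machine, import the PFX into the certificate store and have signtool pick it up from there instead of using /f and /p.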

Related Resources