Code Signing

Sign Code

What is Code Signing and why do you need it?

Security is becoming increasingly important for software and media developers. "Code Signing" enables end users of your software to verify that the code you provide comes from the rightful source and that it has not been maliciously altered or accidentally corrupted.

Code signing technology has been available for many years, but many software vendors refrained from using it because of the complexity involved in the process. However, since the release of "Windows XP Service Pack 2", code signing can no longer be ignored.

With XP SP2, when downloading an UN-SIGNED program with Internet Explorer and choosing to open it (or even if saved to a file and later opened via Windows Explorer), the browser will display the following "Security Warning" dialog:

BUT - when downloading a SIGNED program the browser will display the following dialog:

When you sign your file you actually add a small digest of information (1-4 KB) to the end of the file. When the browser downloads the file it reads this digest and contacts a CA (Certificate Authority) such as verisign.com, thawte.com and others to verify with them the authenticity of the file.


Getting started

How to get started with code signing?

The first step you must take is getting the code signing tools from Microsoft.

You have 2 options available for you:
  • Option-A: suitable for ALL 32bit versions of Windows.
  • Option-B: Suitable ONLY for: Win2000, WinXP, Win2003.

Option-A

Microsoft first released code signing technology ("Authenticode" in MS terminology) back in 1998. At that time Microsoft provided a small (124 KB) self-extracting ZIP file named "codesigningx86.exe".

When opened, this file will produce the following files:
  • signcode.exe (*)
  • makecert.exe (*)
  • cert2spc.exe (*)
  • chktrust.exe (*)
  • certmgr.exe
  • makecat.exe
  • makectl.exe
Files marked with (*) are important for our discussion.

Unfortunately this file is no longer available on Microsoft's site.
You can still try to download it from the following site: www.cryptguard.com
(When you get to this page, search for the phrases: "codesigningx86.exe" or "Authenticode for Internet Explorer toolkit")

Today Microsoft provides those tools as part of the "Microsoft .NET Framework software development kit (SDK) 1.1". To download the SDK (162 MB), visit the following Microsoft Web site: http://www.microsoft.com/downloads/details.aspx?FamilyId=9B3A2CA6-3647-4070-9F41-A333C6B9181D&displaylang=en

After you install the SDK you will be able to find the code signing files in the following location on your PC:
    "\Program Files\Microsoft.NET\SDK\v1.1\Bin"
From the many files found in the above BIN directory the following are of interest to us:
  • signcode.exe
  • makecert.exe
  • cert2spc.exe
  • chktrust.exe

Option-B

Recently, with the introduction of "Visual Studio 2005", Microsoft has released a new set of tools.

The new set of tools is provided as part of "Visual Studio 2005" and in the "Platform SDK". To download the "Platform SDK" (~400 MB), visit the following Microsoft Web site: http://msdn.microsoft.com/platformsdk

After you install the SDK you will be able to find the code signing files in the following location on your PC:
    "\Program Files\Microsoft Platform SDK\Bin"
From the many files found in the above BIN directory the following are of interest to us:
  • signtool.exe
  • makecert.exe
  • cert2spc.exe
  • pvk2pfx.exe

Option-A & Option-B

All the above mentioned tools are actually small console programs that should be run from a command prompt. When run, each program expects command-line parameters in a special syntax. We will demonstrate how to do it later in this article.



Public Certificate

Where to get a Public Certificate?

To be able to sign your code you will need a certificate. Certificates are issued by special Internet organizations called CAs (Certificate Authorities). There are many such organizations; the most prominent ones are verisign.com and thawte.com.
You can get a full list of CAs by going to: Microsoft Root Certificate Program Members

However, acquiring a certificate is quite a tedious and time-consuming process (the CA has to identify you or your organization before it can issue a certificate), and you should expect to pay a few hundred dollars for the certificate.

So before you start with the process it is highly recommended that you create a "TEST certificate", and use it to sign your program as a test run.
A program signed by this certificate must not be distributed on the net.



Test Certificate

How to create a Test Certificate?

The following command line may be used to create a "Test Certificate" (CER) file:

 

makecert.exe -sv panta.pvk -n "CN=Pantaray Research Ltd." panta.cer

At the end of this process you will have the following 2 files:
  • panta.pvk - a "Private Key" file needed to create the certificate.
  • panta.cer - a "Public Key" file needed to create the certificate.
When running - "makecert.exe" will present the following dialog:

  

Enter here a password to protect your "Private Key".



Create Software Publishing Certificate

How to create a Software Publishing Certificate?

The "Software Publishing Certificate" (*.SPC file) is created from the "Public Key" file (*.CER) you created in the previous step.

The following command is used to create the "Software Publishing Certificate" (SPC) file:

 

cert2spc.exe panta.cer panta.spc

At the end of this process you will have one new file:
  • panta.spc - a "Software Publishing Certificate" file.
When running - "cert2spc.exe" will present the following dialog:

  

Enter here the same password you used when creating the "Test Certificate" or the "Public Certificate".



Purchase Software Publishing Certificate

How to purchase a Software Publishing Certificate?

You purchase a certificate from one of the CAs (Certificate Authorities) listed in the following link: Microsoft Root Certificate Program Members.

Once you select a CA, log in to its website and navigate to the page where the CA offers a "Code Signing Certificate". When you click the [Buy] button, the CA will lead you through a process that includes the following steps:
  • Enter your personal and company details.
  • Pay for the certificate.
  • Run a special applet that will create a Private Key file (*.PVK) on your computer.
During the creation of the Private Key file you will be prompted for a password. You should remember this password so that you can use it later when you sign your application. You must also copy the Private Key file to a safe place.

When creating the Private Key file on your computer, the applet will also create a complementary "Public Key" file and send it to the CA.

Now the CA will start a process that will verify and approve your organization and domain. This process usually takes a few days. During this time the CA might approach you by phone or other means and request some identifying documents.

When the verification process is concluded the CA will send you a link to a Certificate File (*.SPC). Download this file and do the following:

  • Copy the *.PVK file and the *.SPC file to a common directory.
  • Rename both files so that they have the same name (but different extensions).
The procedure described above may vary in details from one CA to another.


Personal Information Exchange

How to create a Personal Information Exchange file?

This step is optional. You will need it only if you select to work with Option-B as described above.

The following command line may be used to create a "Personal Information Exchange" (PFX) file:

 

pvk2pfx -pvk panta.pvk -pi Pass1 -spc panta.spc -pfx panta.pfx -po Pass2 -f

At the end of this process you will have one new file:
  • panta.pfx - a "Personal Information Exchange" file.
The program "pvk2pfx.exe" expects 2 passwords: Pass1 & Pass2:
Pass1: - Provide the same password you used when creating the Private & Public keys.
Pass2: - Provide a new password to protect the PFX file.

   * For security reasons it is recommended that Pass2 be different from Pass1.



Sign Your Code

How to sign your code?

As described above, you have 2 options to sign your code: Option-A and Option-B


Option-A - using signcode.exe

The following commands may be used to sign your code using Option-A:

 

set Product=LingoMAIL Multilingual EMail program
set File=lingo.exe
set TimeURL=http://timestamp.verisign.com/scripts/timstamp.dll

signcode -spc panta.spc -v panta.pvk -n "%Product%" -t "%TimeURL%" "%File%"

At the end of this process the program file "Lingo.exe" in this example will be signed.

As can be seen, this command expects the following parameters:

  • panta.spc: The Software Publishing Certificate.
  • panta.pvk: The private key you used to create your certificate.
  • Product: A descriptive name of your software program.
  • TimeURL: The URL of a time stamping service provided for free by verisign.com.
  • File: The file name of the executable you want to sign.


Option-B - using signtool.exe

The following commands may be used to sign your code using Option-B:

 

set File=lingo.exe
set TimeURL=http://timestamp.verisign.com/scripts/timstamp.dll

signtool.exe sign /f panta.pfx /p Pass2 /v "%File%" /t %TimeURL%

At the end of this process the program file "Lingo.exe" in this example will be signed.

As can be seen, this command expects the following parameters:

  • panta.pfx: The Personal Information Exchange file.
  • Pass2: Enter here the second password you used when creating the PFX file.
  • File: The file name of the executable you want to sign.
  • TimeURL: The URL of a time stamping service provided for free by verisign.com.



Verify your Digital Signature

How to verify your digital signature?

Also here, you have 2 options to verify your digital signature: Option-A and Option-B


Option-A - using chktrust.exe

The following commands may be used to verify your digital signature using Option-A:

 

set File=lingo.exe

chktrust.exe /q /v "%File%"

As can be seen, this command expects only one parameter: the name of the file under test.


Option-B - using signtool.exe

The following commands may be used to verify your digital signature using Option-B:

 

set File=lingo.exe

signtool.exe verify /v /a  "%File%"

As can be seen, this command expects only one parameter: the name of the file under test.


Verify using Properties

You can also use the following method to verify your digital signature:
  • Open Explorer.
  • Browse to the file you just signed.
  • Right Click the file name and select "Properties".
Explorer will present you with the properties dialog of the file.
This properties dialog will include a new tab "Digital Signatures".
You can now read the details of the signature in this tab.



QSetup Sign Code Dialog

How to use the QSetup "Sign Code" dialog to sign your Self Extract setup file?

By now you must be aware of the fact that "Code Signing" is quite a tedious task that involves many details and many stages. The purpose of the "Sign Code" dialog which is part of the QSetup Composer Version 7.5, is to streamline the process and make it as easy as possible.

The "Sign Code" dialog includes many data items. Most of the data items will be filled automatically by QSetup when the dialog is opened. All the items that you will fill manually (including passwords) will be stored in your registry (not the QSP file).

To open the "Sign Code" dialog, go to the "Project" page and click the [Sign Code] button.
The following dialog will be displayed:

  

The "Sign Code" dialog includes the following areas:
  • General: Enter here general information required for all next steps.
  • Create Test Certificate: Use this area to create a test certificate.
  • Create PFX File: Use this area to create a PFX file.
  • Sign Code: Use this area to sign your setup file.
  • Log Display: In this area a process log will be displayed during operation.



General

    SignCode Executable Location:
    Enter here the full path of the BIN directory where the signcode executables are located. As described above those tools might be found at:
    • "\Program Files\Microsoft.NET\SDK\v1.1\Bin"
    • "\Program Files\Microsoft Platform SDK\Bin"

    Key Files Location
    This is the place where your key files are stored.
    If you are creating a "Test Certificate" the PVK & CER files will be placed in this directory.
    If you are using a genuine Certificate that you received from a CA, put the CER file in this directory.
    Also the SPC & PFX files will be placed in this directory.

    Time Stamp URL
    The URL of a time stamping service provided for free by verisign.com.
    This URL should be: "http://timestamp.verisign.com/scripts/timstamp.dll".

    Key File Name
    Enter here a short name for the key files ("panta" in our above samples).
    This name will be used for all the files used and produced in the various stages of the process.
    The files we refer to are: PVK, CER, SPC & PFX.

    Signing Tool
    Here you may select one of 2 options:
    • SignCode.exe - (All Windows) - corresponds to Option-A above.
    • SignTool.exe - (Win2K, WinXP, Win2K3) - corresponds to Option-B above.

Create Test Certificate

    Use this area if you want to create a test certificate.
    Enter your "Company Name" and click the [Create] button.
    This step will run the "makecert.exe" program and produce PVK & CER files.
    Then it will run the "cert2spc.exe" program and produce SPC file.
    • If you are using a genuine Certificate that you received from a CA, then this step should be avoided.

Create PFX File

    Use this area if you want to create a PFX File.
    Enter the Private Key password as "PVK Password".
    Enter a new password as "PFX Password".
    Click the [Create] button.
    This step will run the "pvk2pfx.exe" program and produce a PFX file.
    This step is required only if you are using Option-B (SignTool.exe).

Sign Code

    Use this area to sign your Self Extract setup file.
    In day to day use this is the only step that you will have to repeat after compiling a setup file. There is no need to repeat the steps of creating various key files.

    PFX Password
    Enter here the same password you entered for "PFX Password" in the previous area.
    This item is required only if you are using Option-B.

    Product Name
    Enter here a descriptive name of your product.
    This item is required only if you are using Option-A.

    Target File Name
    Enter here the full path of your Self Extract setup file.

    [Sign]
    Click the [Sign] button to sign your Self Extract setup file.

    [Verify]
    Click the [Verify] button to verify your Self Extract setup file.

    [Properties]
    Click the [Properties] button to display the "Properties" dialog of your Self Extract setup file.

Use Batch File

    Normally the "Sign Code" dialog will run the various tools in hidden mode. If the Use Batch File option is checked, the "Sign Code" dialog will run the various tools in visible mode and pause after every process. Use this option if you encounter problems and want to see the progress of the various tools and stages.


Further Reading

Use the following links to learn more about Code Signing and Authenticode

 
     

 
 
  Last edited: 05-AUG-2008  –  Copyright © 2002-2008 Pantaray Research, All Rights Reserved.