I have a .cat file that is signed by MS and I would like to append the SHA1 signature to it. However, signtool fails using /as to append the SHA1 signature. Error 0x80070057. I often sign using SHA1 first and use /as on the SHA256 signature and that works fine. It doesn't seem to like the /as with SHA1. Is there a way to get signtool to do it, does an updated version do it (using version from 8.1), or is there another tool that will do it?
TIA!!
The answer is you can't as of this time. SHA1 has to be first.
But it doesn't matter because attestation signing only flags the .CAT valid for Windows 10. Prior windows will complain so you need to create your own separate .CAT file using inf2cat indicating which OSes to support.
Related
We just switched from a SHA-1 to a SHA-2 code signing certificate. (As background info, we sign .exe and .xap files on Windows with signtool.exe, using COMODO code signing certificates.) We do this using a certified timestamp, to make sure that Windows keeps trusting the code signature after the code signing certificate expires.
Now I noticed that the timestamp certificate is still a SHA-1 certificate, when using http://timestamp.comodoca.com/authenticode. (Details: It is df946a5... with Subject 'CN=COMODO Time Stamping Signer,O=COMODO CA Limited,L=Salford, S=Greater Manchester,C=GB'.)
(On Windows one can see that certificate by taking a signed .exe, then in its Explorer Properties dialog go to the Digital Signatures tab, select the signature and click Details, then in the Digital Signature Details dialog click the counter signature and click Details, then in the second Digital Signature Details dialog click on View Certificate. The certificate is a SHA-1 certificate if its 'Signature hash algorithm' is 'sha1'.)
Will this be a problem? In other words, after our current code signing certificate has expired, and after Microsoft Windows treats SHA-1 as a broken algorithm (which is in 2020 at the latest), will our current signatures still be trusted? Or will Windows say, “The timestamp is within the code signing certificate's validity range, but the timestamp was signed with a SHA-1 certificate, so I will not trust the timestamp, and therefore I won't trust this signature”?
Is there another service we can/should use? (Not Verisign's http://timestamp.verisign.com/scripts/timstamp.dll, since they also still use a SHA-1 time stamping certificate, viz. 6543992...)
Since 1/1/2017, you can no longer use SHA-1 on Windows 7 and later (if timestamped after 1/1/2016).
This article describes how to obtain a SHA-256 timestamp certificate, using the timestamp URL http://timestamp.globalsign.com/?signature=sha2. As an alternative, see this list of timestamp servers which you can also use.
The signtool /td flag is also important (and poorly documented).
Signing like this:
signtool sign /fd SHA256 /tr http://timestamp.globalsign.com/?signature=sha2 /td SHA256 /a filename.exe
results in an executable with a code sign certificate and timestamp certificate with SHA-256 signature hash algorithm.
You can use your SHA-2 certificate to double-sign code so that it validates under XPsp3 and Vista (which don't understand SHA-2) as well as later OSs (Win 7, 8, 10).
It's a two-step process that first signs with SHA-1, then appends a SHA-256 signature. Though it is not explicit, the first run of signtool defaults to SHA-1 signing. In the second run, you request the sha256 digest algorithm with the /fd option. The time servers in this example are Comodo's.
signtool sign /f cert.pfx /p your_cert_password /t "http://timestamp.comodoca.com" /v file_to_sign.exe
signtool sign /f cert.pfx /p your_cert_pass /fd sha256 /tr "http://timestamp.comodoca.com/?td=sha256" /td sha 256 /as /v file_to_sign.exe
You need to use a version of signtool that supports dual signing (the /as option). I believe that's Windows SDK version 8.1 or higher.
When you have done this, check the security properties of the executable, and you should see both SHA-1 and SHA-256 signatures (under later OSs) but only the SHA-1 signature under XP/VISTA.
Note that other time servers have different options to specify the digest algorithm. Your issuing CA should be able to provide the appropriate URLs.
I'm unclear how a driver should be signed in my specific circumstances.
OpenVPN has a tap driver that consists of tap0901.sys, tap0901.cat and OemWin2k.inf files.
When I install it using "devcon install OemWin2k.inf tap0901" on my win7 64-bit, it installs silently, without scary warnings.
I renamed the driver to have a different name ogtap100 (by renaming files to ogtap100.sys, ogtap100.cat and replacing "tap0901" strings in OemWin2k.inf to "ogtap100", as per http://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers and comments in OemWin2k.inf).
However, when I run "devcon install OemWin2k.info ogtap100" on the renamed driver, I get big scary warning from Windows that the driver comes from unknown source. It'll install but I plan to ship it as part of my app, so big scary warning is not good.
When I run "signtool verify /v ogtap100.cat", I get: "SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider." even though it also says that root certificate is "Issued to: DigiCert High Assurance EV Root CA".
I've tried re-signing (signtool sign /f cert.pfx ogtap100.cat) with my own certificate (which works when signing regular .exe files) but I get the same scary warning.
What am I missing?
Can it be sth. to do with catalog (.cat) file?
I've read http://msdn.microsoft.com/en-us/windows/hardware/gg463050 but it assumes that I'll generate .cat file myself. I already have .cat file from OpenVPN. Do I have to re-generate it after renaming files and OewmWin2k.inf? If yes, how?
1) Did you ensure that you got the high assurance digicert certificate? The standard one they issue isn't meant for drivers. It is simple to change...
https://www.digicert.com/code-signing/driver-signing-in-windows-using-signtool.htm
2) If you download the Windows 7 DDK and do a little 'reading the intent and the code' as opposed to just following the instructions, you can succeed at building your own driver (cat and sys files), properly renamed and signed.
https://community.openvpn.net/openvpn/wiki/BuildingTapWindows
Look at the OemWin2k.inf generated for some strong hints for renaming. Note: The Time stamp needs to be correct, and it is in (the ridiculous) mm/dd/yyyy format.
3) As for the warning message, at least you can get it to properly display your company name, and Windows will accept (and not disable) the properly signed driver.
For details about driver signing, check out
https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/0b00c9d4-dff9-4fbe-b741-768c9b39349c/practical-windows-code-and-driver-signing-discussion?forum=wdk
This is a summery that points to some reference docs. Generating the .cat file from the inf is simple.
Check out the syntax and order of operation. I'm also using a Digicert certificate. make sure you have one issued for driver signing and pay attention to the make sure the cross certificate is correct.
The build script uses the inf2cat method, so if you are following the WHOLE instructions (and searching for the stuff in the settings that the inf didn't tell you about ... look for constants) then you are generating the .cat file.
For my install, I figured that the .sys file should be signed before generating the .cat and signing it.
Also, make sure your pc has all the windows updates. This actually did work to 'fix' a pc that had the same error signature. (It didn't have the required certificate to validate the cross certificate, which it automatically downloaded.)
We purchased the Microsoft Authenticode certificate from Thawte. Now I have it in a PFX file. I try the following:
D:\sign>signtool sign /f ./cert/cert.pfx /p mypass /t http://timestamp.verisign.com/scripts/timstamp.dll "mySetup.exe"
Done Adding Additional Store
Successfully signed and timestamped: mySetup.exe
But when I run mySetup.exe, it runs like unsigned, and shows "Unknown Publishier".
When I verify the EXE file with SignTool, I get following.
D:\sign>SignTool verify mySetup.exe
SignTool Error: WinVerifyTrust returned error: 0x800B010A
SignTool Error: File not valid: mySetup.exe
Number of errors: 1
What is wrong?
It may be related to the fact that Thawte uses an Intermediate Certificate for signing. They consider this to be within best practices, which I won't argue one way or the other.
From an end user standpoint, however, this can lead to complications. This is a known issue with VSTO (Visual Studio Tools for Office) solutions using ClickOnce, and may be what is affecting you here.
The solution for dealing with this is, sadly, that you will need to add the appropriate Intermediate CA's cert to all end user machines:
Resolution
The workaround to this issue is to include the Intermediate Certificate Authorities’ certificate on all end user machines where the application will be installed. As of now the issue is reported only with the handling of Thawte certificate and would require that Thawte intermediate certificate be installed on the end users machine.
Thawte provides links to the appropriate CA certs for their Intermediate Certificates
I can't really see a big difference other than signtool is newer and requires different file formats for your digital certificate?
They both accomplish the same thing -- code signing. As you pointed out, the principal difference is that signcode requires the private key and software publisher certificate to be in two separate files (.pvk, .spc).
The more modern signtool requires that they are contained in a single Personal Information Exchange (.pfx) file. (You also need the .pfx file format to use the Association of Shareware Professionals' PAD signing toolkit.)
In addition to John Feminella's answer above, signtool allows you to alternatively provide the thumbprint hash of the certificate instead of the .pfx file if the cert is loaded into the local (user or machine) certificate store.
A major difference is that SignCode can run as a Windows GUI and be configurable on demand, while SignTool can be run from the CMD prompt or from a .bat file.
I have an EXE file that I should like to sign so that Windows will not warn the end user about an application from an "unknown publisher". I am not a Windows developer. The application in question is a screensaver generated from an application that generates screensaver applications. As such I have no influence on how the file is generated.
I've already found out that I will need a code signing certificate from a CA like Verisign or instantssl.com. What I don't understand is what I need to do (if at all possible) to sign my EXE file. What is a simple explanation?
Mel Green's answer took me further, but signtool wants me to specify what certificate to use in any case. Can I get a free code signing certificate somehow to test if this will work for me at all?
Also please specify which certificate kind is the correct one. Most sites only mention "code signing" and talk about signing applications that are actually compiled by the user. This is not the case for me.
How to sign your app
Use Microsoft's SignTool to sign your app.
You download it as part of the Windows SDK. Note that it's also possible to install SignTool without installing the entire SDK. Once installed you can use SignTool from the command line like so:
signtool sign /a /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 MyFile.exe
This will sign MyFile.exe. Explanation of the used command line options:
/a will automatically use the certificate that is valid for the longest time. If you have no certificate, SignTool will display an error.
/fd SHA256 will use the SHA-256 digest algorithm for the file signature. Using SHA256 is recommended and considered to be more secure than the default SHA1 digest algorithm.
/tr http://timestamp.digicert.com adds a timestamp to your signed apps. This is extremely important because this will allow the signature to remain valid even after the certificate itself has already expired. The argument for the /tr option is a timestamp URL. You can use any of the timestamp URL's from this list of free RFC 3161 timestamp servers.
/td SHA256 will use the SHA-256 digest algorithm for the timestamp signature. As before, using SHA256 is recommended and considered to be more secure.
How and when to use self-signed certificates
If you'd like to get a hold of a certificate that you can use to test your process of signing the executable, you can use MakeCert to create a self-signed certificate.
Once you've created your own certificate and have used it to sign your executable, you'll need to manually add it as a Trusted Root CA for your machine in order for UAC to accept your self-signed certificate as a trusted source. Note that you can only do this on your own development machines. You usually can not do this on your user's computers, since most users will not accept to install a new Root CA for good reasons.
How to get rid of the "unrecognized app" warning
Even if your app is signed, you might still see the following warning message when trying to run the app:
Microsoft Defender SmartScreen prevented an unrecognized app from
starting. Running this app might put your PC at risk.
How to avoid this warning is a somewhat complex topic. Please see this answer to get the whole picture about these Microsoft SmartScreen warnings and what you can do and should know about it.
I had the same scenario in my job and here are our findings
The first thing you have to do is get the certificate and install it on your computer, you can either buy one from a Certificate Authority or generate one using makecert.
Here are the pros and cons of the 2 options
Buy a certificate
Pros
Using a certificate issued by a CA(Certificate Authority) will
ensure that Windows will not warn the end user about an application
from an "unknown publisher" on any Computer using the certificate
from the CA (OS normally comes with the root certificates from manny
CA's)
Cons:
There is a cost involved on getting a certificate from a CA
For prices, see https://cheapsslsecurity.com/sslproducts/codesigningcertificate.html and https://www.digicert.com/code-signing/
Generate a certificate using Makecert
Pros:
The steps are easy and you can share the certificate with the end users
Cons:
End users will have to manually install the certificate on their machines and depending on your clients that might not be an option
Certificates generated with makecert are normally used for development and testing, not production
Sign the executable file
There are two ways of signing the file you want:
Using a certificate installed on the computer
signtool.exe sign /a /s MY /sha1 sha1_thumbprint_value /t http://timestamp.verisign.com/scripts/timstamp.dll /v "C:\filename.dll"
In this example we are using a certificate stored on the Personal folder with a SHA1 thumbprint (This thumbprint comes from the certificate) to sign the file located at C:\filename.dll
Using a certificate file
signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f "c:\path\to\mycert.pfx" /p pfxpassword "c:\path\to\file.exe"
In this example we are using the certificate c:\path\to\mycert.pfx with the password pfxpassword to sign the file c:\path\to\file.exe
Test Your Signature
Method 1: Using signtool
Go to: Start > Run
Type CMD > click OK
At the command prompt, enter the directory where signtool exists
Run the following:
signtool.exe verify /pa /v "C:\filename.dll"
Method 2: Using Windows
Right-click the signed file
Select Properties
Select the Digital Signatures tab. The signature will be displayed in the Signature list section.
I hope this could help you
Sources:
https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537361(v=vs.85)
https://www.digicert.com/kb/code-signing/signcode-signtool-command-line.htm
https://learn.microsoft.com/en-us/windows/win32/seccrypto/makecert
https://cheapsslweb.com/comodo-code-signing
You can get a code-signing certificate from Certum if you're doing open source development. I've been using their certificate for over a year, and it does get rid of the unknown publisher message from Windows. Price history:
2005 - €14.00
2019 - €25.00
2022 - €69.00
As far as signing code I use signtool.exe from a script like this:
signtool.exe sign /t http://timestamp.verisign.com/scripts/timstamp.dll /f "MyCert.pfx" /p MyPassword /d SignedFile.exe SignedFile.exe
Another option, if you need to sign the executable on a Linux box is to use signcode from the Mono project tools. It is supported on Ubuntu.
The ASP's magazine ASPects has a detailed description on how to sign code (You have to be a member to read the article). You can download it through http://www.asp-shareware.org/
Here's link to a description how you can make your own test certificate.
This might also be interesting.
This is not a direct answer to the question, but it is closely related (and useful I hope) since sooner or later any individual programmer will have put his hand into the wallet.
So, prices for EV (Extended Validation) Code Signing Certificates, sorted by price:
AboutSSL
$240/Year (clickbait price)
$287/Year (real price, after coupon)
KSoftware.net
1 Year $350 + ($50 hidden fee!)
2 Year $600
3 Year $750
OV: $84 per year (for 3 years)
I purchased from them an EV. Some years later I purchased an OV. The eToken was sent on a USB stick. No reader needed. They are only intermediary. In the end, you actually purchase from Comodo (Sectigo).
Sectigo is veeeeerrry slow.
The second time, the verification took two full months. The phone verification failed multiple times. Everything was cumbersome. The tech support didn't have a clue about what is going on, probably just a guy in Pakistan reading through some script.
Sklep.certum.pl
1 Year 379 euro
(seems to be for Poland users only)
LeaderSsl.de
1 Year 364 euro or 307 euro (+19%VAT)
(OV 69+VAT)
Sectigo.com
1 Year $499 USD
3 Year $897 USD
GlobalSign.com
1 Year $410 total
2 Years $760 total
3 Years $950 total
Digicert.com
1 Year: $600 (it was $104)
3 Year: ?
symantec.com
1 Year: $700
3 Years: ridiculous expensive
More prices here:
cheapsslsecurity.com CodeSigning EV
cheapsslsecurity.com SSL only!
EV vs OV
With EV, nine additional steps are required including verifying a businesses’ public phone number, length of time in business, registration number and jurisdiction, as well as a domain fraud check, contact blacklist check and a telephone call to authenticate the employment status of the requestor.
Some recommend submitting a program signed with OV to Microsoft to be checked with their antivirus.
IF YOU FIND CHEAPER PRICES, let me know, and I will update the list!
How to use the certificate?
To sign the exe file, I used MS signtool.exe. For this you will need to download the bloated MS Windows SDK which has a whooping 1GB. FORTUNATELY, you don't have to install it. Just open the ISO and extract "Windows SDK Signing Tools-x86_en-us.msi". It has a merely 400 KB.
Then I built this tiny script file:
prompt $
echo off
cls
copy "my.exe" "my.bak.exe"
"c:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe" sign /fd SHA256 /f MyCertificate.pfx /p MyPassword My.exe
pause
__
What happened after signing my EXE file?
So, after investing some money, I finally signed my EXE file. What happened after that? Nothing... On Win10 I still see the same "untrusted" window with the "Don't run" button. The "Continue" button is still invisible. My program has about 400 downloads per day. Let's wait and see how many downloads are necessary.
Reference https://steward-fu.github.io/website/driver/wdm/self_sign.htm
Note: signtool.exe from Microsoft SDK
1.First time (to make private cert)
Makecert -r -pe -ss YourName YourName.cer
certmgr.exe -add YourName.cer -s -r localMachine root
2.After (to add your sign to your app)
signtool sign /s YourName YourApp.exe
And yet another option, if you're developing on Windows 10 but don't have Microsoft's signtool.exe installed, you can use Bash on Ubuntu on Windows to sign your app. Here is a run down:
https://blog.synapp.nz/2017/06/16/code-signing-a-windows-application-on-linux-on-windows/
Use following link to sign .exe (setup/ installer)file (sign exe/setup file without using Microsoft setup signtool)
https://ebourg.github.io/jsign/#files
sample command java -jar jsign-2.0.jar --keystore keystore.jks" --alias alias --storepass password MyInstaller.exe
Worked for me :)