I am trying to sign a .exe file using signtool's digest signing option with several signatures while appending them.
For each signature I am using /dg to create the digest, then /ds to sign it and then /di to ingest it and sign the .exe file.
Didn't quite understand how and when to use /as. Should it replace the next /di step? Should it be done after?
Thanks!
Related
I am using OpenSSL (from https://slproweb.com/products/Win32OpenSSL.html) to decrypt a file retrieved from external sftp site. The external site is publishing new files daily, each with new filenames. At the moment when the file is downloaded I have to manually go into Openssl.exe and type the following each time
C:\OpenSSL-Win64\bin\openssl.exe cms –decrypt –inkey C:\key.pem –recip C:\cert.pem –inform DER –in \\server01\filename.xml.crypt –out \\server01\Decrypt\filename.xml
I tried putting this in a batch file (*.bat) but when I ran that it did not work. The only thing that I have managed to get to work is the manual process described above.
Is there a way to automate this and avoid having to manually type the whole code above? I should mention the filename.xml.crypt is actually normally around 100 characters long...
Ideally looking at a windows batch file, or something similar?
Sorry if this is a stupid question!
TIA
Hamez
I'm also having the exact same issues. The hyphen '-' is being converted to the accented u (i.e. -recip, -inform etc). No doubt we've all copied it from a webpage and that has altered the code base of the hyphen. I've just manually inputted the - for all the command line parameters and now it's worked.
Universal Windows apps are in .appx file, which is simply a zip of a bunch of files and metadata. Most of the metadata files are extensively documented on the Microsoft website and are trivial to parse and/or regenerate. However AppxSignature.p7x remains a mystery.
From this diagram (source):
AppxSignature.p7x should have hashes of the AppxBlockMap.xml, content & directory hashes, and a signature. However I cannot find any documentation of the AppxSignature.p7x file itself. Ideally I would like to use an alternative tool to produce and verify this signature, e.g. openssl/gnutls or similar. A practical use for this is to update and repackage apps on Linux, and prepare .appxupload file for the Windows Store.
As described in the blog post you link to, the AppxBlockMap.xml file stores cryptographic block hashes for every file in the package. This file is verified and secured with a digital signature when the package is signed using authenticode.
So, on windows, you have two tools:
MakeAppx.exe that creates the package (.zip format) and the blockmap file at the same time. This is important, as what's in the block map corresponds closely to the .zip file bits, you can't just any zipping tool for this step, you must program the zip/app package creation using some ZIP API.
SignTool.exe that adds the signature to the package using "standard" authenticode.
With the Windows API you can do the same as MakeAppx using the
Packaging API and you can do the same as SignTool using The SignerSign function.
The whole MakeAppx process is not documented IMHO, but the blockmap schema is in fact described here: Package block map schema reference which is relatively easy to understand.
The Authenticode signature for PE document is documented here: Windows Authenticode Portable Executable Signature Format
But it's only for PE (.dll, .exe, etc.) files (note it's also possible to sign .CAB files), and I don't think how SignerSign builds AppxSignature.p7x is documented. However, there is an open source tool here that does it here: https://github.com/facebook/fb-util-for-appx. You will notice this file https://github.com/facebook/fb-util-for-appx/blob/master/PrivateHeaders/APPX/Sign.h that declares what should be used as input for signing. I have no idea where they got that information.
The P7X format is just 0x504B4358 ("PKCX") followed by PKCS #7 data in the DER format. DER is described by ASN.1.
I'm using Objective C with the native webkit GUI option for my Cocoa-based application, and using file:// URLs to load my GUI. Is there a way that at compile time I can generate a CRC value on my html folder and save it in a plist so that when the application loads, it can validate the CRC to ensure the directory hasn't been tampered with since the HTML is plain text and modifiable?
I know that I can manually do this with a Bash script, but wanted to know how to setup XCode to do this during compiling.
Note: Of course I would kind of sha256 hash or AES256 encrypt this with a salt so that someone couldn't just generate their own very easily.
If you already have a script for this, you can simply create a run script phase for this build target and put add the script to it.
Can you tell me how to generate a checksum/hash for a .tar archive with a php script of mine that I offer for download? I mainly want this as integrity verification mechanism. Is there any free/simple/alternative way instead of obtaining a code signing certificate (eg Comodo)? Thanks.
Edit: I don't know if this makes any sense/is applicable, but I don't want to sign every file one by one, just the result .tar archive.
Well some open-source projects like the Apache Webserver give out SHA1-sums and additionally release a GPG/PGP signature. You can use gnupg for that which is free.
You create a key-pair and share the public-key (on the website or with a key-server like http://pgp.mit.edu/) and keep the private-key on your side. The private-key is used for signing the .tar and your users can then verify the .tar with the public-key.
Just generate an sha1 hash of the archive using the unix command line tool sha1sum filename.tar or any other program or tool that generates hashes. Then when you offer your file for download also list the output of that command, and once users download the archive they can do the same thing and if the outputs match, the files are the same.
My installer build "signs" a DLL using a Code Signing certificate during the build process.
I've noticed that if I try to build twice in succession, the second build fails because the DLL is already signed so signcode chokes. Obviously I can fix this by signing a copy of the DLL in the build, but the problem intrigued me:
Is it possible to "unsign" a DLL, and if not, why not...?
signtool remove /s C:\path\to.exe.or.dll
signtool is available in Windows SDK, and must be at least from Windows 8 SDK kit (version 6.2.9200.20789) to have the remove command supported.
You can use delcert.exe from the this XDA Forum post.
here is a small tool that strips (removes) digital sign (Authenticode)
from PE executable files like *.exe, *.dll, *.mui, etc.
It's fairly easy to remove the signature from a .dll file using the ImageRemoveCertificate API.
You don't have any language specified in your tags but this article shows how to implement it in C#. Remove digital signature from a file using C#
Other than that, if you are looking for a simple tool to do the work for you, you can use FileUnsigner.
Another possible option is to switch to the SignTool.exe. It comes with the Windows SDK and signing a binary that has already been signed does not generate an error. I use signtool.exe in my build process and haven't any difficulties with it, even when something is already signed.
Also, check out the question What's the main difference between signcode.exe and signtool.exe?
Sure it's possible, but not trivial.
Although it would be easier to save a copy of the presigned DLL.
This digital signature is little more than an extra section appended to the end of a PE file. You could write a program that deleted the signature, if you want.
It's not quite as simple as truncating the file; you have to remove references to the signature in the file header. It could get complicated if the DLL has multiple signatures and you just want to remove one.
The format of a PE file is publicly documented here
Check if your build tool supports "Re-signing". This should replace all existing signatures.
If not, you can use Stud_PE to remove the signature block.
Open the DLL or EXE in Stud_PE, go to the sections tab, right click the digital signature section and select "Delete section". However, this needs user interaction. Old versions of the tool could destroy the file.