Why does SmartScreen still warn me after signing with an EV certificate?

I recently bought an EV Code Signing Certificate from GoDaddy (they call it a Driver Signing Certificate, but it should be equivalent to an EV certificate, and they also state that the Driver Signing Certificate "Eliminates security warnings during download and installation", i.e. SmartScreen warnings) and signed both my EXE files and my MSI installer using:
signtool.exe sign /v /fd sha256 /td sha256 /tr http://tsa.starfieldtech.com /f Cert.pdf /p password Application.exe/Installer.msi
After downloading the installer (using Chrome/Edge) from one of our servers, however, I still get the SmartScreen warning (it does show the company name, though). EV certificates are supposed to establish instant reputation with SmartScreen, but this one doesn't. Why?

After a chat session with GoDaddy support I now have conflicting information (in relation to the linked post in my original question):
GoDaddy Driver Signing Certificate is not the same as an EV Code Signing Certificate.
GoDaddy Driver Signing Certificate will not remove the SmartScreen warning immediately.
I assume these to be the more correct statements, given that the SmartScreen warning is still shown when trying to install using our signed MSI file.
I assume it would still work given enough time for reputation to be built.

Related

How to codesign with an Extended Validation Code Signing Certificate on Mac

I am trying to codesign with hardware token on Mac.
According to this
https://sectigo.com/knowledge-base/detail/Signing-with-an-Extended-Validation-Code-Signing-Certificate/kA03l000000c4TX
Plug your Token into your computer.
Open SafeNet Tools
Open Command Prompt
Input the following command below: signtool sign /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /a "Path_to_the_file_you_wish_to_sign"
SafeNet should open with a prompt asking users to input your password for the token.
After successfully inputting the password, your application will be successfully signed. At this point, you’re all set to start distributing your application to your end-users! For those wishing to check that the application was successfully signed, please see the steps below.
It worked fine on my Windows.
Now, how do I codesign on Mac?
I am trying like this
$ codesign -s "Your Company, Inc." "/path/to/yourApp.app"
But it says "Warning: unable to build chain to self-signed root for signer xxxx".
this thread on Apple's forum may help solve the issue. It also includes links back to stackoverflow with more solutions. Hope it helps.
apple developer forum thread
About an EV code signing certificate by sectigo.com,
It’s not that it’s not supported per se, just that it doesn’t buy you very much.
and it is recommended to obtain an apple-issued code signing certificate.
I am not sure what it really means, but it seems that I should obtain an apple-issued code signing certificate.

Code Signing Certificate Reputation with SmartScreen Filter

I am using a standard (i.e. not EV) Authenticode code signing certificate to sign a Windows desktop application in the hope that Smartscreen Filter will eventually stop blocking it.
I was hoping to certify the application but since my code signing certificate was issued by GoDaddy it appears that I can't do that since you need a certificate from Symantec, Entrust, GlobalSign, WoSign or Digicert in order to create a Windows Certification Dashboard account (the first step in the certification process).
So here's my question: Will my non-certified Windows application signed with a standard GoDaddy SHA-2 code signing certificate still accumulate reputation?
According to this article, most likely yes, but you need to check the details in your certificate:
https://social.technet.microsoft.com/wiki/contents/articles/51151.microsoft-trusted-root-certificate-program-participants-as-of-january-30-2018.aspx

Unable to sign code with code-signing certificate

We purchased the Microsoft Authenticode certificate from Thawte. Now I have it in a PFX file. I try the following:
D:\sign>signtool sign /f ./cert/cert.pfx /p mypass /t http://timestamp.verisign.com/scripts/timstamp.dll "mySetup.exe"
Done Adding Additional Store
Successfully signed and timestamped: mySetup.exe
But when I run mySetup.exe, it runs as if unsigned and shows "Unknown Publisher".
When I verify the EXE file with SignTool, I get following.
D:\sign>SignTool verify mySetup.exe
SignTool Error: WinVerifyTrust returned error: 0x800B010A
SignTool Error: File not valid: mySetup.exe
Number of errors: 1
What is wrong?
It may be related to the fact that Thawte uses an Intermediate Certificate for signing. They consider this to be within best practices, which I won't argue one way or the other.
From an end user standpoint, however, this can lead to complications. This is a known issue with VSTO (Visual Studio Tools for Office) solutions using ClickOnce, and may be what is affecting you here.
The solution for dealing with this is, sadly, that you will need to add the appropriate Intermediate CA's cert to all end user machines:
Resolution
The workaround to this issue is to include the Intermediate Certificate Authorities’ certificate on all end user machines where the application will be installed. As of now the issue is reported only with the handling of Thawte certificate and would require that Thawte intermediate certificate be installed on the end users machine.
Thawte provides links to the appropriate CA certs for their Intermediate Certificates

Kernel mode code signing

I made a driver, and now I need to sign it. It runs in kernel mode.
From what I've read in Microsoft's Kernel Mode Code Signing Walkthrough, I have to buy a software publisher certificate from a commercial CA. In that document, they say to look at the end, and follow this link for a list of CAs from which I can buy that certificate. I find the link very confusing somehow because I can't figure out exactly what certificate I need to buy. I need to sign the driver so that it will install on 64-bit Windows systems. A direct link would be very welcome (I would like to buy it from GlobalSign).
Is it the Microsoft Authenticode from here?
I asked a similar question in Microsoft Drivers Developers Forum some time ago. This is their answer:
You need to have your company get a code signing certificate from either GlobalSign or VeriSign (the others listed in that link are no longer offered). GlobalSign is cheaper, but Verisign has the advantage of providing access to WHQL if that is of interest to your firm. These are not cheap, the Verisign certificate costs $499 per year. Once you have the cert you can use it instead of the test cert to sign the driver.
Your link contains this information in Supported Platforms: Digitally sign Windows ActiveX controls via Authenticode (32 bit and 64 bit .exe, .ocx, .dll or other) and kernel software for Windows. Windows 7 compatible.
It looks like you are in the right place.
Just to be precise: I have not used the code certification yet, I just learned it. I recommend you to verify this answer in osronline or Microsoft Drivers Developers Forum.
Check out https://www.startssl.com/?app=40 - StartSSL offers such certificates for US$ 199.00
The cross-signed CA certificate is at https://www.startssl.com/certs/ named microsoft.kernel.mode.pem or microsoft.kernel.mode.crt
You can buy a signature from Digicert.
Digicert will issue a cross signing certificate in a zip file. Unzip it
DigiCert High Assurance EV Root CA.crt
Double click it and add it to your IE personal store
Using IE, export the cert, with password to a .pfx file
The command to sign the driver is
signtool sign /t http://timestamp.digicert.com /f "path to .pfx file" /p PASSWORD_OF_PFX "path to driver .cat file"
You can use this same command to sign .exe files
signtool sign /t http://timestamp.digicert.com /f "path to .pfx file" /p PASSWORD_OF_PFX "path to driver .exe file"
Ensure this machine has internet access otherwise the signing process will fail.

Signing a Windows EXE file

I have an EXE file that I should like to sign so that Windows will not warn the end user about an application from an "unknown publisher". I am not a Windows developer. The application in question is a screensaver generated from an application that generates screensaver applications. As such I have no influence on how the file is generated.
I've already found out that I will need a code signing certificate from a CA like Verisign or instantssl.com. What I don't understand is what I need to do (if at all possible) to sign my EXE file. What is a simple explanation?
Mel Green's answer took me further, but signtool wants me to specify what certificate to use in any case. Can I get a free code signing certificate somehow to test if this will work for me at all?
Also please specify which certificate kind is the correct one. Most sites only mention "code signing" and talk about signing applications that are actually compiled by the user. This is not the case for me.
How to sign your app
Use Microsoft's SignTool to sign your app.
You download it as part of the Windows SDK. Note that it's also possible to install SignTool without installing the entire SDK. Once installed you can use SignTool from the command line like so:
signtool sign /a /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 MyFile.exe
This will sign MyFile.exe. Explanation of the used command line options:
/a will automatically use the certificate that is valid for the longest time. If you have no certificate, SignTool will display an error.
/fd SHA256 will use the SHA-256 digest algorithm for the file signature. Using SHA256 is recommended and considered to be more secure than the default SHA1 digest algorithm.
/tr http://timestamp.digicert.com adds a timestamp to your signed apps. This is extremely important because this will allow the signature to remain valid even after the certificate itself has already expired. The argument for the /tr option is a timestamp URL. You can use any of the timestamp URLs from this list of free RFC 3161 timestamp servers.
/td SHA256 will use the SHA-256 digest algorithm for the timestamp signature. As before, using SHA256 is recommended and considered to be more secure.
How and when to use self-signed certificates
If you'd like to get a hold of a certificate that you can use to test your process of signing the executable, you can use MakeCert to create a self-signed certificate.
Once you've created your own certificate and have used it to sign your executable, you'll need to manually add it as a Trusted Root CA for your machine in order for UAC to accept your self-signed certificate as a trusted source. Note that you can only do this on your own development machines. You usually can not do this on your user's computers, since most users will not accept to install a new Root CA for good reasons.
How to get rid of the "unrecognized app" warning
Even if your app is signed, you might still see the following warning message when trying to run the app:
Microsoft Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.
How to avoid this warning is a somewhat complex topic. Please see this answer to get the whole picture about these Microsoft SmartScreen warnings and what you can do and should know about it.
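The answer above says that /fd selects the digest algorithm for "the file signature" and that the timestamp keeps the signature valid past certificate expiry. What /fd actually digests is not the whole file: the Authenticode PE digest skips the CheckSum field, the Certificate Table directory entry and the appended certificate table, which is why signtool can append (or strip) a signature without invalidating the digest the signer committed to. The following is an added example, not code from the answer above or from Microsoft; it computes that digest with the standard library only and attaches/extracts a WIN_CERTIFICATE entry. build_sample_pe() is a constructed PE32+ skeleton (not a runnable executable), and attach_signature() appends whatever blob it is given, so it does not produce a valid signature.

```python
"""Authenticode file digest ("authentihash") of a PE image, stdlib only.

Added example, not code from any answer on this page. The digest excludes
the CheckSum field, the Certificate Table directory entry and the appended
certificate table; everything else (headers, section data in file order,
trailing data) is hashed. build_sample_pe() is a constructed skeleton and
attach_signature() appends an arbitrary blob, not a real PKCS#7 signature.
"""
import hashlib
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def _layout(data: bytes):
    """Return (checksum_off, cert_dir_entry_off, size_of_headers, sections)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    data_dirs = opt + {0x10B: 96, 0x20B: 112}[magic]  # PE32 vs PE32+
    sections = []
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    return opt + 64, data_dirs + SECURITY_DIR * 8, size_of_headers, sorted(sections)


def authentihash(data: bytes, algo: str = "sha256") -> str:
    """Digest exactly what Authenticode signs (the algorithm is what /fd picks)."""
    checksum_off, cert_entry, hdr_size, sections = _layout(data)
    cert_size = struct.unpack_from("<II", data, cert_entry)[1]
    h = hashlib.new(algo)
    h.update(data[:checksum_off])                 # headers up to CheckSum
    h.update(data[checksum_off + 4:cert_entry])   # ... skipping CheckSum ...
    h.update(data[cert_entry + 8:hdr_size])       # ... and the cert dir entry
    hashed = hdr_size
    for ptr, size in sections:                    # section data, file order
        h.update(data[ptr:ptr + size])
        hashed += size
    extra = len(data) - hashed - cert_size        # trailing data minus cert table
    if extra > 0:
        h.update(data[hashed:hashed + extra])
    return h.hexdigest()


def attach_signature(pe: bytes, blob: bytes) -> bytes:
    """Append blob as a WIN_CERTIFICATE (revision 2.0, PKCS_SIGNED_DATA) and
    point the Certificate Table entry at it. Linked images end 8-byte aligned
    (FileAlignment); refuse otherwise instead of hashing silent padding."""
    if len(pe) % 8:
        raise ValueError("image length must be a multiple of 8")
    body = blob + b"\0" * (-len(blob) % 8)
    win_cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    buf = bytearray(pe)
    struct.pack_into("<II", buf, _layout(pe)[1], len(pe), len(win_cert))
    return bytes(buf) + win_cert


def extract_signature(pe: bytes):
    """Return the payload of the first WIN_CERTIFICATE entry, or None if unsigned."""
    off, size = struct.unpack_from("<II", pe, _layout(pe)[1])
    if size == 0:
        return None
    length = struct.unpack_from("<I", pe, off)[0]
    return pe[off + 8:off + length]


def build_sample_pe() -> bytes:
    """Constructed PE32+ with one 64-byte .text section (not a runnable EXE)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)          # PE32+ magic
    struct.pack_into("<I", opt, 60, 368)           # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)    # CheckSum (ignored by digest)
    struct.pack_into("<I", opt, 108, 16)           # NumberOfRvaAndSizes
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 64, 0x1000, 64, 368, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section + bytes(range(64))


if __name__ == "__main__":
    image = build_sample_pe()
    signed = attach_signature(image, b"constructed stand-in for a PKCS#7 blob")
    assert authentihash(image) == authentihash(signed)
    print(authentihash(signed), len(extract_signature(signed)))
```

Running it on a real signed binary (read the file, call authentihash and compare against the digest shown by signtool verify /v) is the quickest way to confirm that a build step after signing did not touch hashed bytes; the digest changes for any section edit but not for a CheckSum fix-up or a re-signing.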
I had the same scenario in my job and here are our findings
The first thing you have to do is get the certificate and install it on your computer, you can either buy one from a Certificate Authority or generate one using makecert.
Here are the pros and cons of the 2 options
Buy a certificate
Pros
Using a certificate issued by a CA (Certificate Authority) will ensure that Windows will not warn the end user about an application from an "unknown publisher" on any computer using the certificate from the CA (the OS normally comes with the root certificates from many CAs)
Cons:
There is a cost involved on getting a certificate from a CA
For prices, see https://cheapsslsecurity.com/sslproducts/codesigningcertificate.html and https://www.digicert.com/code-signing/
Generate a certificate using Makecert
Pros:
The steps are easy and you can share the certificate with the end users
Cons:
End users will have to manually install the certificate on their machines and depending on your clients that might not be an option
Certificates generated with makecert are normally used for development and testing, not production
Sign the executable file
There are two ways of signing the file you want:
Using a certificate installed on the computer
signtool.exe sign /a /s MY /sha1 sha1_thumbprint_value /t http://timestamp.verisign.com/scripts/timstamp.dll /v "C:\filename.dll"
In this example we are using a certificate stored on the Personal folder with a SHA1 thumbprint (This thumbprint comes from the certificate) to sign the file located at C:\filename.dll
Using a certificate file
signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f "c:\path\to\mycert.pfx" /p pfxpassword "c:\path\to\file.exe"
In this example we are using the certificate c:\path\to\mycert.pfx with the password pfxpassword to sign the file c:\path\to\file.exe
Test Your Signature
Method 1: Using signtool
Go to: Start > Run
Type CMD > click OK
At the command prompt, enter the directory where signtool exists
Run the following:
signtool.exe verify /pa /v "C:\filename.dll"
Method 2: Using Windows
Right-click the signed file
Select Properties
Select the Digital Signatures tab. The signature will be displayed in the Signature list section.
I hope this helps
Sources:
https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537361(v=vs.85)
https://www.digicert.com/kb/code-signing/signcode-signtool-command-line.htm
https://learn.microsoft.com/en-us/windows/win32/seccrypto/makecert
https://cheapsslweb.com/comodo-code-signing
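The "Test Your Signature" steps above tell you that a signature is present; the properties that actually matter for the questions on this page (was the file digest SHA-1 or SHA-256, is there a timestamp countersignature from /t or /tr, and does the signer certificate carry the EV code-signing policy OID, as asked in the first question) are buried in the PKCS#7 blob. The following is an added example, not code from this answer, from Microsoft or from any CA: it walks the DER and collects OIDs with the standard library only, without verifying the signature. build_sample_blob() emits a constructed skeleton with the same tag nesting as a real blob, for offline testing only; feed inspect_signature() the bytes of a real WIN_CERTIFICATE payload to use it on a signed file.

```python
"""Inspect an Authenticode PKCS#7 blob for digest algorithm, timestamp
countersignature and EV policy OID. Added example, stdlib only, no signature
verification. build_sample_blob() is a constructed skeleton, not real crypto."""

OID_SHA1 = "1.3.14.3.2.26"
OID_SHA256 = "2.16.840.1.101.3.4.2.1"
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
OID_SPC_INDIRECT = "1.3.6.1.4.1.311.2.1.4"
OID_RFC3161_TS = "1.3.6.1.4.1.311.3.3.1"   # unsigned attribute written by /tr
OID_COUNTERSIG = "1.2.840.113549.1.9.6"    # legacy countersignature written by /t
OID_CERT_POLICIES = "2.5.29.32"
OID_EV_CODESIGN = "2.23.140.1.3"           # CA/Browser Forum EV code-signing policy
OID_OV_CODESIGN = "2.23.140.1.4.1"         # CA/Browser Forum non-EV code-signing policy


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in PKCS#7")
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(raw: bytes) -> str:
    arcs, value = [], 0
    for byte in raw:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]                        # first two arcs share one value
    lead = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(map(str, lead + tuple(arcs[1:])))


def collect_oids(buf: bytes, start: int = 0, end=None) -> list:
    """All OIDs in buf[start:end], descending into constructed values and into
    OCTET STRINGs that are themselves well-formed DER (X.509 extensions such as
    certificatePolicies store their value that way). Partial parses are dropped."""
    end = len(buf) if end is None else end
    found, pos = [], start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        if vend > end:
            raise ValueError("truncated DER")
        if tag == 0x06:
            found.append(decode_oid(buf[vstart:vend]))
        elif tag & 0x20:
            found.extend(collect_oids(buf, vstart, vend))
        elif tag == 0x04:
            try:
                found.extend(collect_oids(buf, vstart, vend))
            except (ValueError, IndexError):
                pass                       # opaque octets (a digest, a signature)
        pos = vend
    return found


def inspect_signature(blob: bytes) -> dict:
    oids = set(collect_oids(blob))
    if OID_SIGNED_DATA not in oids or OID_SPC_INDIRECT not in oids:
        raise ValueError("not an Authenticode SignedData blob")
    return {
        "uses_sha1": OID_SHA1 in oids,
        "uses_sha256": OID_SHA256 in oids,
        "timestamped": OID_RFC3161_TS in oids or OID_COUNTERSIG in oids,
        "rfc3161": OID_RFC3161_TS in oids,
        "ev_policy": OID_EV_CODESIGN in oids,
    }


def der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def build_sample_blob(digest_oid=OID_SHA256, timestamped=True, ev=False) -> bytes:
    """Constructed skeleton: real tag nesting, dummy digests, no real signature."""
    alg = der(0x30, encode_oid(digest_oid) + b"\x05\x00")
    spc = der(0x30, encode_oid(OID_SPC_INDIRECT) + der(0xA0, der(0x30, alg + der(0x04, b"\0" * 32))))
    ext = der(0x30, encode_oid(OID_CERT_POLICIES) + der(0x04, der(0x30, der(0x30, encode_oid(OID_EV_CODESIGN if ev else OID_OV_CODESIGN)))))
    cert = der(0xA0, der(0x30, der(0x30, der(0xA3, der(0x30, ext)))))
    unsigned = der(0xA1, der(0x30, encode_oid(OID_RFC3161_TS) + der(0x31, der(0x30, b"")))) if timestamped else b""
    signer = der(0x30, alg + der(0x04, b"\xAA" * 16) + unsigned)
    return der(0x30, encode_oid(OID_SIGNED_DATA) + der(0xA0, der(0x30, der(0x31, alg) + spc + cert + der(0x31, signer))))


if __name__ == "__main__":
    print(inspect_signature(build_sample_blob()))
    print(inspect_signature(build_sample_blob(OID_SHA1, timestamped=False, ev=True)))
```

A blob that reports uses_sha1 or timestamped False is the one to fix first: re-sign with /fd sha256 and /tr (with /td sha256), since an untimestamped signature stops validating when the certificate expires, whatever reputation it has gathered.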
You can get a code-signing certificate from Certum if you're doing open source development. I've been using their certificate for over a year, and it does get rid of the unknown publisher message from Windows. Price history:
2005 - €14.00
2019 - €25.00
2022 - €69.00
As far as signing code I use signtool.exe from a script like this:
signtool.exe sign /t http://timestamp.verisign.com/scripts/timstamp.dll /f "MyCert.pfx" /p MyPassword /d SignedFile.exe SignedFile.exe
Another option, if you need to sign the executable on a Linux box is to use signcode from the Mono project tools. It is supported on Ubuntu.
The ASP's magazine ASPects has a detailed description on how to sign code (You have to be a member to read the article). You can download it through http://www.asp-shareware.org/
Here's a link to a description of how you can make your own test certificate.
This might also be interesting.
This is not a direct answer to the question, but it is closely related (and useful I hope) since sooner or later any individual programmer will have put his hand into the wallet.
So, prices for EV (Extended Validation) Code Signing Certificates, sorted by price:
AboutSSL
$240/Year (clickbait price)
$287/Year (real price, after coupon)
KSoftware.net
1 Year $350 + ($50 hidden fee!)
2 Year $600
3 Year $750
OV: $84 per year (for 3 years)
I purchased from them an EV. Some years later I purchased an OV. The eToken was sent on a USB stick. No reader needed. They are only intermediary. In the end, you actually purchase from Comodo (Sectigo).
Sectigo is veeeeerrry slow.
The second time, the verification took two full months. The phone verification failed multiple times. Everything was cumbersome. The tech support didn't have a clue about what is going on, probably just a guy in Pakistan reading through some script.
Sklep.certum.pl
1 Year 379 euro
(seems to be for Poland users only)
LeaderSsl.de
1 Year 364 euro or 307 euro (+19%VAT)
(OV 69+VAT)
Sectigo.com
1 Year $499 USD
3 Year $897 USD
GlobalSign.com
1 Year $410 total
2 Years $760 total
3 Years $950 total
Digicert.com
1 Year: $600 (it was $104)
3 Year: ?
symantec.com
1 Year: $700
3 Years: ridiculously expensive
More prices here:
cheapsslsecurity.com CodeSigning EV
cheapsslsecurity.com SSL only!
EV vs OV
With EV, nine additional steps are required including verifying a businesses’ public phone number, length of time in business, registration number and jurisdiction, as well as a domain fraud check, contact blacklist check and a telephone call to authenticate the employment status of the requestor.
Some recommend submitting a program signed with OV to Microsoft to be checked with their antivirus.
IF YOU FIND CHEAPER PRICES, let me know, and I will update the list!
How to use the certificate?
To sign the exe file, I used MS signtool.exe. For this you will need to download the bloated MS Windows SDK, which is a whopping 1 GB. FORTUNATELY, you don't have to install it. Just open the ISO and extract "Windows SDK Signing Tools-x86_en-us.msi". It is a mere 400 KB.
Then I built this tiny script file:
prompt $
echo off
cls
copy "my.exe" "my.bak.exe"
"c:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe" sign /fd SHA256 /f MyCertificate.pfx /p MyPassword My.exe
pause
What happened after signing my EXE file?
So, after investing some money, I finally signed my EXE file. What happened after that? Nothing... On Win10 I still see the same "untrusted" window with the "Don't run" button. The "Continue" button is still invisible. My program has about 400 downloads per day. Let's wait and see how many downloads are necessary.
Reference https://steward-fu.github.io/website/driver/wdm/self_sign.htm
Note: signtool.exe from Microsoft SDK
1. First time (to make a private cert)
Makecert -r -pe -ss YourName YourName.cer
certmgr.exe -add YourName.cer -s -r localMachine root
2. After (to add your signature to your app)
signtool sign /s YourName YourApp.exe
And yet another option, if you're developing on Windows 10 but don't have Microsoft's signtool.exe installed, you can use Bash on Ubuntu on Windows to sign your app. Here is a run down:
https://blog.synapp.nz/2017/06/16/code-signing-a-windows-application-on-linux-on-windows/
Use the following link to sign an .exe (setup/installer) file without using Microsoft's signtool:
https://ebourg.github.io/jsign/#files
Sample command: java -jar jsign-2.0.jar --keystore keystore.jks --alias alias --storepass password MyInstaller.exe
Worked for me :)
