Due to Windows changing their security policies, we are planning to begin code-signing driver files with the SHA-256 algorithm instead of SHA-1. However, we still want to be able to support older OS's that still require SHA-1 signing.
Using Microsoft's signtool.exe we are able to code sign files successfully with both SHA-1 and SHA-256 digest algorithms using the /fd flag. However, if possible, we would like to sign the file with both algorithms simultaneously. Is this even possible? We would like to avoid having multiple sets of drivers that are signed with different algorithms and determining which set to install based on OS -- which would be our alternative approach.
If anyone has had experience with accomplishing this please explain what approach you took. If this isn't possible, an explanation of why it's impossible would be appreciated.
You can append the second certifcate to the EXE/DLL/SYS by calling signtool sign /as [signing cert parameters] [name of file]
Related
As so far I was using "CAPICOM" for code signing.
But currently using "Platform SDK Redistributable: CAPICOM" link to get this SDK you will see We're sorry, this download is no longer available..
So I was curious what other code signing possibilities are.
As I have a license for the Chilkat software, I was wondering how to use this code signing software.
For this moment I only found this 8 year old answer:
http://www.chilkatforum.com/questions/3757/code-signing
And this reference documentation:
https://www.chilkatsoft.com/refdoc/xChilkatCertRef.html#prop8
But no one examples.
Could somebody help me how to use Chilkat component for codeSigning ?
ps.
For my best would be VBScript example, if not then any other will be fine.
Code signing functionality would require inserting the signature (Authenticode Signature Format) into the Windows PE File Format. Although Chilkat has the ability to create PKCS7/CMS signatures, there is no implementation at this time to do the PE insertion. If Chilkat does it in the future, you will find methods and examples explicitly for code signing.
(The ForCodeSigning property of a Certificate is just an indication of the intended usage of a certificate. It does not imply code signing ability.)
I have been using CAM::PDF perl module for password protection of pdf documents, The default encryption level is 40-bit.
This is not very strong. Is it possible to increase this to at least 128-bit?
I am looking for command line tool that can be used in Linux or Windows with perl.
There is is paid tool verypdf which does this, but before purchasing this want to make sure
if there is perl/open source way to do it without using commercial apps.
Thanks
Raj
pdftk seems to support either 40-bit or 128-bit encryption.
I am developing some freeware applications. Mostly they are written in Java to make them run on multiple systems. Meanwhile I have some thousand users and so it makes a lot of fun.
To make the Java apps easier to run under Windows, I also create executable wrappers using launch4j and installer applications using inno setup.
Now I have problem, because of Windows 8. In former Windows versions the OS just showed up a message by trying to start such an executable which was saying that the exe file comes from an "unknown" vendor. In Windows 8 they made it even harder. There is something like "Windows protected you from this dangerous application!".
So I am highly interested in signing my apps. But I am not willing to pay anything for this as I offer my software for free. Using Google I found the "CAcert" project that allows people to create free certificates. But I haven't found detailed information about the following questions:
can I create certificates to sign executables?
can I create certificates using my company name?
Is there anyone familiar with CAcert?
Or has anyone another hint to solve my problem?
thanks a lot...
Well, you can use use a CAcert certificate to sign your code, but it won't help you. That's because the OS doesn't install the CAcert root certificate.
If you want to stop your users seeing these messages you'll need to obtain a commercial certificate.
I've been asked to redesign our build/sign/release processes. I'm pretty happy with Windows stuff and I've identified several networked-HSM products that will do what we need. They basically integrate directly with CryptoAPI so the people doing the signing can just use signtool.exe as normal.
We currently have a separate Mac team who do their own build/sign/release. This is all working fine on a couple of Mac Minis in one of our DCs. I'd like to protect our Mac software keys as well and so I'm trying to find out how to integrate a networked-HSM into our Mac signing process.
I can't find any good information about this anywhere! So I'm hoping someone in here has done this already and can lessen my pain.
The actual questions are;
1) Can I use a HSM with the standard Mac code-signing tools?
2) Can anyone recommend a vendor/product for the above?
3) Can anyone point me towards some good documentation on Mac code signing and the inner-workings of the Mac crypto infrastructure?
Cheers
BHB
I don't believe any of the major HSM vendors (nCipher, SafeNet, etc.) have any hooks into the Mac code signing tools, nor do I believe Apple exposes any. Your best bet would be to try and determine what the code signing mechanism looks like when performed by the Mac tools and then try and duplicate it yourself manually. However, off the top of my head, I don't recall seeing that the major vendors support OSX-based HSM clients out of the box. I know that SafeNet supports Java via a custom JCE provider. If there's a PKCS#11 interface you can hook into, then you may be able to leverage OpenSSL or another similar toolkit, but it will result in some work for you.
I develop a desktop application for use on Windows, and was wondering how I can get my executables signed so they stop showing those horrible looking warning messages about being from an unknown publisher. I am somewhat familiar with signing binaries before releasing them. I have a Linux port of the same program which is distributed though it's own signed repository (apt-get).
The process for signing windows executables seems extremely complicated and I can't find a simple tutorial on what to do, rather thousands of webpages describing only parts of the process, or which go into way too much depth.
I just need a quick list of steps which are necessary to sign executables under windows. I believe it's called "authenticode".
Tools see MSFT Introduction to Code Signing
edit: you buy a certificate from a provider - most web registrars sell them.
Then simply sign the executable using the msft tools
see http://www.instantssl.com/code-signing/code-signing-process.html