creating a key and signing executable with signtool - code-signing

How would I sign a Visual C# executable?
SignTool.exe can't find a certificate.
How would I create a self signed key and certificate, and have signtool be able to see the certificate and use it?
OpenSSL and Visual Studio 2010 Express are installed. Running Windows 7 Ultimate x64.
Using SignTool.exe from Windows Driver Kit.

Using self-signed certificates for digitally signing your binaries pretty much goes against the concept of using digital certificates with programs. The basic idea is to prove the code was created by you (authenticity) and has not been modified since you released it (integrity). This must be done by using a signed certificate that is signed by a trusted Certificate Authority (CA).
With .Net, when a binary is digitally signed, it is automatically verified for integrity and authenticity during startup. While I have not personally tested this, using a self-signed certificate is probably going to cause you a great deal of problems.
If you want to digitally sign your programs, you need to invest in a code signing certificate from a CA. There are a number of companies out there that can provide this service (Verisign, Thawte), for a fee.
While the fee might seem a bit extreme in price, remember that you are not just purchasing a digital certificate but also 24/7 validation of that certificate. Any time someone starts your program it will ensure the program was written by you and that the program has not been changed since you released it.
Once you have a certificate, you can digitally sign your program by following the steps in How to: Sign Application and Deployment Manifests.
Update: If this program is strictly an internal application (limited to you or your business), you can create your own CA. Since you would be the only one running it, only you would need to validate it. The CA certificate would need to be installed as a Trusted Root Certificate on all the machines that would run the program (or if you have access to Windows Server, you could set up a real working CA).
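
The internal-CA route described in the update above, as an added example (not code from the original answer). It assumes Windows 10 or Server 2016 or later with the PKI PowerShell module, an elevated prompt, and signtool.exe on PATH; the subject names and file paths are placeholders, and the timestamp URL is the one quoted in a later answer on this page.

```powershell
# Added example: subjects, paths and file names are placeholders.
$ErrorActionPreference = 'Stop'
$exe     = 'C:\build\MyApp.exe'                  # placeholder binary to sign
$rootCer = Join-Path $env:TEMP 'ExampleInternalRoot.cer'

# 1. Internal root CA: may sign certificates and CRLs only; the key is not exportable.
$root = New-SelfSignedCertificate -Type Custom -Subject 'CN=Example Internal Root CA' `
    -KeyUsage CertSign, CRLSign -KeyUsageProperty Sign `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0') `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyExportPolicy NonExportable -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. Code-signing certificate issued by that root (carries the Code Signing EKU).
$signer = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example Internal Code Signing' -Signer $root `
    -KeyAlgorithm RSA -KeyLength 3072 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2) -CertStoreLocation 'Cert:\CurrentUser\My'

# 3. Export only the root's public certificate and trust it machine-wide.
#    Repeat the import on every machine that will run the program.
Export-Certificate -Cert $root -FilePath $rootCer | Out-Null
Import-Certificate -FilePath $rootCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4. Sign. signtool looks in the current user's "My" store and selects the
#    certificate by its SHA-1 thumbprint; the timestamp needs internet access.
& signtool.exe sign /fd SHA256 /sha1 $signer.Thumbprint `
    /tr http://timestamp.digicert.com /td SHA256 $exe
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 5. Verify against the local trust stores.
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid') { throw "Signature not valid: $($sig.StatusMessage)" }
"{0} signed by {1}" -f $exe, $sig.SignerCertificate.Subject
```

On a machine where the root has not been imported, step 5 reports the same untrusted-root condition that an unknown self-signed certificate produces.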

Related

Is it useless to sign my Windows application with a self signed certificate?

I have coded an NWjs Windows application (Chromium application) and using Inno Setup, I have signed it using a self-signed certificate. However, I get the "Windows protected your PC" message when trying to install it from the web. I wonder now if signing my application with this self-signed certificate is useless because I get the same result when I don't sign the application and package it as it is.
When I click "more info" it states that the publisher is unknown in both cases when I sign the application with a self-signed certificate and without a self-signed certificate.
I wonder if, after some time, the data (like the CN of the subject) of the certificate helps to get some reputation when the application is distributed on the internet. I wonder if a self-signed certificate helps to get rid of the "Windows protected your PC" message after some time.
Self-signed certificates are useful only if you can make them trusted on the target machine by deploying them to the Windows certificate store before installation.
If you want your application to be installed on machines that you do not control, self-signed certificates are useless.
I wonder if a self-signed certificate helps to get rid of the "Windows protected your PC" message after some time.
No. Since everyone can generate a certificate himself, Windows cannot trust all of them and therefore cannot remove the message.
However, it can still be a good idea to sign an executable with your own certificate, if you publish the public key and provide it for people to check whether or not the executable was indeed provided by you. It will be useful for people with some IT or security knowledge.

Code Signing Certificate Reputation with SmartScreen Filter

I am using a standard (i.e. not EV) Authenticode code signing certificate to sign a Windows desktop application in the hope that Smartscreen Filter will eventually stop blocking it.
I was hoping to certify the application but since my code signing certificate was issued by GoDaddy it appears that I can't do that since you need a certificate from Symantec, Entrust, GlobalSign, WoSign or Digicert in order to create a Windows Certification Dashboard account (the first step in the certification process).
So here's my question: Will my non-certified Windows application signed with a standard GoDaddy SHA-2 code signing certificate still accumulate reputation?
According to this article, most likely yes, but you need to check the details in your certificate:
https://social.technet.microsoft.com/wiki/contents/articles/51151.microsoft-trusted-root-certificate-program-participants-as-of-january-30-2018.aspx

VeriSign Class 3 certificate not trusted by Windows?

I distribute a Windows desktop app which has all executable files digitally signed by a Verisign Class 3 Code Signing certificate. For the vast majority of users, this seems to work fine.
However a small number of users report the certificate is invalid. They say it comes up with the message "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider". This corresponds to error code CERT_E_UNTRUSTEDROOT (0x800B0109). This has also been reported on a fully-updated Windows 7 machine. So presumably my certificate is OK, but Windows sometimes doesn't trust VeriSign certificates.
Why does Windows sometimes not trust VeriSign? Is there anything I can add to my installer (also signed) which will tell Windows to trust the certificate?
There are frequent updates of the Root Certificates which Microsoft rolls out via Windows Update, but which are tagged as "optional update". Hence not all users may have them installed and may need to install them manually. This also holds for "fully updated" machines, as the automatic installation is often set to only install "important updates", which the Root Certificate updates are not.
Depending on the type of desktop application, you may have to follow certain rules when signing, too. For example, applications interacting with the Windows Security Center require essentially the same signing method as drivers. That is, the certificate chain gets embedded along with the signature (/ac switch to signtool). You can get the MSCV-VSClass3.cer applicable to VeriSign certificates here.
The process is often called cross-signing, which seems to be a misnomer. While this is one step in getting your driver binary or catalog cross-signed, the vital step is that Microsoft signs the driver (or more usually the catalog file these days), which is the actual cross-signing.
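
A way to check on an affected machine whether the failure is the missing-root case described above, as an added example that is not part of the original answer. The function name Get-SignatureRootTrust and the sample path are hypothetical; the code relies only on Get-AuthenticodeSignature and the .NET X509Chain class.

```powershell
# Added example; Get-SignatureRootTrust is a hypothetical helper name.
function Get-SignatureRootTrust {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        return [pscustomobject]@{ File = $Path; Signature = $sig.Status
            Finding = 'No signer certificate (unsigned or unsupported format)' }
    }

    $x509  = 'System.Security.Cryptography.X509Certificates'
    $chain = New-Object "$x509.X509Chain"
    # Isolate the trust question: ignore revocation and validity-period errors.
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'IgnoreNotTimeValid'
    try {
        # Certificates embedded in the signature help build the path to the root.
        $embedded = New-Object "$x509.X509Certificate2Collection"
        $embedded.Import($Path)
        $chain.ChainPolicy.ExtraStore.AddRange($embedded)
    } catch { Write-Verbose "Could not read embedded certificates: $_" }

    $trusted = $chain.Build($sig.SignerCertificate)
    $top     = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $flags   = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $inStore = [bool](Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { $_.Thumbprint -eq $top.Thumbprint })

    $finding = if ($trusted) {
        'Chain ends in a root this machine trusts'
    } elseif ($flags -contains 'UntrustedRoot') {
        'Root is not in the Trusted Root store (CERT_E_UNTRUSTEDROOT case)'
    } elseif ($flags -contains 'PartialChain') {
        'Chain is incomplete: an issuer certificate could not be found'
    } else {
        'Chain failed for another reason; inspect ChainStatus'
    }

    [pscustomobject]@{
        File = $Path; Signature = $sig.Status; Finding = $finding
        TopOfChain = $top.Subject; TopThumbprint = $top.Thumbprint
        TopInRootStore = $inStore; ChainStatus = $flags -join ', '
    }
}

Get-SignatureRootTrust -Path 'C:\Program Files\ExampleApp\app.exe'   # placeholder path
```

Comparing the output from a working machine and a failing one shows whether only the root store differs, which is the situation the optional root certificate updates would fix.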

Sign application with a certificate in ClickOnce deployment

For my Windows-based application, I would like to use ClickOnce as the deployment technology. My application will be distributed via the Internet.
In the article ClickOnce and Authenticode, I read that:
For ClickOnce applications, you must have an Authenticode certificate that is valid for code signing. You can obtain a certificate for code signing in one of three ways:
1. Purchase one from a certificate vendor.
2. Receive one from a group in your organization responsible for creating digital certificates.
3. Generate your own certificate with MakeCert.exe, which is included with the Windows Software Development Kit (SDK).
In my case, number 2 is not applicable.
As I read a few rows later:
By default, ClickOnce applications signed with self-certs and deployed over the Internet cannot utilize Trusted Application Deployment.
(Emphasis mine.)
I cannot understand the meaning of this by default. Is the option #3 possible or not in my case?
And then, to understand all the possibilities, what does the #1 imply? ("Purchase one from a certificate vendor") What kind of certificate should I buy? Which certificate authority can be recommended? Depending on what I should choose? How much does a certificate cost?
It must be a "Microsoft Authenticode Certificate". It allows us to sign all kinds of Windows executables and code, including .exe, .cab, .dll, .ocx, and .xpi files.
It is not mandatory to sign an application, but if we do it our users won’t see a warning message stating that the author of the software is unknown.
Microsoft Authenticode Certificates need to be issued by a trusted certificate authority. Unfortunately, the prices are quite expensive. More information and some examples are on the page Microsoft Authenticode Certificates.
UPDATE I purchased the certificate through KSoftware, which is a Comodo retailer. The price is quite good compared to alternatives: $95/year. The process is faster than I expected: I applied in the morning and in the evening my certificate was already available. (For those interested, I followed this step-by-step guide.)
See my answer to Stack Overflow question How to sign a ClickOnce application.
I would definitely suggest getting a proper code-signing certificate - your application install screen will look much nicer in this case.
StartCom CA is closed since Jan. 1st, 2018. I got my code-signing certificate from http://startssl.com - and it was $100 or so in total (and you get a wild-card domain certificate for your website as well as a bonus).
It's much cheaper than going with VeriSign or TrustWave.

Kernel mode code signing

I made a driver, and now I need to sign it. It runs in kernel mode.
From what I've read in Microsoft's Kernel Mode Code Signing Walkthrough, I have to buy a software publisher certificate from a commercial CA. In that document, they say to look at the end, and follow this link for a list of CAs from which I can buy that certificate. I find the link very confusing somehow because I can't figure out exactly what certificate I need to buy. I need to sign the driver so that it will install on 64-bit Windows systems. A direct link would be very welcome (I would like to buy it from GlobalSign).
Is it the Microsoft Authenticode from here?
I asked a similar question in Microsoft Drivers Developers Forum some time ago. This is their answer:
You need to have your company get a code signing certificate from either GlobalSign or VeriSign (the others listed in that link are no longer offered). GlobalSign is cheaper, but Verisign has the advantage of providing access to WHQL if that is of interest to your firm. These are not cheap, the Verisign certificate costs $499 per year. Once you have the cert you can use it instead of the test cert to sign the driver.
Your link contains this information in Supported Platforms: Digitally sign Windows ActiveX controls via Authenticode (32 bit and 64 bit .exe, .ocx, .dll or other) and kernel software for Windows. Windows 7 compatible.
It looks like you are in the right place.
Just to be precise: I have not used the code certification yet, I just learned it. I recommend that you verify this answer in osronline or Microsoft Drivers Developers Forum.
Check out https://www.startssl.com/?app=40 - StartSSL offers such certificates for US$ 199.00
The cross-signed CA certificate is at https://www.startssl.com/certs/ named microsoft.kernel.mode.pem or microsoft.kernel.mode.crt
You can buy a signature from Digicert.
Digicert will issue a cross signing certificate in a zip file. Unzip it:
DigiCert High Assurance EV Root CA.crt
Double click it and add it to your IE personal store.
Using IE, export the cert, with password, to a .pfx file.
The command to sign the driver is:
signtool sign /t http://timestamp.digicert.com /f "path to .pfx file" /p PASSWORD_OF_PFX "path to driver .cat file"
You can use this same command to sign .exe files:
signtool sign /t http://timestamp.digicert.com /f "path to .pfx file" /p PASSWORD_OF_PFX "path to driver .exe file"
Ensure this machine has internet access, otherwise the signing process will fail.
