Kernel mode code signing - code-signing

I made a driver, and now I need to sign it. It runs in kernel mode.
From what I've read in Microsoft's Kernel Mode Code Signing Walkthrough, I have to buy a software publisher certificate from a commercial CA. In that document, they say to look at the end, and follow this link for a list of CAs from which I can buy that certificate. I find the link very confusing somehow because I can't figure out exactly what certificate I need to buy. I need to sign the driver so that it will install on 64-bit Windows systems. A direct link would be very welcome (I would like to buy it from GlobalSign).
Is it the Microsoft Authenticode from here?

I asked a similar question in Microsoft Drivers Developers Forum some time ago. This is their answer:
You need to have your company get a code signing certificate from either GlobalSign or VeriSign (the others listed in that link are no longer offered). GlobalSign is cheaper, but Verisign has the advantage of providing access to WHQL if that is of interest to your firm. These are not cheap, the Verisign certificate costs $499 per year. Once you have
the cert you can use it instead of the test cert to sign the driver.
Your link contains this information in Supported Platforms: Digitally sign Windows ActiveX controls via Authenticode (32 bit and 64 bit .exe, .ocx, .dll or other) and kernel software for Windows. Windows 7 compatible.
It looks like you are in the right place.
Just to be precise: I have not used the code certification yet, I just learned it. I recommend you to verify this answer in osronline or Microsoft Drivers Developers Forum.

Check out https://www.startssl.com/?app=40 - StartSSL offers such certificates for US$ 199.00
The cross-signed CA certificate is at https://www.startssl.com/certs/ named microsoft.kernel.mode.pem or microsoft.kernel.mode.crt

You can buy a signature from Digicert.
Digicert will issue a cross signing certificate in a zip file. Unzip it
DigiCert High Assurance EV Root CA.crt
Double click it and add it to your IE personal store
Using IE, export the cert, with password to a .pfx file
The command to sign the driver is
signtool sign /t http://timestamp.digicert.com /f "path to .pfx file" /p PASSWORD_OF_PFX "path to driver .cat file"
You can use this same command to sign .exe files
signtool sign /t http://timestamp.digicert.com /f "path to .pfx file" /p PASSWORD_OF_PFX "path to driver .exe file"
Ensure this machine has internet access otherwise the signing process will fail.

Related

Why does SmartScreen still warn me after signing with an EV certificate?

I recently bought an EV Code Signing Certificate from GoDaddy (they call it a Driver Signing Certificate though, but it should be equivalent to an EV certificate and they also state that the Driver Signing Certificate "Eliminates security warnings during download and installation" aka SmartScreen warnings) and signed both my EXE files and MSI installer using:
signtool.exe" sign /v /fd sha256 /td sha256 /tr http://tsa.starfieldtech.com /f Cert.pdf /p password Application.exe/Installer.msi
After downloading the installer (using Chrome/Edge) from one of our servers I still get the SmartScreen warning, however (it shows the company name, though)? EV certificates are supposed to establish instant reputation with SmartScreen, but it doesn't - why?
After a chat session with GoDaddy support I now have conflicting information (in relation to the linked post in my original question):
GoDaddy Driver Signing Certificate is not the same as an EV Code Signing Certificate.
GoDaddy Driver Signing Certificate will not remove the SmartScreen warning immediately.
I assume this to be the more correct statements given that the SmartScreen warning is still shown when trying to install using our signed MSI file.
I assume it would still work given enough time for reputation to be built.

Code Signing with a Certum certificate

I want to sign a static .exe build of one of my Open Source programs so that it will be executable in a "normal" manner to a "normal" Windows user.
I bought an Open Source Code Signing Certificate from certum.eu to be able to do this.
After some searching on the internet, I tried to sign the exe file using osslsigncode 1.7.1 on my Linux maching using
osslsigncode sign -pkcs12 cert.p12 -pass "..." -h sha2 -t http://timestamp.verisign.com/scripts/timstamp.dll -in some.exe -out some-signed.exe
Having somebody testing it on Windows 10, a rough warning pops up: "Windows protected your PC. Windows SmartScreen prevented an unrecognized app
from starting. Running this app might put your PC at risk."
So I tried to use the native Windows tool signtool.exe to sign it. I installed it in my old virtual Windows XP (where I also compiled the program; I don't have access to any other Windows machine) and signed the exe file with
"C:\Programme\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe" sign /f C:\cert.p12 /p "..." /t http://timestamp.verisign.com/scripts/timstamp.dll C:\some.exe
This tool also said everything was okay, but still, the very same warning pops up.
This way, the certificate is simply useless, as the "signed" exe file does produce the very same warning as the unsigned one. I would greatly appreciate help about this.
Short answer: Wait a couple of days and the problem will disappear.
I had the same issue with my Certum certificate earlier this year. And a few years ago, I had a commercial certificate I got from Comodo and it initially had the same issue as well.
The bottom line is that your new certificate and signed binaries needs some time to gain trust and auto-verified by Microsoft's code-signing reputation service.
Start distributing your signed exe to as many PC as you can and do the "advanced" option to force the exe to run anyway. That might help bump the reputation up faster.

The signed MSI-package isn't liked by Windows

I have prepared my MSI package using the Advanced Installer and then signed it using the SignTool:
signtool sign /debug /f "cert.pfx" /fd SHA256
/p "<pass>" /t http://timestamp.comodoca.com/authenticode "<file.msi>"
But, when other user is downloading the signed MSI via web-browser and to install it, the next message occurs:
My MSI has the next attributes:
digital signature, which was generated with paid/commercial
certificate (Comodo)
timestamp
there was used SHA-256 instead of SHA-1, because the last one is insecure in latest Windows
So, the main question is the next:
Why doesn't Windows recognize my signed MSI as well-known, if I have signed it with the commercial code-signing certificate?
PS
If you're interested in, which the version of Windows is used, then answer is the latest Windows 10.
About last one option from list, there is an interesting link, I shall quote some text from it:
Effective January 1, 2016, Windows (version 7 and higher) and Windows
Server will no longer trust new code that is signed with a SHA-1 code
signing certificate for Mark-of-the-Web related scenarios (e.g. files
containing a digital signature) and that has been time-stamped with a
value greater than January 1, 2016. This cut-off date applies to the
code-signing certificate itself.
SmartScreen Protection can show the above message when you try to run a newly released program or an application that has not yet established a reputation.
Reputation is established by SmartScreen® service intelligence algorithms based on how an application is used by Windows and Internet Explorer users.
For details, check the passing the smart screen on Win8 when install a signed application? thread that debates this subject.

creating a key and signing executable with signtool

How would I sign a Visual C# executable?
SignTool.exe can't find a certificate.
How would I create a self signed key and certificate, and have signtool be able to see the certificate and use it?
OpenSSL and Visual Studio 2010 Express are installed. Running Windows 7 Ultimate x64.
Using SignTool.exe from Windows Driver Kit.
Using self-signed certificates for digitally signing your binaries pretty much goes against the concept of using digital certificates with programs. The basic idea is to prove the code was created by you (authenticity) and has not been modified since you released it (integrity). This must be done by using a signed certificate that is signed by a trusted Certificate Authority (CA).
With .Net, when a binary is digitally signed, it is automatically verified for integrity and authenticity during startup. While I have not personally tested this, using a self-signed certificate is probably going to cause you a great deal of problems.
If you want to digitally sign your programs, you need to invest in a code signing certificate from a CA. There are a number of companies out there that can provide this service (Verisign, Thawte), for a fee.
While the fee might seem a bit extreme in price, remember that you are not just purchasing a digital certificate but also 24/7 validation of that certificate. Any time someone starts your program it will ensure the program was written by you and that the program has not been changed since you released it.
Once you have a certificate, you can digitally sign your program by following the steps in How to: Sign Application and Deployment Manifests.
Update: If this program is strictly an internal application (limited to you or your business), you can created your own CA. Since you would be the only one running it, only you would need to validate it. The CA certificate would need to be installed as a Trusted Root Certificate on all the machines that would run the program (or if you have access to Windows Server, you could set up a real working CA).

Signing a Windows EXE file

I have an EXE file that I should like to sign so that Windows will not warn the end user about an application from an "unknown publisher". I am not a Windows developer. The application in question is a screensaver generated from an application that generates screensaver applications. As such I have no influence on how the file is generated.
I've already found out that I will need a code signing certificate from a CA like Verisign or instantssl.com. What I don't understand is what I need to do (if at all possible) to sign my EXE file. What is a simple explanation?
Mel Green's answer took me further, but signtool wants me to specify what certificate to use in any case. Can I get a free code signing certificate somehow to test if this will work for me at all?
Also please specify which certificate kind is the correct one. Most sites only mention "code signing" and talk about signing applications that are actually compiled by the user. This is not the case for me.
How to sign your app
Use Microsoft's SignTool to sign your app.
You download it as part of the Windows SDK. Note that it's also possible to install SignTool without installing the entire SDK. Once installed you can use SignTool from the command line like so:
signtool sign /a /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 MyFile.exe
This will sign MyFile.exe. Explanation of the used command line options:
/a will automatically use the certificate that is valid for the longest time. If you have no certificate, SignTool will display an error.
/fd SHA256 will use the SHA-256 digest algorithm for the file signature. Using SHA256 is recommended and considered to be more secure than the default SHA1 digest algorithm.
/tr http://timestamp.digicert.com adds a timestamp to your signed apps. This is extremely important because this will allow the signature to remain valid even after the certificate itself has already expired. The argument for the /tr option is a timestamp URL. You can use any of the timestamp URL's from this list of free RFC 3161 timestamp servers.
/td SHA256 will use the SHA-256 digest algorithm for the timestamp signature. As before, using SHA256 is recommended and considered to be more secure.
How and when to use self-signed certificates
If you'd like to get a hold of a certificate that you can use to test your process of signing the executable, you can use MakeCert to create a self-signed certificate.
Once you've created your own certificate and have used it to sign your executable, you'll need to manually add it as a Trusted Root CA for your machine in order for UAC to accept your self-signed certificate as a trusted source. Note that you can only do this on your own development machines. You usually can not do this on your user's computers, since most users will not accept to install a new Root CA for good reasons.
How to get rid of the "unrecognized app" warning
Even if your app is signed, you might still see the following warning message when trying to run the app:
Microsoft Defender SmartScreen prevented an unrecognized app from
starting. Running this app might put your PC at risk.
How to avoid this warning is a somewhat complex topic. Please see this answer to get the whole picture about these Microsoft SmartScreen warnings and what you can do and should know about it.
I had the same scenario in my job and here are our findings
The first thing you have to do is get the certificate and install it on your computer, you can either buy one from a Certificate Authority or generate one using makecert.
Here are the pros and cons of the 2 options
Buy a certificate
Pros
Using a certificate issued by a CA(Certificate Authority) will
ensure that Windows will not warn the end user about an application
from an "unknown publisher" on any Computer using the certificate
from the CA (OS normally comes with the root certificates from manny
CA's)
Cons:
There is a cost involved on getting a certificate from a CA
For prices, see https://cheapsslsecurity.com/sslproducts/codesigningcertificate.html and https://www.digicert.com/code-signing/
Generate a certificate using Makecert
Pros:
The steps are easy and you can share the certificate with the end users
Cons:
End users will have to manually install the certificate on their machines and depending on your clients that might not be an option
Certificates generated with makecert are normally used for development and testing, not production
Sign the executable file
There are two ways of signing the file you want:
Using a certificate installed on the computer
signtool.exe sign /a /s MY /sha1 sha1_thumbprint_value /t http://timestamp.verisign.com/scripts/timstamp.dll /v "C:\filename.dll"
In this example we are using a certificate stored on the Personal folder with a SHA1 thumbprint (This thumbprint comes from the certificate) to sign the file located at C:\filename.dll
Using a certificate file
signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f "c:\path\to\mycert.pfx" /p pfxpassword "c:\path\to\file.exe"
In this example we are using the certificate c:\path\to\mycert.pfx with the password pfxpassword to sign the file c:\path\to\file.exe
Test Your Signature
Method 1: Using signtool
Go to: Start > Run
Type CMD > click OK
At the command prompt, enter the directory where signtool exists
Run the following:
signtool.exe verify /pa /v "C:\filename.dll"
Method 2: Using Windows
Right-click the signed file
Select Properties
Select the Digital Signatures tab. The signature will be displayed in the Signature list section.
I hope this could help you
Sources:
https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537361(v=vs.85)
https://www.digicert.com/kb/code-signing/signcode-signtool-command-line.htm
https://learn.microsoft.com/en-us/windows/win32/seccrypto/makecert
https://cheapsslweb.com/comodo-code-signing
You can get a code-signing certificate from Certum if you're doing open source development. I've been using their certificate for over a year, and it does get rid of the unknown publisher message from Windows. Price history:
2005 - €14.00
2019 - €25.00
2022 - €69.00
As far as signing code I use signtool.exe from a script like this:
signtool.exe sign /t http://timestamp.verisign.com/scripts/timstamp.dll /f "MyCert.pfx" /p MyPassword /d SignedFile.exe SignedFile.exe
Another option, if you need to sign the executable on a Linux box is to use signcode from the Mono project tools. It is supported on Ubuntu.
The ASP's magazine ASPects has a detailed description on how to sign code (You have to be a member to read the article). You can download it through http://www.asp-shareware.org/
Here's link to a description how you can make your own test certificate.
This might also be interesting.
This is not a direct answer to the question, but it is closely related (and useful I hope) since sooner or later any individual programmer will have put his hand into the wallet.
So, prices for EV (Extended Validation) Code Signing Certificates, sorted by price:
AboutSSL
$240/Year (clickbait price)
$287/Year (real price, after coupon)
KSoftware.net
1 Year $350 + ($50 hidden fee!)
2 Year $600
3 Year $750
OV: $84 per year (for 3 years)
I purchased from them an EV. Some years later I purchased an OV. The eToken was sent on a USB stick. No reader needed. They are only intermediary. In the end, you actually purchase from Comodo (Sectigo).
Sectigo is veeeeerrry slow.
The second time, the verification took two full months. The phone verification failed multiple times. Everything was cumbersome. The tech support didn't have a clue about what is going on, probably just a guy in Pakistan reading through some script.
Sklep.certum.pl
1 Year 379 euro
(seems to be for Poland users only)
LeaderSsl.de
1 Year 364 euro or 307 euro (+19%VAT)
(OV 69+VAT)
Sectigo.com
1 Year $499 USD
3 Year $897 USD
GlobalSign.com
1 Year $410 total
2 Years $760 total
3 Years $950 total
Digicert.com
1 Year: $600 (it was $104)
3 Year: ?
symantec.com
1 Year: $700
3 Years: ridiculous expensive
More prices here:
cheapsslsecurity.com CodeSigning EV
cheapsslsecurity.com SSL only!
EV vs OV
With EV, nine additional steps are required including verifying a businesses’ public phone number, length of time in business, registration number and jurisdiction, as well as a domain fraud check, contact blacklist check and a telephone call to authenticate the employment status of the requestor.
Some recommend submitting a program signed with OV to Microsoft to be checked with their antivirus.
IF YOU FIND CHEAPER PRICES, let me know, and I will update the list!
How to use the certificate?
To sign the exe file, I used MS signtool.exe. For this you will need to download the bloated MS Windows SDK which has a whooping 1GB. FORTUNATELY, you don't have to install it. Just open the ISO and extract "Windows SDK Signing Tools-x86_en-us.msi". It has a merely 400 KB.
Then I built this tiny script file:
prompt $
echo off
cls
copy "my.exe" "my.bak.exe"
"c:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe" sign /fd SHA256 /f MyCertificate.pfx /p MyPassword My.exe
pause
__
What happened after signing my EXE file?
So, after investing some money, I finally signed my EXE file. What happened after that? Nothing... On Win10 I still see the same "untrusted" window with the "Don't run" button. The "Continue" button is still invisible. My program has about 400 downloads per day. Let's wait and see how many downloads are necessary.
Reference https://steward-fu.github.io/website/driver/wdm/self_sign.htm
Note: signtool.exe from Microsoft SDK
1.First time (to make private cert)
Makecert -r -pe -ss YourName YourName.cer
certmgr.exe -add YourName.cer -s -r localMachine root
2.After (to add your sign to your app)
signtool sign /s YourName YourApp.exe
And yet another option, if you're developing on Windows 10 but don't have Microsoft's signtool.exe installed, you can use Bash on Ubuntu on Windows to sign your app. Here is a run down:
https://blog.synapp.nz/2017/06/16/code-signing-a-windows-application-on-linux-on-windows/
Use following link to sign .exe (setup/ installer)file (sign exe/setup file without using Microsoft setup signtool)
https://ebourg.github.io/jsign/#files
sample command java -jar jsign-2.0.jar --keystore keystore.jks" --alias alias --storepass password MyInstaller.exe
Worked for me :)

Resources