Join the revolution - StartCom Linux

Official StartCom Public User Forum

 Post subject: HOWTO: Code signing how-to
PostPosted: Sun Oct 25, 2009 4:51 am 

Joined: Sun Oct 25, 2009 4:40 am
Posts: 1
Hi all,

Here's a little how-to for signing code. I hope this helps someone out there...

Code signing with a StartSSL Level 2 certificate - a How-To

You will need:

a) OpenSSL for Windows version 0.9.8 or better. You can get it from:

http://slproweb.com/products/Win32OpenSSL.html

b) a conversion utility called pvk.exe, created by Dr. Steven N. Henson. You can get it from:
http://www.drh-consultancy.demon.co.uk/pvk.html
or from:
http://www.tech-pro.net/files/pvktool.zip
If neither of these links works, you'll probably have to Google it.

c) The Microsoft code signing tools. They come in the .NET Framework SDK, or as part of Visual Studio. I used the v1.1 SDK that ships with Visual Studio 2003. If you use the .NET Framework SDK version 2 or greater, you'll use a tool called signtool.exe in place of the signcode.exe tool that's described below. The arguments to the tools are somewhat different. Check the documentation on the Microsoft website for signtool if you're using that one. You should be able to get either SDK from the Microsoft website (but since they completely change their website on a weekly basis, I can't tell you where to find it. If I did, I'd be wrong the next week.)


You will create:

mykey.pem - Your private key in PEM format.
myreq.pem - Your certificate signing request in PEM format. You send this to StartSSL to get a certificate.
mycert.pem - Your certificate in PEM format.
mykey.pvk - Your private key in Microsoft's CryptoAPI format (basically a proprietary, undocumented format)
mycert.spc - Your certificate in Microsoft's CryptoAPI format as a Software Publisher's Certificate.


PEM format is readable by any text editor (i.e. notepad) so you can see what you've got just by opening the file in notepad. As an example, once you've created your private key file (mykey.pem) you can open it in notepad and you'll see the file start with the line:
-----BEGIN RSA PRIVATE KEY----- and end with:
-----END RSA PRIVATE KEY-----

First, acquire a Level 2 validation from Startssl.com so you can get a Level 2 certificate.

Next, create a certificate signing request using OpenSSL:

Code:
openssl req -new -newkey rsa:2048 -keyout mykey.pem -out myreq.pem


You will be asked to supply a number of items:
The PEM passphrase
and the PEM passphrase again, for verification

The country name
The state or province name
The locality name
The Organization name
The Organizational unit name
The Common Name
Email address

and a number of 'extra' attributes that you can leave blank:
A challenge password
An optional company name

Once you've filled in all these fields or pressed Enter on the blank values, OpenSSL will create two files - mykey.pem and myreq.pem

Open notepad and open the file myreq.pem in notepad. The first line in the file should read:

Quote:
-----BEGIN CERTIFICATE REQUEST-----


and should end with:

Quote:
-----END CERTIFICATE REQUEST-----


Highlight all the contents of this file, and type Ctrl-C to copy the contents to the clipboard. Once you've done that, you can close notepad.

Log on to the startssl.com secure server, choose the certificate wizard, then select "Object code signing certificate" from the drop down list.

Click on the submission box for the code signing request and type Ctrl-V to paste the contents of the clipboard into this box, then click Ok.

You'll get a new window with your Certificate in a PEM format. Copy the contents of this certificate into a local file. In this how-to, we're calling this certificate file mycert.pem.

At this point you've got 3 files, mykey.pem, myreq.pem and mycert.pem. We're finished with myreq.pem, but we need to convert the other two (mykey.pem and mycert.pem) into the format that Microsoft understands.

Next, you create the file mykey.pvk from mykey.pem by using Dr. Henson's wonderful little tool:

Code:
pvk -in mykey.pem -topvk -out mykey.pvk


Next, create the mycert.spc certificate file. There are two ways to do this. Microsoft has a little utility in their SDK called cert2spc.exe. In their documentation, Microsoft says this utility is only for creating test certificates, but it seems to work quite well on real certificates:

Code:
cert2spc mycert.pem mycert.spc

Alternatively, you can use OpenSSL:

Code:
openssl crl2pkcs7 -nocrl -certfile mycert.pem -outform DER -out mycert.spc


FINALLY, you're ready to actually sign an executable:

Code:
signcode -spc mycert.spc -v mykey.pvk -n "Your product name here" \
   -t http://timestamp.verisign.com/scripts/timstamp.dll \
   "Your executable file name here"


Of course all this should be on one line. I've used the backslash characters to break up the line in this tutorial, but you should enter everything on the one line.

To check that your executable is properly signed, you can use the chktrust utility:

Code:
chktrust /v "Your executable file name here"


Chktrust will open a dialog in which you can see the name of the publisher (you) and the name of the product, and allow you to examine the certificate.

Congratulations, you're done!!!!!


 Post subject: Re: HOWTO: Code signing how-to
PostPosted: Sun Oct 25, 2009 6:12 pm 

Joined: Thu Oct 01, 2009 8:31 pm
Posts: 15
Location: Coburg, Bavaria, Germany
signcode.exe is a little bit outdated...

If you have OpenSSL at hand (see the article above for where to get it), you can use:

Code:
openssl req -new -newkey rsa:4096 -nodes -keyout codesign_privatekey.pem -out codesign_certificate_request.csr

Enter the asked values or use the default ones - it doesn't matter as StartCom will insert the appropriate values from their database (where you have entered your individual/organization data). NOTE: do not set a password for your private key.

You should use a stronger key than 1024 bit (I've used 4096 bit in the line above - just alter to suit your needs)...

Now submit the content via copy & paste (i.e. open file with notepad.exe) to StartCom when asked for your CSR file.

When StartCom lists the text-content of your Certificate (select and do a copy & paste to your editor), save it to a new file, for example: codesign_certificate.crt

Now we are going to create a 'handy' PFX-file:

Code:
openssl pkcs12 -export -out codesign.pfx -inkey codesign_privatekey.pem -in codesign_certificate.crt

NOTE: do not set a password when asked.

Now start the MMC (Microsoft Management Console): Start -> Run -> enter: mmc -> click: OK

In the File-menu select: Add/Remove Snap-In -> click: Add -> select: Certificates -> click: Add -> select: My User account -> click: Finish -> click: Close -> click: OK

Now open the Certificates - Current User tree -> select: Personal -> right-click & select: AllTasks -> Import -> point to your PFX file and install it.

Leave the password box empty when asked and set the option to mark your key as exportable, DO NOT enable strong key protection!

Now you can use the MS SignTool from the Windows SDK. Example:

Code:
signtool.exe sign /d "Your Project Name" /du "http://www.yoururl.tld/yourproject/" /f "codesign.pfx" /t "http://timestamp.verisign.com/scripts/timestamp.dll" /v "your_file.exe"

If anyone is interested in how you can automate the signing process in Visual Studio after compilation is finished, I will complement this how-to with the necessary steps, especially how to incorporate Manifests for privilege elevation (UAC Box) on Vista, using strong-named assemblies with code-signing (when you'll need to resign with your strong-name), etc.

If you have any questions left, just write here!

HTH,
Duncan
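The OpenSSL half of both procedures above (the first post's mykey.pem / myreq.pem / mycert.spc route and Duncan's codesign.pfx route), as an added example that is not code from either post. It runs the commands without the interactive prompts and adds the checks you want before pasting a CSR into the wizard or importing a bundle: that the CSR parses and its self-signature verifies, that the certificate you got back really belongs to your private key, and that the SPC/PFX you built contains what you think. Assumptions: no CA is reachable offline, so the StartSSL-issued certificate is replaced by a self-signed stand-in made from the same CSR; the subject in `SUBJ` and the `$WORK` directory are constructed placeholders.

```shell
#!/bin/sh
# Added example; not code from either forum post. The CA step is simulated by
# self-signing the CSR, so the certificate here is a labelled stand-in.
set -eu
WORK=$(mktemp -d)
SUBJ="/C=XX/O=Example Org/CN=Example Publisher"   # constructed placeholder

# Key + CSR (first post: mykey.pem / myreq.pem). -subj replaces the prompts;
# -nodes skips the PEM passphrase, as the second post recommends.
make_request() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
        -keyout "$WORK/mykey.pem" -out "$WORK/myreq.pem" 2>/dev/null
}

# Before the clipboard step: the CSR must parse and its self-signature must
# verify. A truncated paste fails here instead of at the CA.
verify_request() {
    openssl req -in "$WORK/myreq.pem" -noout -verify 2>&1 | grep -q "verify OK"
}

# Stand-in for the CA: sign the CSR with our own key (StartSSL signs with
# theirs). The output plays the role of mycert.pem / codesign_certificate.crt.
issue_stand_in_cert() {
    openssl x509 -req -in "$WORK/myreq.pem" -signkey "$WORK/mykey.pem" \
        -days 1 -out "$WORK/mycert.pem" 2>/dev/null
}

# The public key inside the certificate must equal the one derived from the
# private key; otherwise signcode/signtool will refuse the pair.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/mykey.pem" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$WORK/mycert.pem" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# First post's route: mycert.spc is a DER PKCS#7 bundle with no CRL.
# Prints the number of certificates found when it is read back.
build_spc() {
    openssl crl2pkcs7 -nocrl -certfile "$WORK/mycert.pem" \
        -outform DER -out "$WORK/mycert.spc"
    openssl pkcs7 -in "$WORK/mycert.spc" -inform DER -print_certs -noout 2>/dev/null \
        | grep -c '^subject'
}

# Second post's route: a PKCS#12 (PFX) holding key and certificate with an
# empty password (-passout pass: is the non-interactive way to leave it empty).
build_pfx() {
    openssl pkcs12 -export -out "$WORK/codesign.pfx" -passout pass: \
        -inkey "$WORK/mykey.pem" -in "$WORK/mycert.pem"
}

# Read the bundle back with the empty password and count its private keys
# and certificates: exactly one of each is expected, so this prints "2".
pfx_inventory() {
    openssl pkcs12 -in "$WORK/codesign.pfx" -passin pass: -nodes 2>/dev/null \
        | grep -c -e 'BEGIN.*PRIVATE KEY' -e 'BEGIN CERTIFICATE'
}

make_request
verify_request && echo "CSR verifies"
issue_stand_in_cert
key_matches_cert && echo "key and certificate match"
echo "certificates in SPC: $(build_spc)"
build_pfx
echo "objects in PFX: $(pfx_inventory)"
echo "files left in $WORK"
```

With a real StartSSL certificate, skip `issue_stand_in_cert`, save the wizard's output as `$WORK/mycert.pem` and run the remaining functions unchanged; `key_matches_cert` is the step that catches a certificate pasted from the wrong wizard session. One caveat for newer toolchains: OpenSSL 3 writes PKCS#12 files with AES/PBKDF2 and a SHA-256 MAC by default, which older Windows releases cannot import; `openssl pkcs12 -export -legacy` produces the older encoding those systems expect.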


 Post subject: Re: HOWTO: Code signing how-to
PostPosted: Sun Nov 15, 2009 9:42 pm 

Joined: Sun Nov 15, 2009 9:37 pm
Posts: 1
Location: GB
If you use something like

"C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin\signtool.exe" signwizard

(i.e. use the signwizard argument) in a shortcut then you get a gui wizard to take you through the process.

Question - are there any plans for StartSSL to provide a timestamp service?

Adrian


 Post subject: Re: HOWTO: Code signing how-to
PostPosted: Mon Nov 16, 2009 5:54 am 

Joined: Mon Oct 04, 2004 11:41 am
Posts: 681
Location: Israel
There is one, but it's really "BETA". But using it will only increase its usefulness I guess, try it and read this FAQ item.


 Post subject: Re: HOWTO: Code signing how-to
PostPosted: Mon Nov 16, 2009 2:45 pm 

Joined: Thu Oct 01, 2009 8:31 pm
Posts: 15
Location: Coburg, Bavaria, Germany
What does *really* BETA mean? IMHO a Time Stamp service does work or not :wink: - or do you mean by BETA that it might fail under certain circumstances - or under heavy load?

Currently we are using http://timestamp.verisign.com/scripts/timestamp.dll but they had recently (some months ago) problems (maybe heavy load or DDoS), so we switched to http://timestamp.globalsign.com/scripts/timestamp.dll as an alternative.

Okay, we'll try out StartCom soon... 8)

Duncan


 Post subject: Re: HOWTO: Code signing how-to
PostPosted: Wed Nov 25, 2009 8:51 pm 

Joined: Wed Nov 25, 2009 8:35 pm
Posts: 1
Location: US
Duncan Mac Leod wrote:
If anyone is interested in how you can automate the signing process in Visual Studio after compilation is finished, I will complement this how-to with the necessary steps, especially how to incorporate Manifests for privilege elevation (UAC Box) on Vista, using strong-named assemblies with code-signing (when you'll need to resign with your strong-name), etc.

If you have any questions left, just write here!

HTH,
Duncan


Automatic signing in Visual Studio is very easy:
Add a post-build event to your project (in VB.NET, this is in My Project->Compile->Build Events).

If your certificate is installed in Windows (replace YOUR_CERTIFICATE_SHA1_FINGERPRINT with your certificate's SHA-1 fingerprint):

Code:
"PATH:\To\signtool.exe" sign /sha1 YOUR_CERTIFICATE_SHA1_FINGERPRINT /v /t http://timestamp.verisign.com/scripts/timstamp.dll "$(ProjectDir)obj\$(ConfigurationName)\$(TargetFileName)"

I am using Verisign's timestamp because StartSSL's timestamp server is not working.
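The post-build command above selects the certificate by its SHA-1 fingerprint, and signtool's `/sha1` switch wants that value as 40 hex digits with no colons. The following is an added example (not from the post) that derives that value from a PFX with OpenSSL and checks that the thumbprint hard-coded in a post-build command line really belongs to the certificate you hold, which is the usual reason a post-build signing step fails after a certificate renewal. Assumptions: the key and certificate are a constructed self-signed stand-in, the PFX has an empty password as earlier posts recommend, and the `sed` extraction of the `/sha1` argument is my own.

```shell
#!/bin/sh
# Added example; not code from the post above. The PFX is built from a
# constructed self-signed certificate so that everything runs offline.
set -eu
WORK=$(mktemp -d)

make_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -subj "/C=XX/O=Example Org/CN=Example Publisher" 2>/dev/null
    openssl pkcs12 -export -out "$WORK/codesign.pfx" -passout pass: \
        -inkey "$WORK/key.pem" -in "$WORK/cert.pem"
}

# openssl prints "SHA1 Fingerprint=AB:CD:...". signtool /sha1 takes the same
# digest as 40 hex digits without separators; case does not matter, so the
# value is normalised to lowercase for comparison.
thumbprint_of_pfx() {
    openssl pkcs12 -in "$1" -passin pass: -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Pull the /sha1 argument out of a signtool command line (the text of the
# post-build event) and normalise it the same way.
configured_thumbprint() {
    printf '%s\n' "$1" | sed -n 's/.*\/sha1[ ]*\([0-9A-Fa-f]*\).*/\1/p' | tr 'A-F' 'a-f'
}

# True when the command line names the certificate that is actually in the PFX.
thumbprints_agree() {
    want=$(configured_thumbprint "$1")
    have=$(thumbprint_of_pfx "$2")
    [ -n "$want" ] && [ "$want" = "$have" ]
}

make_pfx
echo "paste this after /sha1: $(thumbprint_of_pfx "$WORK/codesign.pfx")"
```

In a real post-build event the same check can run before signtool: compare the configured thumbprint with the one from the certificate store or PFX and fail the build with a clear message when they differ, instead of signtool's generic "No certificates were found" error.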


 Post subject: Re: HOWTO: Code signing how-to
PostPosted: Mon Feb 08, 2010 1:21 pm 

Joined: Tue Mar 25, 2008 12:00 am
Posts: 1
Hi all!
I'm trying to sign LibUSB drivers to use ArgyllCMS with Windows 7 x64, which needs signed drivers.

I followed this how-to, downloaded the Platform SDK to use signtool.exe, and signed libusb0.dll[.sys] and the x64 versions too, but nothing. I tried to install them after cleaning Windows of the old unsigned drivers (c:\windows\system32, system32\drivers, c:\windows\sysWOW64) but nothing; it still refuses my drivers since, for Windows, they're not signed or the provider is not known and added to the catalog :/

Any hints?


 Post subject: Re: HOWTO: Code signing how-to
PostPosted: Wed Feb 17, 2010 4:36 am 

Joined: Mon Oct 04, 2004 11:41 am
Posts: 681
Location: Israel
scarecrow, see viewtopic.php?f=15&t=1768


 Post subject: Re: HOWTO: Code signing how-to
PostPosted: Mon Apr 26, 2010 6:18 pm 

Joined: Mon Apr 26, 2010 12:12 pm
Posts: 2
Excellent.
Thanks for this great article.
The steps:
1. "C:\Program Files\OpenSSL\bin\openssl" req -new -newkey rsa:2048 -nodes -keyout ..\myCodesignPK.pem -out ..\myCertRequest.csr
(without pwd)

2. "C:\Program Files\OpenSSL\bin\openssl" pkcs12 -export -out ..\myCodesignCert.pfx -inkey ..\myCodesignPK.pem -in ..\myCodesignCertificate.crt
(without pwd)

3. PostBuildEvent: .\Tools\signtool.exe sign /sha1 XXxxXXxxXX...XXxx /v /t http://timestamp.globalsign.com/scripts/timestamp.dll "$(TargetDir)$(TargetFileName)"

Works fine.


All times are UTC + 2 hours [ DST ]