I have recently acquired a Digital Signature for accessing official Danish sites and for signing and encrypting e-mail.
Today at work I helped a coworker with signing an ActiveX control, which made me consider whether my personal digital signature could be used to sign code as well. When I came home I checked the advanced options of my digital signature, and Code Signing was among the certificate purposes:
Okay, that was really cool. So now onto the details of actually signing the code.
First I downloaded the Microsoft Authenticode Tools and extracted them to C:\Program Files\CodeSign. To sign an executable I would just need to run signcode.exe. I would, however, need a .cer file containing the public key of my digital signature and a .pvk file containing my private key. The issuer had disabled export to .cer including the private key, so I had to find a different solution. From the issuer's page it was possible to export the key (both public and private) to .pkcs12.
Using some of the steps described on Matthew Jones' page I got the .pkcs12 (which is the same as a .pfx file) converted to a .pem file and then finally to a .pvk file.
To perform these steps you need OpenSSL for Windows and the PVK utility.
To convert the .pfx file to .pem:
openssl pkcs12 -in sune.pkcs12 -nocerts -nodes -out sune.pem
To convert the .pem file to .pvk:
pvk -in sune.pem -topvk -out sune.pvk
Using the cert2spc.exe executable from the authenticode tools I turned my .cer file into a .spc file.
Now I had everything to sign my first file (using Wise for Windows Installer):
or from the command line:
C:\Program Files\CodeSign>signcode.exe -spc sune.spc -v sune.pvk -n "Davina's GGS Timer" -i http://www.tanis.dk/Products/DavinasGGSTimer -t http://timestamp.verisign.com/scripts/timestamp.dll DavinasGGSTimerInst.exe
A quick compile and running chktrust.exe from the authenticode tools on my installer exe now gives me this result:
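As an added example (not part of the original post), the certificate-purpose check from the start of the post done programmatically: a minimal pure-Python DER walker that reads a DER-encoded .cer and reports whether Code Signing (OID 1.3.6.1.5.5.7.3.3) is listed in its extended key usage extension, so you can confirm this before converting the key. The samples inside are constructed extension blocks, not real certificates; it assumes the issuer's .cer is binary DER rather than base64/PEM.

```python
# Added example (not from the post): check a DER .cer lists Code Signing among its EKUs.
EKU_EXT_OID = "2.5.29.37"               # id-ce-extKeyUsage
CODE_SIGNING_OID = "1.3.6.1.5.5.7.3.3"  # id-kp-codeSigning

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _walk(buf):
    """Yield (tag, value) for each element, descending into constructed ones."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _tlv(buf, pos)
        yield tag, value
        if tag & 0x20:                       # constructed bit set: recurse
            yield from _walk(value)

def _decode_oid(raw):
    """Decode DER OID content bytes to dotted form."""
    arcs, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])

def extended_key_usages(der):
    """Return the EKU OIDs (dotted) in a DER certificate, or [] if none."""
    elements = list(_walk(der))
    for i, (tag, value) in enumerate(elements):
        if tag == 0x06 and _decode_oid(value) == EKU_EXT_OID:
            # Extension ::= SEQUENCE { extnID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
            for t, v in elements[i + 1:i + 3]:
                if t == 0x04:
                    return [_decode_oid(x) for tg, x in _walk(v) if tg == 0x06]
    return []

def _der(tag, payload):                      # tiny encoder for the constructed samples
    return bytes([tag, len(payload)]) + payload
def _sample(*eku_oid_hex):                   # constructed [3] extensions block, not a real cert
    purposes = b"".join(_der(0x06, bytes.fromhex(h)) for h in eku_oid_hex)
    ext = _der(0x30, _der(0x06, bytes.fromhex("551d25")) + _der(0x04, _der(0x30, purposes)))
    return _der(0x30, _der(0xA3, _der(0x30, ext)))
SAMPLE_WITH_CODESIGN = _sample("2b06010505070304", "2b06010505070303")  # email + code signing
SAMPLE_EMAIL_ONLY = _sample("2b06010505070304")                          # emailProtection only
```

Run extended_key_usages(open("sune.cer", "rb").read()) on the exported file and look for CODE_SIGNING_OID in the result.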
I'll be signing my productions from now on.