Authenticode Signing
User Guide
Code signing
Use Entrust certificates for Microsoft Authenticode to sign CAB, CAT, CTL, DLL,
EXE, and OCX files. Browsers use the signature and its accompanying information to
provide some confidence to the end user that the code is from a legitimate source and
is free of tampering. Entrust offers PKCS#7 (Public Key Cryptography Standard #7)
certificates for use with Authenticode.
Note:
You cannot use Entrust code signing certificates for Microsoft Authenticode to
sign kernel mode software.
User guides containing information about:
Entrust code signing certificates for Windows macros and Visual Basic files
that you have purchased and installed an Entrust certificate for signing
Authenticode
Note:
SignTool supports PFX format. If you selected PVK format when you purchased
your certificate, you can convert it to PFX using the PVK2PFX utility, located in the
same folder as SignTool. Alternatively, when you import the certificate into your
certificate store, you can specify PFX format.
Converting a PVK formatted file to PFX
This procedure outlines how to convert a PVK formatted file to PFX using the PVK2PFX
utility.
Where:
<name of PVK file> is the name of the PVK file that you purchased from
Entrust
<password for PVK> is the password that you created to safeguard and use
the certificate
<name of PFX file> is an option that allows you to use a different name for
the PFX file. If you do not use this option, an export wizard opens and the
subsequent options (-po and -f) in the command are ignored.
Optionally you can add -po <password> to set a password for the PFX file
that is different from the one set for the PVK file. If you choose not to set a
new password the original password applies.
Note:
Older versions of SignTool (version 6.0 and lower) require you to specify the
timestamp in a separate command, rather than as an option in the signing
command.
To sign code using SignTool
1
http://timestamp.entrust.net/TSS/AuthenticodeTS /v <path>\<file to
be signed>
Where:
<Path to the SignTool executable> is usually the bin folder in the Windows
SDK installation.
<path>\<cert.pfx> is the location and name of your certificate
<password> is the password for your certificate
http://timestamp.entrust.net/TSS/AuthenticodeTS is the URL of Entrust's
Note:
This URL applies only to Authenticode signing certificates. Other types of Entrust
code signing certificates use different URLs.
/v specifies verbose execution for information about success, failure, or errors
<path>\<file to be signed> is the location and name of the file containing the
Note:
SignTool 6.0 or higher is required to use this command.
To sign code using SignTool
1
Where:
cross-certificate
/d allows you to add a description of the signed content; for example, the
name of the software, such as XYZ Desktop Client
/du allows you to add a URL with additional information about the signed
content
The code is passed through a hashing algorithm creating a hash of the file.
The hash is an exact numerical representation of the file. The hash is only
reproducible using the unaltered file and the hashing algorithm that was
used to create the hash. The hash is bundled with the file.
[Figure: signing and timestamping. Elements shown: Code, Hash of code, Timestamping Authority, Public key, Certificate]
The validity of the TSA's public key is verified by checking its expiry date and
consulting the revocation lists to be sure that it has not been revoked.
The two hashes are compared. If the hashes are equal, the timestamp is
considered to be valid.
The public key of the designer or publisher is extracted from the bundle and
applied to the signature information. Applying the public key reveals the
hash that was calculated when the file was signed.
The public key is checked against the revocation lists to be sure that it is valid.
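As an added example that is not part of the Entrust guide, the following PowerShell script runs the signing command from the procedures above against the Entrust Authenticode timestamp URL and then performs the signature and timestamp checks just described, using signtool verify and the Get-AuthenticodeSignature cmdlet. The SignTool location, PFX path, target file, description text and information URL are placeholder assumptions.

```powershell
# Added example, not from the Entrust guide. All paths below are hypothetical;
# only the timestamp URL comes from the guide.
param(
    [string]$SignTool = "signtool.exe",                  # assumes SignTool is on PATH
    [string]$Pfx      = "C:\certs\codesign.pfx",         # placeholder PFX path
    [string]$Target   = "C:\build\app.exe",              # placeholder file to sign
    [string]$Tsa      = "http://timestamp.entrust.net/TSS/AuthenticodeTS"
)

# Read the PFX password interactively instead of hard-coding it in the script.
$secure = Read-Host -Prompt "PFX password" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new("", $secure).Password

# Sign and timestamp in a single command (SignTool 6.0 or higher, as the guide notes).
# /d and /du attach the description and information URL shown to the end user.
& $SignTool sign /f $Pfx /p $plain /t $Tsa `
    /d "XYZ Desktop Client" /du "https://example.com/xyz" /v $Target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the Authenticode policy (/pa); /v prints the chain, the
# timestamp and any errors, mirroring the hash, certificate and revocation checks.
& $SignTool verify /pa /v $Target
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Cross-check from PowerShell: the signature must be Valid and carry a timestamp,
# otherwise the signature stops verifying once the signing certificate expires.
$sig = Get-AuthenticodeSignature -FilePath $Target
if ($sig.Status -ne 'Valid') {
    throw "Signature status: $($sig.Status) - $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    throw "No timestamp present on $Target"
}
$sig.SignerCertificate | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint
```

The password is read interactively because /p places it on the command line, where it is visible in process listings and shell history.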
[Figure: Check Signature and Check Timestamp. Elements shown: Code, Hash from signer's private key, Hash from signer's public key, Hash of signature and timestamp, Revocation list]