Article: Using Authenticode Code Signing Certificates

[Ted Sullivan]

Using Authenticode Code Signing Certificates with Setup Factory 7.0

How can users trust code that is published on the Internet? Two issues that must be addressed are those of ensuring integrity and authenticity. Authenticity assures users that they know where the code came from. Integrity verifies that the code hasn't been tampered with since its publication.

In the Microsoft article titled Introduction to Code Signing, they write:

Quote:

Microsoft's solution to these issues is Microsoft Authenticode coupled with an infrastructure of trusted entities. Authenticode, which is based on industry standards, allows developers to include information about themselves and their code with their programs through the use of digital signatures.

While Authenticode itself cannot guarantee that signed code is safe to run, Authenticode is the mechanism by which users can be informed of whether the software publisher is participating in the infrastructure of trusted entities. Thus, Authenticode serves the needs of both software publishers and users who rely upon the Internet for the downloading of software.

Why Should I Care?
If you plan to distribute your software over the Internet and you expect that some of your users will be using Windows XP Service Pack 2, you may want to consider signing your installer. Due to the changes made to Internet Explorer in Windows XP SP2, when a customer downloads and runs your software, they will be presented with a warning dialog asking the user if they really want to run your software. On that dialog, they will see "Unknown Publisher" if it is not signed. On the other hand, if you do sign your code, they will instead see your company name and an optional web link to follow for more information.

Getting a Code Signing Certificate
If you would like to purchase a code signing certificate, they are available from a number of companies, including Verisign, Thawte and Comodo. Comodo seems to offer a $99 certificate, so you may want to shop around and see what works best for you.

During the purchase process, you will be instructed on creating and saving a "private key" file, which will later be used along with your certificate to actually "sign" your software. You will also be asked for a password to protect your private key. Do not misplace any of this information. Each piece is extremely important!

It will take about 3-5 days for your application to be approved and your certificate issued. Keep in mind that you will likely need to provide supporting documentation to prove you actually are who you say you are. It's not something to be taken lightly and will likely require senior management to be involved.

Download the Microsoft Authenticode SDK
Now that you have a code signing certificate, you'll need to download some software from Microsoft so you can start using it.

1. Download the Authenticode for Internet Explorer 5.0 "codesigningx86.exe" package from Microsoft's website.
   
2. Install the package to your system. By default, it suggests using C:\inetsdk\bin.

Signing your Setup Factory 7.0 Installers
Once the Authenticode package is installed on your system, you are ready to start signing your code.

1. Build and publish your installer with Setup Factory 7.0, as usual. Be sure to choose the "Web (Single File)" option when publishing.
   
2. Double-click the signcode.exe file (e.g. "C:\inetsdk\bin\signcode.exe") to start the Digital Signature Wizard.
   
3. Follow the prompts in the wizard to digitally sign your installer.

Testing your Signature
To verify that everything went according to plan and view your signature, Microsoft includes the "chktrust.exe" application. To use it, go to "Start > Run" and type "C:\inetsdk\bin\chktrust.exe filename.exe", where "filename.exe" is the full path to your installer.

Alternatively, you could simply upload the installer to a web site and then download and run it from a computer using Windows XP SP2. You'll see the same information.

Getting More Information
There are many good resources on the Internet for finding out more about code signing, Authenticode, Windows XP, Security and related issues. Here are a few places to start.

• Microsoft: Authenticode for Internet Explorer 5.0 SDK
  
• Microsoft: Introduction to Code Signing
  
• Microsoft: Signing and Checking Code with Authenticode
  
• Certify your Software Integrity with Thawte Code Signing Certificates
  
• Purchase a Thawte Code Signing Certificate

Copyright (c) 2004 Indigo Rose Software. All rights reserved.

[bljacobs]

Is there any reason these instructions regarding Authenticode couldn't be used with Setup Factory 6.0? Any special considerations or things to look out for?

[Ted Sullivan]

Setup Factory 6.0 wasn't designed with Authenticode signing in mind. It may or may not work, but hasn't been tested as such.

[DTX]

Hi,

Are there any updates to this article? As Microsoft seem to have shifted the files that you need to download.


Cheers
Drew

[SteveDude]

I code sign all of my EXE's and DLL's. No problems signing EXE's built with Setup Factory. I use the one in the Windows Platform SDK.

I sugest using signtool.exe with this command line...

signtool.exe signwizard

It makes signing programs a no brainer.

It would be nice if this built into Setup Factory. It is in some other products.

Internet SDK
http://www.microsoft.com/downloads/d...displaylang=en

.NET SDK

http://www.microsoft.com/downloads/d...displaylang=en