Authenticode Code Signing

Using Authenticode Code Signing

Background

How can users trust code that is published on the Internet? Two issues that must be addressed are those of ensuring integrity and authenticity. Authenticity assures users that they know where the code came from. Integrity verifies that the code hasn't been tampered with since its publication.

In the Microsoft article titled Introduction to Code Signing, they write:

Microsoft's solution to these issues is Microsoft Authenticode coupled with an infrastructure of trusted entities. Authenticode, which is based on industry standards, allows developers to include information about themselves and their code with their programs through the use of digital signatures.

While Authenticode itself cannot guarantee that signed code is safe to run, Authenticode is the mechanism by which users can be informed of whether the software publisher is participating in the infrastructure of trusted entities. Thus, Authenticode serves the needs of both software publishers and users who rely upon the Internet for the downloading of software.

Why Should I Care?

If you plan to distribute your software over the Internet and you expect that some of your users will be using Windows XP Service Pack 2, or Windows Vista you should consider signing your AutoPlay applications. Due to the changes made to Internet Explorer in Windows XP SP2, and the Windows Vista OS, when a customer downloads and runs your software, they will be presented with a warning dialog asking the user if they really want to run your software. On that dialog, they will see "Unknown Publisher" if it is not signed. On the other hand, if you do sign your code, they will instead see your company name and an optional web link to follow for more information. If you plan to distribute on Windows Vista, another point of consideration beyond user experience, is the fact that Windows Vista has the ability to prevent any unsigned applications from launching with full privileges. This may impact both the application's functionality.

Getting a Code Signing Certificate

If you would like to purchase a code signing certificate, Indigo Rose has teamed up with Thawte, one of the largest certification authorities worldwide. Their price is $199 US for a 1 year certificate (about half the price of Verisign). You can purchase by visiting https://www.t-refer.com/t-refer/CAINDIGO-1.

During the purchase process, you will be instructed on creating and saving a "private key" file, which will later be used along with your certificate to actually "sign" your software. You will also be asked for a password to protect your private key. Do not misplace any of this information. Each piece is extremely important!

It will take about 3-5 days for your application to be approved and your certificate issued. Keep in mind that you will likely need to provide supporting documentation to prove you actually are who you say you are. It's not something to be taken lightly and will likely require senior management to be involved.

Download the Microsoft Authenticode SDK

Now that you have a code signing certificate, you'll need to download some software from Microsoft so you can start using it.

  1. Download the Authenticode for Internet Explorer 5.0 "codesigningx86.exe" package from Microsoft's website.

  2. Install the package to your system. By default, it suggests using C:\inetsdk\bin.

Signing your AutoPlay Applications

Once the Authenticode package is installed on your system, you are ready to start signing your code.

  1. Build and publish your application with AutoPlay Media Studio, as usual.

  2. Double-click the signcode.exe file (e.g.  "C:\inetsdk\bin\signcode.exe") to start the Digital Signature Wizard.

  3. Follow the prompts in the wizard to digitally sign your application.

Testing your Signature

To verify that everything went according to plan and view your signature, Microsoft includes the "chktrust.exe" application. To use it, go to "Start > Run" and type "C:\inetsdk\binchktrust.exe filename.exe", where "filename.exe" is the full path to your AutoPlay application executable.

Getting More Information

There are many good resources on the Internet for finding out more about code signing, Authenticode, Windows XP, Security and related issues. Here are a few places to start.

Copyright 2006 Indigo Rose Software. All rights reserved.