Digitally signing Windows applications

So one of the changes in Windows XP SP2 (which I highly, highly recommend everybody download and install) is an increased presence of digital signature support for signing applications. I decided not to be an outsider and start signing all Meshwork code. Read on for how I did it…


Authenticode works exactly like SSL: you generate a certificate and have a certificate authority (CA) sign it. Verisign charges ~$600 to do this, which is a little steep for my personal projects.

Fortunately, with the help of OpenSSL anyone can become their own Root CA. Directions on how to set this up are available at http://www.post1.com/home/ngps/m2/howto.ca.html but here is the abbreviated version:

(Run these commands from a unix-ish command prompt)

# This will ask you some questions, and then create
# your Root certificate and private key
# I set the CN (Common Name) for this to "FileFind.net CA".
/etc/ssl/misc/CA.pl -newca

# This will generate a Certificate Signing Request (CSR). Once signed, this is
# the certificate you will actually use to sign your application.
# I set the CN (Common Name) for this to "FileFind.net"
# since that is the name of the company I am releasing this software under.
/etc/ssl/misc/CA.pl -newreq

# Now sign the CSR using your Root Certificate
/etc/ssl/misc/CA.pl -sign

This will result in two files in the current directory, the cert (newcert.pem) and the private key (newreq.pem). I have renamed them “FileFind.cer” and “FileFind.pem” respectively to be more Windows friendly. Note that I used OpenSSL, but any SSL software should work fine.

There will also be a directory (possibly named demoCA). This contains all the files for the Certificate Authority that you created in the first step. Before computers can trust certificates signed using your CA’s key, they must add your CA’s certificate to their operating system’s trusted CA store. Copy the file “cacert.pem” to a web server (you should probably rename it to .cer so Windows plays nice; I called mine FileFindCA.cer), and instruct all your customers to download and open/install it first.
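
The three CA.pl steps and the trust requirement described above, written as direct openssl calls (an added example, not the author's commands). It swaps "openssl x509 -req" in for "CA.pl -sign", adds a code-signing extended key usage and SHA-256 that the page does not mention, and uses constructed names (ca.cnf, Example Test CA, Example Publisher); the verify helpers show that the certificate only validates when the CA certificate is supplied as a trust anchor.

```shell
#!/bin/sh
# Added example: throwaway root CA plus a code-signing leaf certificate.
# All file names and subject names below are constructed for illustration.

# build_chain DIR: create the root CA, the signing request and the signed cert.
build_chain() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[codesign]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
EOF
    # Root: self-signed and marked as a CA (the role of "CA.pl -newca").
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -extensions v3_ca -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Leaf private key and CSR (the role of "CA.pl -newreq").
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/ca.cnf" -subj "/CN=Example Publisher" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    # Sign the CSR with the root key, restricting the cert to code signing.
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/ca.cnf" -extensions codesign \
        -out "$dir/leaf.pem" 2>/dev/null || return 1
    # Both private keys stay readable by the owner only.
    chmod 600 "$dir/ca.key" "$dir/leaf.key"
}

# trusted DIR: succeeds because the CA cert is given as the trust anchor.
trusted() { openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" >/dev/null 2>&1; }
# untrusted DIR: same cert, empty trust store; fails like a machine without the CA.
untrusted() { openssl verify -no-CAfile -no-CApath "$1/leaf.pem" >/dev/null 2>&1; }
# has_codesign_eku DIR: the leaf carries the Code Signing extended key usage.
has_codesign_eku() {
    openssl x509 -in "$1/leaf.pem" -noout -text | grep -q "Code Signing"
}
# Usage: build_chain ./demo && trusted ./demo && echo "chain verifies"
```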

WARNING: PROTECT YOUR PRIVATE KEY. Your private key is what allows you to prove that a piece of code was actually written by you, so it should not be stored on a web server or any other server directly accessed by customers if possible.

Note: The “pvk” command mentioned below can be downloaded from http://www.drh-consultancy.demon.co.uk/pvk.html.

(Run these commands from a Windows command prompt)

  1. If you are your own CA, you need to make sure that your CA root certificate is installed in Windows (by copying it over, double-clicking on it and clicking “Install Certificate”). This was briefly discussed above.
  2. Convert the private key to a format that signcode can read
    pvk -in FileFind.pem -topvk -nocrypt -strong -out FileFind.pvk
  3. Run signcode
    1. Select the exe to sign
    2. Select “Custom”
    3. Click “Select from File” and select your Cert file (FileFind.cer)
    4. Under “Private Key From Disk” select the pvk file you generated above (FileFind.pvk)
    5. Select “sha1”
    6. Leave this page set at the defaults
    7. Under Description put the application name (Meshwork For Windows), under web address put your website
    8. Select “Add a timestamp to the data” and enter “http://timestamp.verisign.com/scripts/timstamp.dll”
    9. Click Finish and you’re done!
  4. You can verify that everything worked:
    chktrust Filename.exe

Here are some screenshots showing everything working:




You can download the FileFind.net Root CA Certificate from http://FileFind.net/FileFindCA.cer.

One Comment

  1. Posted November 30, 1999 at 12:00 am | Permalink

    You can also get free code signing certs from http://www.CAcert.org
