Didier Stevens

Wednesday 31 December 2008

Howto: Add a Digital Signature to Executables

Filed under: Encryption — Didier Stevens @ 10:56

Signtool.exe is the default Windows development tool to add a digital signature (Authenticode) to Windows executables (PE files). This howto shows you how to use signtool. You’ll need to create your own certificate and key (or buy one) to sign code.

To obtain signtool, download the platform SDK or the .NET SDK.

I use signtool in my makefile with command line options to automatically sign compiled code, but in this howto, I’ll show the interactive use.

First we install the certificate and private key we'll use to sign code. Double-click the PKCS12 file and let the import wizard do its work with the default options:


Because the wizard will also install the root CA certificate found in the PKCS12 file, it will ask you if you trust it.


It is not necessary to install this root CA certificate for code signing purposes, but if you don't, signtool will not include the root CA certificate in the certificate chain embedded in the signature. You also need to install this root CA certificate if you want to automatically trust all certificates issued by this root CA (or its subordinate CAs).

Now start signtool from a command-line like this: signtool signwizard.


For the purposes of this howto, we'll sign notepad.exe. When you sign an executable that is already signed, the existing signature is overwritten. Actually, notepad.exe is not signed by Microsoft with an embedded signature, but via a security catalog.


We’ll use the default options presented by the wizard (except for the timestamp):


Select the certificate and key we installed: use Select from Store…


By default, the signature doesn’t include a timestamp signed by an external authority (a counter-signature). It’s easy to add one, for example using Verisign’s timestamp service: http://timestamp.verisign.com/scripts/timstamp.dll (of course, using this option requires Internet access).


Finally, click finish for the wizard to do its work:


From now on, the properties dialog of notepad.exe displays a Digital Signatures tab:


This certificate is OK because we installed the root CA certificate in our certificate store. But if you check this signature on another machine or with another account (one that doesn't trust our root CA), you'll get a warning that, although the signature is valid, the root CA is not trusted:


If you didn’t make a backup of notepad.exe and want to remove the signature, use my digital signature tool disitool.
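To check whether a PE file carries an embedded Authenticode signature at all (as opposed to being catalog-signed, like the original notepad.exe), you can read the security data directory in its optional header. The following Python is an added example written for this post; it is not disitool's code, and the sample PE it builds is a constructed header-only image, not a real executable:

```python
import struct

# PE/COFF constants (from the PE and Authenticode specifications)
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate holds PKCS#7 SignedData (Authenticode)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def authenticode_info(data: bytes):
    """Return None if the PE image in `data` has no embedded signature, otherwise a
    dict describing the WIN_CERTIFICATE blob the security data directory points to."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dirs_off = opt_off + (96 if magic == PE32_MAGIC else 112)
    if struct.unpack_from("<I", data, dirs_off - 4)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None  # NumberOfRvaAndSizes too small to hold a security entry
    # The security entry stores a raw file offset (not an RVA) and a size; this region is
    # excluded from the Authenticode hash, which is why re-signing simply replaces it.
    sec_off, sec_size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if sec_off == 0 or sec_size == 0:
        return None  # no embedded signature: unsigned, or catalog-signed like stock notepad.exe
    if sec_off + sec_size > len(data):
        raise ValueError("security directory points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", data, sec_off)  # WIN_CERTIFICATE
    return {"offset": sec_off, "size": sec_size, "length": length, "revision": revision,
            "type": cert_type, "authenticode": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA}


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 image (no sections), optionally followed by a dummy
    WIN_CERTIFICATE blob; demonstration input only, not a real executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", PE32_MAGIC) + b"\0" * 90 + struct.pack("<I", 16)  # 16 data dirs
    dirs, blob = [(0, 0)] * 16, b""
    if signed:
        payload = b"constructed PKCS#7 placeholder"  # a real file holds DER-encoded SignedData
        blob = struct.pack("<IHH", 8 + len(payload), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (0x200, len(blob))
    headers = dos + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs)
    return headers.ljust(0x200, b"\0") + blob
```

On a real file, call authenticode_info(open(path, "rb").read()): a None result for stock notepad.exe shows it relies on a catalog, while after signing it reports the offset and size of the embedded blob.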

15 Comments »

  1. [...] Signature to a Firefox Add-on Filed under: Encryption — Didier Stevens @ 22:02 After signing a Windows executable with our own certificate, let’s sign an XPI [...]

    Pingback by Howto: Add a Digital Signature to a Firefox Add-on « Didier Stevens — Thursday 1 January 2009 @ 22:03

  2. [...] Signature to a PDF File Filed under: Encryption, PDF — Didier Stevens @ 21:47 After signing an executable and a Mozilla add-on, let’s sign a PDF document with our [...]

    Pingback by Howto: Add a Digital Signature to a PDF File « Didier Stevens — Sunday 4 January 2009 @ 21:47

  3. I followed the instructions, but my signtool does not show the certificate after pressing the “select from store” button (instead Windows says that no certificate was found). The certificate can be found with the “certmgr.msc” tool. When I use the “custom” way instead of “typical”, I am able to select the file (ia.crt) but then the key cannot be selected. I am using Windows 7.

    Comment by Ekke — Saturday 11 December 2010 @ 20:52

  4. @Ekke When you find the cert with the cert manager, where is it exactly located?

    Comment by Didier Stevens — Saturday 11 December 2010 @ 21:20

  5. I installed ca.crt into “trusted root certification authorities” and ia.crt into “personal”.

    Comment by Ekke — Sunday 12 December 2010 @ 13:19

  6. As always – error in front of computer! Missed to generate the ia.p12 file. After installing this, it's running. Thanx!

    Comment by Ekke — Sunday 12 December 2010 @ 13:25

  7. Have you ever tried to sign a device driver with the given method? Even though everything looks nice (e.g. signature path valid etc.), Windows 7, 64 bit version denies the driver's installation.

    Comment by Ekke — Monday 13 December 2010 @ 11:29

  8. @Ekke You can’t use a self-signed certificate for Kernel Mode Code Signing https://www.microsoft.com/whdc/driver/install/drvsign/kmcs-walkthrough.mspx

    Comment by Didier Stevens — Monday 13 December 2010 @ 17:40

  9. Can't get rid of that issuer even after I deleted cert files. Any ideas?

    You are about to install a certificate from a certification authority (CA) claiming to represent:
    ****

    Windows cannot validate that the certificate is actually from “***”. You should confirm its origin by contacting “***”. The following number will assist you in this process:

    Thumbprint (sha1): 0B7F31C0 7EA21AD5 FA0487C5 EA63D58F 1798E0AE

    Warning:
    If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk. If you click “Yes” you acknowledge this risk.

    Do you want to install this certificate?

    Comment by rain — Friday 22 April 2011 @ 22:03

  10. @rain So your remaining problem is the popup?

    Comment by Didier Stevens — Saturday 23 April 2011 @ 11:14

  11. [...] it’s only now that I hold all the pieces to test this flag. A normal authenticode signature is not enough. And you can not use a selfsigned certificate. You need to buy a certificate (aka [...]

    Pingback by Using DLLCHARACTERISTICS’ FORCE_INTEGRITY Flag « Didier Stevens — Thursday 27 October 2011 @ 17:46

  12. Can you do anything to self-sign an EXE and replace the “Unidentified Publisher” text (that shows in the Windows UAC dialog) with your own text? Obviously the EXE can’t be “trusted” since it is a self-signed cert, but it seems like UAC should show the “signing” text instead of “Unidentified Publisher”. I can get the EXE properties to indicate that I have successfully signed the EXE, but the UAC still shows “Unidentified Publisher”. I know I can “manually trust” my cert and make it work on my own system, but I can’t ask my end users to do that. I just want the UAC to identify the EXE with my name instead of “Unidentified Publisher”. If that can ONLY be done with a valid, purchased cert (that is, one that is not self-signed), I’d like to know for sure.

    Comment by J — Saturday 17 March 2012 @ 4:12

  13. @J
    1) are you using a simple self-signed cert or one with a root CA and a sub CA?
    2) what do you mean with manually trust? Install the root CA?

    Comment by Didier Stevens — Saturday 17 March 2012 @ 9:13

  14. 1) I created a root CA and a sub CA
    2) Yes, by “manually trust” I meant install the root CA. On the machine where I created the certs, I installed the root CA and when I run my EXE it shows me my name (as specified when creating the cert) instead of “Unidentified Publisher”. If I run my EXE on a brand new machine (equivalent to a “customer”), it shows me “Unidentified Publisher” still.

    I’m really hoping you or someone else can confirm my results and to say whether anything else is even possible. Like I said, I don’t expect the EXE to indicate it is now fully “trusted” being self-signed and all, but it sure seems like the UAC should be able to say the equivalent of “This EXE was signed by XXX who is not currently trusted. Do you want to run it anyway?”.

    Thanks for helping Didier.

    Comment by J — Saturday 17 March 2012 @ 17:12

  15. @J AFAIK, there is no other way to display your name than to have the EXE signed under a root CA that is trusted, e.g. stored in the Trusted Root CA store.

    Comment by Didier Stevens — Saturday 17 March 2012 @ 21:15

