Didier Stevens

Wednesday 31 December 2008

Howto: Add a Digital Signature to Executables

Filed under: Encryption — Didier Stevens @ 10:56

Signtool.exe is the default Windows development tool to add a digital signature (Authenticode) to Windows executables (PE files). This howto shows you how to use signtool. You’ll need to create your own certificate and key (or buy one) to sign code.

To obtain signtool, download the platform SDK or the .NET SDK.

I use signtool in my makefile with command line options to automatically sign compiled code, but in this howto, I’ll show the interactive use.

First we will install the certificate with key we’ll use to sign code. Double-click the file and let the wizard do its work with the default option:

20081231-094329

20081231-094445

Because the wizard will also install the root CA certificate found in the PKCS12 file, it will ask you if you trust it.

20081231-094615

It is not necessary to install this root CA certificate for code signing purposes, but if you don’t, signtool will not include the root CA certificate in the certificate chain. And you also need to install this root CA certificate if you want to automatically trust all certificates issued by this root CA (or its subordinate CAs).

Now start signtool from a command-line like this: signtool signwizard.

20081231-094839

For the purposes of this howto, we’ll sign notepad.exe. When you sign an executable that is already signed, the existing signature is overwritten. Actually, notepad is not signed by Microsoft with an embedded signature, but using a security catalog.

20081231-095047

We’ll use the default options presented by the wizard (except for the timestamp):

20081231-095559

20081231-095812

Select the certificate with key we installed: use Select from Store…

20081231-095856

20081231-095950

20081231-100027

By default, the signature doesn’t include a timestamp signed by an external authority (a counter-signature). It’s easy to add one, for example using Verisign’s timestamp service: http://timestamp.verisign.com/scripts/timstamp.dll (of course, using this option requires Internet access).

20081231-100318

Finally, click finish for the wizard to do its work:

20081231-100432

20081231-100504

From now on, notepad.exe’s properties displays a Digital Signatures tab:

20081231-100619

20081231-100920

20081231-101005

This certificate is OK because we installed the root CA certificate in our certificate store. But if you check this signature on another machine or with another account (which doesn’t trust our root CA), we’ll get a warning that although the signature is valid, we don’t trust the root CA:

20081231-101604

20081231-102020

If you didn’t make a backup of notepad.exe and want to remove the signature, use my digital signature tool disitool.

40 Comments »

  1. […] Signature to a Firefox Add-on Filed under: Encryption — Didier Stevens @ 22:02 After signing a Windows executable with our own certificate, let’s sign an XPI […]

    Pingback by Howto: Add a Digital Signature to a Firefox Add-on « Didier Stevens — Thursday 1 January 2009 @ 22:03

  2. […] Signature to a PDF File Filed under: Encryption, PDF — Didier Stevens @ 21:47 After signing an executable and a Mozilla add-on, let’s sign a PDF document with our […]

    Pingback by Howto: Add a Digital Signature to a PDF File « Didier Stevens — Sunday 4 January 2009 @ 21:47

  3. I followed the instruction, but my signtool shows not the certificate after pressing the “select from store” button (instead windows say that no certificate was found). The certificate can be found with the “certmgr.msc” tool. When I use the “custom” way instedad of “typical”, I am able to select the file (ia.crt) but than the key can not selected. I am using Windows 7.

    Comment by Ekke — Saturday 11 December 2010 @ 20:52

  4. @Ekke When you find the cert with the cert manager, where is it exactly located?

    Comment by Didier Stevens — Saturday 11 December 2010 @ 21:20

  5. I installed ca.crt into “trusted root certification authorities” and ia.crt into “personal”.

    Comment by Ekke — Sunday 12 December 2010 @ 13:19

  6. As allways – error in front of computer! Missed to generate the ia.p12 file. After installing this, its running. Thanx!

    Comment by Ekke — Sunday 12 December 2010 @ 13:25

  7. Had you ever tried to sign a device driver with the given method? Even everything looks nice (e.g. Signature path valid etc.), Windows 7, 64 bit version deny the drivers installation.

    Comment by Ekke — Monday 13 December 2010 @ 11:29

  8. @Ekke You can’t use a self-signed certificate for Kernel Mode Code Signing https://www.microsoft.com/whdc/driver/install/drvsign/kmcs-walkthrough.mspx

    Comment by Didier Stevens — Monday 13 December 2010 @ 17:40

  9. Cant get rid of that issuer even afer I deleted cert files.Any ideas

    You are about to install a certificate from a certification authority (CA) claiming to represent:
    ****

    Windows cannot validate that the certificate is actually from “***”. You should confirm its origin by contacting “***”. The following number will assist you in this process:

    Thumbprint (sha1): 0B7F31C0 7EA21AD5 FA0487C5 EA63D58F 1798E0AE

    Warning:
    If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk. If you click “Yes” you acknowledge this risk.

    Do you want to install this certificate?

    Comment by rain — Friday 22 April 2011 @ 22:03

  10. @rain So your remaining problem is the popup?

    Comment by Didier Stevens — Saturday 23 April 2011 @ 11:14

  11. […] it’s only now that I hold all the pieces to test this flag. A normal authenticode signature is not enough. And you can not use a selfsigned certificate. You need to buy a certificate (aka […]

    Pingback by Using DLLCHARACTERISTICS’ FORCE_INTEGRITY Flag « Didier Stevens — Thursday 27 October 2011 @ 17:46

  12. Can you do anything to self-sign an EXE and replace the “Unidentified Publisher” text (that shows in the Windows UAC dialog) with your own text? Obviously the EXE can’t be “trusted” since it is a self-signed cert, but it seems like UAC should show the “signing” text instead of “Unidentified Publisher”. I can get the EXE properties to indicate that I have successfully signed the EXE, but the UAC still shows “Unidentified Publisher”. I know I can “manually trust” my cert and make it work on my own system, but I can’t ask my end users to do that. I just want the UAC to identify the EXE with my name instead of “Unidentified Publisher”. If that can ONLY be done with a valid, purchased cert (that is, one that is not self-signed), I’d like to know for sure.

    Comment by J — Saturday 17 March 2012 @ 4:12

  13. @J
    1) are you using a simple self-signed cert or one with a root CA and a sub CA?
    2) what do you mean with manually trust? Install the root CA?

    Comment by Didier Stevens — Saturday 17 March 2012 @ 9:13

  14. 1) I created a root CA and a sub CA
    2) Yes, by “manually trust” I meant install the root CA. On the machine where I created the certs, I installed the root CA and when I run my EXE it shows me my name (as specified when creating the cert) instead of “Unidentified Publisher”. If I run my EXE on a brand new machine (equivalent to a “customer”), it shows me “Unidentified Publisher” still.

    I’m really hoping you or someone else can confirm my results and to say whether anything else is even possible. Like I said, I don’t expect the EXE to indicate it is now fully “trusted” being self-signed and all, but it sure seems like the UAC should be able to say the equivalent of “This EXE was signed by XXX who is not currently trusted. Do you want to run it anyway?”.

    Thanks for helping Didier.

    Comment by J — Saturday 17 March 2012 @ 17:12

  15. @J AFAIK, there is no other way to display your name than to have the EXE signed under a root CA that is trusted, e.g. stored Trusted Root CA store.

    Comment by Didier Stevens — Saturday 17 March 2012 @ 21:15

  16. Didier, I created my own certificate and key using https://toolbokz.com/gencert.psp. I received no errors or warnings. I then renamed ia.p12 to ia.pfx and the ran the command:
    signtool sign /f “c:\program files\windows sdks\v7.1\bin\ia.pfx” “c:\development\commnfac\setup.exe”
    I received no messages and everything looked ok. However, when I copied the setup.exe file onto another computer and ran it, the dialog box showed Publisher: Unknown. Also, because I have Norton Internet Security, I get a message from Norton saying the program is a threat and asks if I want to continue. I thought signing an EXE file was suppose to put a name in the published area and avoid messages from antivirus/malware programs. What is going wrong?

    Please help.

    Thanks.

    Comment by Bob Gattol — Friday 20 March 2015 @ 18:23

  17. @Bob Did you install the root CA on the second machine?

    Comment by Didier Stevens — Saturday 21 March 2015 @ 9:54

  18. @Didier No. I just ran the signed setup program from a flash drive. Sounds like I have to do something before this.

    Comment by bobgatto — Sunday 22 March 2015 @ 3:48

  19. If tou want the signature to be valid, you need to install the root CA.

    Comment by Didier Stevens — Sunday 22 March 2015 @ 10:50

  20. @Didier So you’re saying I have to copy ca.key onto the computer before I install the signed program?

    Comment by bobgatto — Sunday 22 March 2015 @ 13:10

  21. @bob No, you never share your private keys. You have to keep them secure. You need to install the root CA if you want your signature to be valid: ca.crt

    Comment by Didier Stevens — Sunday 22 March 2015 @ 17:01

  22. @Didier So where does the ca.crt get installed and does it have to be installed first?. My installer gives the option of selecting where the program is to be installed

    Comment by bobgatto — Sunday 22 March 2015 @ 17:40

  23. @bob Your installer? What is your final goal with this?

    Comment by Didier Stevens — Sunday 22 March 2015 @ 18:34

  24. @Didier I have an installer that I want to run on another computer to install a program u wrote. I signed the installer but the UAC dialog keeps coming up with Publisher: Unknown and my Norton Internet Security displays a dialog box showing it is an untrustworthy program and should not be installed. I want to show the publisher with the company name and to have Norton trust this program.

    Comment by bobgatto — Sunday 22 March 2015 @ 20:01

  25. @bob A program I wrote? What program? And is this machine you want to install on your machine? Or somebody else, like a client?

    Comment by Didier Stevens — Sunday 22 March 2015 @ 20:20

  26. @Didier I’m sorry. I meant I when I wrote u It’s my program. Eventually I would like to get it on other home computers. But for now, I’ve developed, compiled, and signed it on my laptop and am testing installation on my desktop.

    Comment by bobgatto — Sunday 22 March 2015 @ 20:27

  27. @Bob OK, because my Windows programs are already signed with a commercial certificate. You need to install the root CA on the target machine. Copy it to the machine (ca.crt), double-click it, select to install the certificate for the machine in store Trusted Root Certification Authorities.

    Comment by Didier Stevens — Sunday 22 March 2015 @ 20:49

  28. […] have a couple of how-to posts on digital signatures, like this code signing post. Let me revisit this topic now that Microsoft announced some upcoming changes to code […]

    Pingback by Authenticode And Timestamping And sha256 | Didier Stevens — Tuesday 24 November 2015 @ 0:01

  29. Hello Mr. Didier

    Thank you very much for your help.
    Your Generate certificates page is great.
    God Bless You!

    I’am trying to automate the store task, and with the code bellow, almost getting.

    Can you please improve this?

    Thanks in advance.

    REM We will use the “CERTUTIL.EXE” which exists under c:\windows\system32 folder
    REM in Windows Vista and Windows 7 – WINDOWS XP it is necessary CERTUTIL earlier version.

    REM Edit a “StoreKeys.bat” and copy the script bellow:

    REM RUN .BAT AS ADM MODE

    @echo off
    certutil -addstore -f -enterprise -user root C:\ca.crt > NUL
    certutil -addstore -f -enterprise -user root C:\ia.crt > NUL
    certutil -addstore -f -enterprise -user root C:\ia.p12 > NUL

    REM *********************************************************************************

    REM If we remove the -enterprise, we can run the .bat without ADM
    REM privilegies, BUT the prompt Gui for confirmation will be shown.

    REM ??? Is there a way to hide this Gui por automate the confirmation ????

    REM *********************************************************************************

    REM TO SEE STORED SUCCESS:
    REM Press Windows+R or click on Window RUN
    REM and execute the command certmgr.msc

    REM To see the certutil commands edit a bat file with the command:
    REM
    REM certutil -?
    REM or to see then complete help
    REM certutil -v -?
    REM PAUSE

    REM IF YOU WANT TO SEE THE PROCESS REMOVE REM * FROM LINES BELLOW
    REM AND INSERT REM before @echo off above

    REM * certutil -addstore -f -enterprise -user root D:\ca.crt > NUL
    REM * PAUSE
    REM * certutil -addstore -f -enterprise -user root D:\ia.crt > NUL
    REM * PAUSE

    REM THE FOLLOWING LINE GETS AN ERROR ON WINDOWS 7, 8 and 10
    REM (But I tried and think this is note necessary)
    REM
    REM * certutil -addstore -f -enterprise -user root D:\ia.p12 > NUL
    REM * PAUSE

    Comment by Fetha — Monday 22 February 2016 @ 0:05

  30. Nice!

    Comment by Didier Stevens — Monday 22 February 2016 @ 7:18

  31. Hello Didier,

    I’m trying to add digital signature to an exe that contains other exes files.

    All of the exes work great except one that tries to contact server to validate a unique key (unique key is input key from user and is provided by me)

    This is a strange issue as when I sign, both, the exe contacting server (further refereed as verifier.exe) and the main (parent) exe (further refereed as setup.exe), verifier.exe cannot contact server and the installer is at a standstill during installation.

    If I sign either of the two everything works fine and the install is completed.

    I also skipped using the timestamp while signing as thinking that when setup.exe is signed and verifier.exe are different in my case (as I’ll be building setup.exe after signing verifer.exe) but it didn’t help.

    I’m really stuck here and any help would be really really appreciated.

    I’m using InstallJammer to create setup.exe and verifer.exe is a .Net Console Application.

    Comment by Parth — Wednesday 9 March 2016 @ 5:47

  32. Some (old) installers use the PE file directory that contains the signature for their own data. Can you check the unsigned files with my AnalyzePESig tool to check if the directory is empty?

    Comment by Didier Stevens — Wednesday 9 March 2016 @ 16:02

  33. Hi Didier,

    I am doing little bit different steps to achieve the same goal.

    I am asking you below question considering that you would probably help me.

    Q: I have a installer, let’s call it myInstaller.exe which I want to sign. I am able to sign this executable by using signtool exe on cmd.
    Now also I have DLLs in that exe but those DLLS are not getting signed (Verified from Microsoft Test Tool).

    Could you please help me by suggesting steps to sign DLLs as well containing in installer(myInstaller.exe)?

    Thanks in advance.

    Thanks,
    Kshitij

    Comment by Kshitij — Wednesday 16 March 2016 @ 11:30

  34. You also have to use the signtool on your DLLs before you include them in the installer.

    Comment by Didier Stevens — Wednesday 16 March 2016 @ 11:34

  35. (in regard to comment 32 and 31)
    Hello,
    I tried searching for PE file directories and all but didn’t find anything that’d solve my issue.
    I then just tried installing setup.exe on another machine and it’s working properly. I don’t exactly know what the issue is with my machine but I’ll post it here as I find.
    Thanks for the help Didier.

    Comment by Parth — Wednesday 16 March 2016 @ 11:43

  36. @Kshitij
    If you are not comfortable with Microsoft signTool you may also try this tool (https://www.digicert.com/util/). It is a UI based rather than command line based signtool.
    Note: It’s of no use if you want to achieve any kind of automation.

    Comment by Parth — Wednesday 16 March 2016 @ 11:47

  37. @Parth
    Thanks for the reply.

    I just signed an exe by using this tool. It ran successfully.

    But not sure whether all the DLLs in it are signed or not. Do you know if this tool signs all the DLLs as well?

    Comment by Kshitij — Thursday 17 March 2016 @ 7:02

  38. Yes. The tool also allows you to sign DLLs too
    It allows you to sign
    1) Executable files (.exe, .dll, .ocx)
    2) Driver files (.sys)
    3) Cabinet files (.cab)
    4) Certificate trust list files (.stl)
    5) Catalog Files (.cat)
    6) Windows installer files (.msi)
    7) Silerlight application (.xap)

    But signing the exe alone does not mean that the dlls are signed too. You first need to sign the DLLs that are going to be packed into the exe, run the build process and then sign the exe that is the output of the build process.

    Comment by Parth — Thursday 17 March 2016 @ 7:19

  39. Hello again Didier,

    I have been wondering whether there is any advantage or importance of signed files that include timestamp over the ones without timestamp?

    Comment by Parth — Monday 4 April 2016 @ 9:29

  40. @Parth Yes, I explained this in this blogpost: https://blog.didierstevens.com/2015/11/24/authenticode-and-timestamping-and-sha256/

    Comment by Didier Stevens — Friday 8 April 2016 @ 16:24


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 451 other followers

%d bloggers like this: