November 9, 2006

Filed under: General — Marcus Tettmar @ 9:34 am

Update 26th April 2011: We are now able to offer our customers a discount on Comodo Code Signing certificates through our Partners K Software. For details and coupon code please log into the registered user area.

What is Code Signing?

In Windows XP when you download an executable file from the Internet the browser checks the file’s Authenticode signature. This verifies who the publisher is. You get a dialog asking if you wish to download software from this publisher. If there is no signature the warning is more severe and it says something like:

The publisher could not be verified. Are you sure you want to run this software? This file does not have a valid digital signature that verifies its publisher. You should only run software from publishers you trust.

In some cases you will also get a similar warning when running applications that haven’t been signed. Apps that have been signed are trusted more by the operating system. And Vista is even more fussy.

Code signing protects against tampering and impersonation. If a signed app is tampered with or modified in some way the signature becomes invalid and so the user will be warned when they try to run it.

How does it work?

A publisher applies for a digital certificate from a Certification Authority. Using the Microsoft Authenticode tools the publisher can sign their applications with their digital certificate. The signing tool basically makes a hash of the code and their private key and appends the signature to the end of the executable. If the code is later modified the signature will therefore be invalid as it is partially based on the application’s code itself.

Should I sign EXEs Compiled with Macro Scheduler?

If you distribute compiled macros to others, or let people download them from the web you should consider signing them. Users can then see who the publisher is and be sure that the file hasn’t been modified in any way, and will no longer see the unknown publisher warning presented by the web browser.

So how do I sign my EXEs?

First you need to obtain an Authenticode Certificate from one of the following Certification Authorities:
Thawte
Verisign
Comodo

You also need the code signing tools. These come with the Microsoft Platform SDK and can be downloaded here:
Platform SDK Redistributable: CAPICOM

Once installed, launch SignTool.exe to sign your EXE. For command line options see: Sign Tool (SignTool.exe)

For more information about Authenticode and Code Signing see Authenticode Overviews and Tutorials on Microsoft.com

No Comments »

No comments yet.

RSS feed for comments on this post. TrackBack URL

Leave a comment