Authenticode

Tutorial Overview. This tutorial will guide you through the steps required to sign a file using Microsoft's Authenticode. It is assumed that you have a basic understanding of PKI and are familiar with the command prompt. This tutorial is broken down into four sections. The first section is a brief explanation of Authenticode, .NET, and the tools used to complete this tutorial. The second section covers installation of .NET, and the third section covers the steps of the signer/sender. The final section covers the steps of the recipient. This tutorial is used in IS2771 Security in E-Commerce.

Authenticode. Authenticode is Microsoft's answer to assuring an end user on the Internet that a piece of code they are about to download has not been tampered with, and to identifying its publisher. This allows end users to make an informed decision as to whether or not they want to download a piece of code. Authenticode does not guarantee bug-free code: it binds the code to a publisher's identity and detects modification after signing, nothing more. Authenticode relies on certificates and is based on specifications that have been used successfully for some time. The tools you will use to complete this tutorial can be found in the Microsoft .NET Framework SDK.

Microsoft .NET Framework SDK. This SDK includes everything you need to write, build, test, and deploy .NET Framework applications. This includes the tools that are used to create a certificate, sign a file, and verify the signature on a file.

MakeCert. MakeCert is the program that is used to make a test X.509 certificate. A public/private key pair is created and will be used for digital signatures. This key pair is associated with a publisher's name. The certificate is signed using the test root key, or a key that you specify, and that signature binds your name to the public key of the pair.

Cert2SPC. The Software Publisher Certificate Test tool creates a Software Publisher's Certificate (SPC) from one or more X.509 certificates. Cert2SPC is for test purposes only. You can obtain a valid SPC from a Certification Authority such as VeriSign or Thawte.

SignTool. The Sign Tool is a command-line tool that digitally signs files, verifies signatures in files, or time-stamps files. You also have the ability to use the Sign Tool signing wizard, which has a GUI and allows users to complete the signing process with ease. You have to use the command-line tool when verifying a signature on a file.
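The following batch script is an added example, not part of the tutorial, that runs the signer and recipient steps end to end with the tools described above. It assumes an SDK command prompt where makecert, cert2spc, pvk2pfx (an additional SDK tool assumed present, used to convert the .pvk/.spc pair into the PFX format that signtool reads) and signtool are on the PATH, and it uses the made-up names "Test Publisher", test.pvk, test.cer, test.spc, test.pfx and MyApp.exe.

```batch
@echo off
rem Added example (not the tutorial's own script). Assumed names: Test Publisher,
rem test.pvk/test.cer/test.spc/test.pfx, and MyApp.exe as the file to sign.
setlocal
set PUBLISHER=CN=Test Publisher
set TARGET=MyApp.exe

rem --- Signer / sender ------------------------------------------------------
rem 1. Self-signed (-r) test certificate with an exportable (-pe) signature key.
rem    EKU 1.3.6.1.5.5.7.3.3 marks the certificate as usable for code signing.
rem    makecert prompts for a password that protects the private key file.
makecert -r -pe -sky signature -eku 1.3.6.1.5.5.7.3.3 -n "%PUBLISHER%" -sv test.pvk test.cer
if errorlevel 1 goto fail

rem 2. Wrap the X.509 certificate in a Software Publisher Certificate (test use only).
cert2spc test.cer test.spc
if errorlevel 1 goto fail

rem 3. Combine the private key and the SPC into a PFX, which signtool reads with /f.
rem    (Older SDKs ship signcode.exe, which takes -spc and -v .pvk directly.)
pvk2pfx -pvk test.pvk -spc test.spc -pfx test.pfx
if errorlevel 1 goto fail

rem 4. Sign the file. Add /t followed by a time-stamp server URL so the signature
rem    remains valid after the certificate expires (no URL is assumed here).
signtool sign /v /f test.pfx "%TARGET%"
if errorlevel 1 goto fail

rem --- Recipient -------------------------------------------------------------
rem 5. Verify with the default Authenticode policy (/pa). A self-signed test root
rem    is not trusted, so expect failure unless test.cer was imported into the
rem    Trusted Root Certification Authorities store on the verifying machine.
signtool verify /v /pa "%TARGET%"
if errorlevel 1 (
  echo Signature present but the publisher chain is not trusted: expected for a test root.
) else (
  echo Signature and publisher chain verified.
)
endlocal
exit /b 0

:fail
echo A step failed with exit code %errorlevel%.
endlocal
exit /b 1
```

The distinction the script surfaces is the one the tutorial relies on: a signature can be cryptographically intact (step 4 succeeds) while still not being trusted (step 5 fails) because the chain ends at a test root rather than a Certification Authority the recipient trusts.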