Tutorial Overview. This tutorial will guide you through the
steps required to sign a file using Microsoft’s Authenticode. It is
assumed that you have a basic understanding of PKI and are familiar with
the command prompt. This tutorial is broken down into four sections. The
first section is a brief explanation of the Authenticode, .NET, and the
tools used to successfully complete this tutorial. The second section
covers installation of .NET and the third section covers the steps of
the signer/sender. The final section covers the steps of the recipient.
This tutorial is used in
Authenticode. Is Microsoft's answer to ensuring an end user on
the Internet that a piece of code they are about to download has not
been tampered with and identifies the publisher. This allows end users
to make an informed decision as to whether or not they want to download
a piece of code. Authenticode does not guarantee bug free code.
Authenticode relies on certificates and is based on specifications that
have been used successfully for some time. There are a number of tools
you will use to complete this tutorial that can be found in Microsoft
.NET Framework SDK.
Microsoft .NET Framework SDK. This is SDK includes everything you
need to write, build, test, and deploy .NET Framework applications. This
includes the tools that are used to create a certificate, sign a file,
and verify a signature on a file.
MakeCert. MakeCert is the program that is used to make a test
X.509 certificate. A public/private key pair is created and will be used
for digital signatures. This key pair is associated with a name and
associated with a publisher’s name. The certificate is signed by using
the root key or a specified key that binds your name to the public key
Cert2SPC. The Software Publisher Certificate Test tool creates a
Software Publisher's Certificate (SPC) from one or more X.509
certificates. Cert2spc is for test purposes only. You can obtain a valid
SPC from a Certification Authority such as VeriSign or Thawte.
SignTool. The Sign Tool is a command-line tool that digitally
signs files, verifies signatures in files, or time stamps files. You
also have the ability to use the Sign Tool sign wizard, which has a GUI
and allows users to complete the signing process with ease. You have to
use the command-line tool when verifying a signature on a file.