Authenticode: Signing a File
1. Creating Public/Private Keys. To create both the public and
private keys you will use the MakeCert tool, which can be accessed via
the SDK command prompt through your start. Open the command prompt by
going to Microsoft .NET Framework SDK v2.0 and selecting the SDK Command
Prompt under the Start Menu. This will open a command window in the SDK
After you have opened the command prompt type makecert –sv
private_key_name.pvk –ss storename –r –n “CN=your name”
public_key_name.cer to create both a public and private key.
The command is explain in detail for better understanding.
- sv private.pvk. The –sv flag will create a private key named
private.pvk if it does not exist.
- ss myNewStore Specifies the subject's certificate store name
that stores the output certificate. If the store does not exist it
will be created.
- n “CN=your name” will set the issuer and the subject fields
with that value
- r public.cer will create a self signed certificate called
public.cer. If this option is not used the certificate will be
signed by the default test root certificate.
This command is one of the basic commands that use the default values
when creating keys. There are numerous flags that can be used to change
or add data to the keys, which you can read about on your own.
You will be prompted to create a private key password and confirm it.
After creating the private key password you will be prompted for it
You should get a “Succeeded” message from MakeCert if the keys were
If you receive an error message the problem is probably due to an
incorrect private key password. Reenter the MakeCert command and you
will be prompted for the private key password again. Reenter the
password to complete the key creation process.
2. Creating a SPC File. This will wrap multiple x.509 certificates into
a public key certificate standard (pkcs) #7. This program is for test
purposes only. A valid SPC must be obtained from a CA. To create a SPC
file using your certificate enter cert2spc public.cer spc.spc. The SPC
file will be used to sign a file.
3. Signing a File. To sign a file you will use the SignTool, which can
be accomplished by the command prompt and Digital Signature Wizard GUI.
This tutorial will use the GUI, which will allow you to see the steps
required to sign a file. To run the SignTool GUI use signtool signwizard.
You will be presented with the Digital Signature Wizard’s welcome
screen. To continue with the wizard click Next. You will then be
presented with the File Selection screen, which will allow you to select
the file you wish to sign. You can only sign .exe, .dll, or .ocx files
You can download the good.dll to sign. However, all you have to do is
choose an executable off your machine to sign.
Click the Browse button and navigate to the location of the file you
wish to sign and select it. After choosing a file to sign click the Next
button to continue with the wizard.
After selecting the file to sign you must chose the certificate to
attach to the signature. This file will be the .spc file that was
created using your public key. To select the .spc file click Select from
File then navigate to the location of the .spc file and select it.
After selecting the certificate to be attached to the signature click
Now you must select the private key you want to use to sign the file. To
do this select Browse and navigate to the location of your private key
and select it.
After selecting the private key select Next where you will be prompted
for the private key’s password. Without this you will not be able to
complete the signing process.
The next step is to select the hash algorithm you want to use to create
the file signature. SHA1 is the default option and is acceptable to
keep. The SHA1 hash algorithm produces a 160-bit (20 byte) message
digest, which will slow implementation but is stronger against a brute
force attack. The MD5 produces a small message digest at 128-bit (16
byte) that makes for a fast implementation but is weaker again brute
You have the option to include additional certificates in the signature,
which is common practice when you obtain a certificate from a CA.
However, in this tutorial you created a self signed certificate so there
are no other certificates that need to be included with the signature,
which is why the default settings were kept. Modifications to the
additional certificate settings depend on your specific requirements
when signing a file. Click Next to continue.
It is a best practice to include information about the data you are
signing and a Web site where a person can find additional information
pertaining to the signature. You can enter this information or just
continue to the next step by clicking Next.
A time stamp should always be included with every signed file, which
indicates to the public when the file was signed and its existence. To
sign a file you need to provide the URL of a timestamping service. You
can use Verisign’s service at http://timestamp.verisign.com/scripts/timstamp.dll.
After you have entered the timestamp URL click Next to continue.
You now can verify the options you will use to create the signature. If
there is anything that you missed or want to double you have the
opportunity to do it here. When you are satisfied click Next to complete
the signing process.
You will be prompted for your private key’s password as the final step
in completing the signing wizard. After you provide the password click
Next to generate the signature for the selected file.
The final step is to make your public key available to the public along
with the file you signed.