Authenticode


If you are a serious developer releasing software to the public, you are surely already using Authenticode signatures to sign your code and let the world know it came from you. You can obtain an Authenticode certificate from a certification authority (e.g. Verisign). These certificates are normally valid for one, two or three years, depending on how much cash you want to spend upfront. Normally, you get discounts the more years you purchase.

Once you get your Authenticode certificate you can start signing your executables and libraries (DLLs) both managed and unmanaged as well as setup packages (MSI). You can only sign your target files while your certificate is valid. The day your certificate expires, you can no longer sign your files with it. If you want to continue signing, you must purchase a renewal or a brand new certificate.

To do the actual signing you need to run your Visual Studio 2008/2010 Command Prompt and issue a command similar to this:

signtool sign /f key-file /p password /v your-target-exe-dll-or-msi-file

Ok, let’s say you have signed your installer (SETUP.EXE). If you run it from some untrusted location (e.g. download it from the Internet), double-clicking it will produce a dialog similar to this:

Looks good! This is exactly what you want to make your software look professional, right? Well, yes and no. The way we have just signed our file is only good enough for as long as our Authenticode signing certificate is valid! Now, what does that really mean? Well, let’s put it this way. Say you purchased your code signing certificate on January 1st and its validity period is one year. On January 1st next year it is no longer valid. All software you signed with the above method will show as signed only for as long as the signing certificate is valid. As soon as your certificate expires, your software will show as *unsigned* like in the image below!

To prevent this from happening, be sure to timestamp your signed files. Timestamping is really just another command line option added to the above signing syntax, but one with big significance. With timestamping you supply a URL to your certification authority’s timestamp service (this varies depending on where you purchased your certificate).

signtool sign /f key-file /p password /t http://timestamp.verisign.com/scripts/timstamp.dll /v your-target-exe-dll-or-msi-file

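Timestamping really means “please make this file be known as valid from here to eternity”. The timestamp service countersigns your signature with the time of signing, so Windows checks whether your certificate was valid at that moment rather than today. So timestamped files never expire. They will always show as valid regardless of whether your certificate expired or not.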

There is another implication of timestamping. You may purchase your Authenticode code signing certificate and use it for, say, one year for an unlimited number of timestamped code signings. Even if you stop producing software at some point and your certificate eventually expires, your previously signed files will remain signed and shown as valid even to users in the 23rd century and beyond.
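
One way to check for this before you ship, as an added example that is not from the original article: a PowerShell script that uses Get-AuthenticodeSignature to list files in a build folder that are unsigned or were signed without a timestamp. The folder path and the parameter name $ReleaseDir are assumptions; it needs PowerShell 3.0 or later on Windows.

```powershell
# Added example: audit a build folder for Authenticode signatures that
# lack a timestamp. $ReleaseDir is an assumed path; point it at your output.
param(
    [string]$ReleaseDir = '.\release'
)

$extensions = '.exe', '.dll', '.msi'

$report = Get-ChildItem -Path $ReleaseDir -Recurse -File |
    Where-Object { $extensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = $sig.SignerCertificate

        if ($null -eq $signer) {
            # No signer certificate: the file was never signed.
            $finding = 'UNSIGNED'
        }
        elseif ($null -eq $sig.TimeStamperCertificate) {
            # Signed without /t: validity ends with the signing certificate.
            $finding = 'SIGNED, NOT TIMESTAMPED'
        }
        else {
            $finding = 'SIGNED AND TIMESTAMPED'
        }

        # Days until the signing certificate expires (blank if unsigned).
        $expires  = $null
        $daysLeft = $null
        if ($null -ne $signer) {
            $expires  = $signer.NotAfter
            $daysLeft = [int][math]::Floor(($expires - (Get-Date)).TotalDays)
        }

        [pscustomobject]@{
            File          = $_.FullName
            Finding       = $finding
            Status        = $sig.Status      # Windows' own verdict today
            SignerExpires = $expires
            DaysLeft      = $daysLeft
        }
    }

$report | Sort-Object Finding, DaysLeft | Format-Table -AutoSize

# Fail the build step if anything would ship unsigned or without a timestamp.
$bad = @($report | Where-Object { $_.Finding -ne 'SIGNED AND TIMESTAMPED' })
if ($bad.Count -gt 0) {
    Write-Error "$($bad.Count) file(s) are unsigned or missing a timestamp."
    exit 1
}
```

A file reported as SIGNED, NOT TIMESTAMPED will stop showing as signed once the date in its SignerExpires column passes, so re-sign it with the /t option before release.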

For more information you can also take a look at this Verisign article.
