Code Signing an EXE

Keywords: Code Sign Signing Certificate UAC Vista Trusted Authority

Buying a Certificate for WinBatch scripts

Why? Windows Vista and UAC. Running a compiled WinBatch EXE that contains Control Manager Extender functions on a Windows system with UAC enabled requires that the EXE be 'signed' by a 'Trusted Authority'.

Also, if you do not sign your EXEs, Windows Vista makes your program appear as if it were malware or a virus. When you run an EXE on Vista you may receive a message asking whether or not you trust the application you are about to run. If your EXE is not digitally signed, the popup message will reference an "Unknown Publisher". If the EXE is digitally signed, the popup message will show your own publisher information instead.

The Control Manager Extender functions require a trusted, signed EXE in order to run on Windows Vista with UAC enabled. Down the road, Vista will require any EXE, regardless of functionality, to be signed and trusted.

What is a certificate?

Code Signing certificates allow you to 'digitally sign' your EXEs for secure delivery of your scripts. By digitally signing your EXE you let the user verify who published it and that it has not been modified since you signed it.

To create a digital signature you will need 'a key pair': a public key and a private key. The private key is known only to its owner and is used to sign the data. The public key can be distributed to anyone and is used to verify the signature on the data.

Digital certificates bind YOU to the specific public and private key pair. Digital certificates are like an electronic ID that verifies your identity.

You can obtain a certificate from a certificate authority (CA), which vouches for the certificate. A CA generally requires you to provide unique identifying information. The CA uses this information to authenticate your identity before giving you a certificate.
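The key-pair mechanics described above, as an added example that is not part of the original article or of WinBatch: the .NET RSA classes available in Windows PowerShell 5.1 and PowerShell 7 generate a throw-away pair, sign some constructed sample bytes with the private half, and verify with the public half alone. A certificate from a CA would bind that public half to a named publisher; nothing here is a real certificate or key.

```powershell
# Added example (not from the WinBatch article): private key signs, public key verifies.
# Runs on Windows PowerShell 5.1 or PowerShell 7; no certificate or CA involved.

$hashAlg = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

# 1. The publisher generates a key pair. The private half stays inside this object.
$signer = [System.Security.Cryptography.RSA]::Create(2048)

# 2. Only the public half is exported for distribution: ExportParameters($false)
#    omits the private exponent and primes. This is what a certificate would carry.
$publicOnly = $signer.ExportParameters($false)
$verifier   = [System.Security.Cryptography.RSA]::Create()
$verifier.ImportParameters($publicOnly)

# Stand-in for a compiled EXE: constructed sample bytes, not a real file.
$code = [System.Text.Encoding]::UTF8.GetBytes('MZ... pretend this is a compiled WinBatch EXE')

# 3. Sign with the private key (SHA-256 hash of the data, then an RSA signature over the hash).
$signature = $signer.SignData($code, $hashAlg, $padding)

# 4. Anyone holding only the public key can check the signature over the untouched bytes...
$untouchedOk = $verifier.VerifyData($code, $signature, $hashAlg, $padding)
Write-Host "Untouched file verifies: $untouchedOk"

# ...and will reject the same signature once a single byte of the data has changed,
# which is what lets Windows detect a modified EXE.
$tampered    = [byte[]]$code.Clone()
$tampered[5] = $tampered[5] -bxor 0x01
$tamperedOk  = $verifier.VerifyData($tampered, $signature, $hashAlg, $padding)
Write-Host "Modified file verifies:  $tamperedOk"

# The public-only object cannot produce a signature: SignData throws because the
# private parameters were never imported. That asymmetry is the whole point of the pair.
try {
    $null = $verifier.SignData($code, $hashAlg, $padding)
    Write-Host 'Unexpected: public key was able to sign'
} catch {
    Write-Host 'Signing with the public key alone failed, as expected.'
}
```

The first verification succeeds and the second fails; the difference between the two runs is one flipped byte in the data, which is exactly the property the Windows publisher prompt relies on when it reports a signed file as unmodified.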

Sources for digital certificates

  1. You can use the self-signed method for generating a digital certificate. The selfcert.exe tool from Microsoft can be used to create one. This approach allows you to test the operation of digital certificates, but it has limited practical use because no independent party verifies the authenticity of the certificate.

  2. You can use Windows Certificate Services within an organization to create certificates recognized by those within the organization and other groups, such as suppliers or consultants that work closely with an enterprise-based issuer of certificates. These certificates are trusted by those in the organization as well as close associates.

  3. You can use certificates issued by a widely recognized trusted certifying authority. The two certifying authorities that I'm most familiar with are VeriSign and Thawte. This article demonstrates the steps for acquiring, installing, and using a Thawte certificate to sign WinBatch scripts.

Where do I buy a Certificate?

Apparently there are many different Certificate Authorities. Here are a few of the better known:

For a more complete list, check the 'Microsoft Root Certificate Program Members' list on Microsoft's web site: http://msdn2.microsoft.com/en-us/library/ms995347.aspx

Buying a Certificate

WinBatch itself has been signed using the Certification Authority 'Thawte'. Here are the steps to buy your own 'Code Signing' 'Digital Certificate'. Go to https://www.thawte.com/ssl-digital-certificates/code-signing/index.html. Follow all of the prompts.

Here are some of the things you may be asked for:

  1. Choose Type of certificate: 'Microsoft Authenticode (Multi-Purpose) Certificate'
  2. Install Addon: 'Microsoft Enrollment Control'
  3. Enter 'organization name and location'
  4. Web server domain name
  5. Path to store private key 'c:\mykey.pvk'
  6. Enter Corporate, technical and Billing Contact information.
  7. Credit card info.
  8. Description of your organization
  9. Company Tax ID (EIN) number, if you have one.
  10. Password for your Thawte account
  11. Password for the private key.

Note: Your private key (.pvk file) will be stored wherever you specified.

Once you have completed the purchasing process you will be given a 'certificate request code' and a 'payment reference number'. You will then receive an email confirming your order. Next you will receive an email asking you to confirm that you approve the digital certificate order, and it asks you to start the final verification step by clicking on a link. You then simply follow all of the various prompts at the 'Thawte Automated Order Verification' website.

To complete the 'automated' verification:

The automated process places a call to the first phone number you specified, and the webpage gives you a special 4-digit value to enter from your phone. Next, the automated voice message gives you another 4-digit number, called a "PIN", that you will enter when the next call is received. Once you hang up you will receive another phone call, to the other phone number, and you will be asked to enter the PIN. Once this is complete the webpage will notify you that the following steps are still in progress: 'Proof of Domain Registration'.

Finally you will receive an email telling you that your application for a Thawte certificate has been successful. It will contain a link to a webpage where you can download your public certificate. Make sure to have your Thawte account password handy. Confirm that your certificate is in Microsoft Authenticode format. I recommend downloading your public certificate to the same directory where you stored your private key.

Backing Up Certificates

Please keep copies of the .pvk and .spc files in a safe place. If you lose your .pvk file you will not be able to sign any code and will have to purchase a new certificate.

Install Microsoft Authenticode certificate

Now you need to install your certificate. The process to install the certificate depends on the certificate file type.

.PFX Certificate File

Windows 7 has a certificate installation wizard that can be invoked by simply double clicking on the .pfx file. Using the Wizard, installing a code signing certificate can be done in less than a minute.

.SPC and .PVK Certificate Files

In order to move your certificate and private key to the registry, Microsoft has created a tool called PVKIMPRT, which copies the .spc and .pvk files into the registry. Moving the certificate and private key to the registry allows you to sign your WinBatch EXEs.

Download the PVK Digital Certificate Files Importer:

[ Download PVKIMPRT ]

Please read the usage instructions after downloading pvkimprt from Microsoft.

The pvkimprt.exe file that you downloaded from Microsoft is a self-extracting archive which, when executed without any options, will install the real 'pvkimprt.exe' into a directory on your path.

WinBatch offers a script, InstallCodeSignCertificate.wbt in your WinBatch\Samples subdirectory, that handles the install and import for you. Note: this script requires that you have already downloaded and installed pvkimprt.exe from Microsoft.

[ Download InstallCodeSignCertificate_wbt.zip ]

Otherwise you can use PVKIMPRT from the Windows command line. Go to START|Run, enter CMD.EXE, then type:

C:\WINDOWS\PVKIMPRT.EXE -IMPORT "{SPC file path}" "{PVK file path}"

How do I know if the Certificate is installed?

  1. Launch Internet Explorer
  2. Select the 'Tools'|'Internet Options' menu.
  3. Select the 'Content' tab.
  4. Press the 'Certificates' button.
  5. Select the 'Personal' tab.

Give Certificate a Friendly Name

You can view and manage the root certificates on your computer by going to Internet Options in Internet Explorer or the Control Panel. Click the Content tab and then Certificates. Find your desired certificate under the Trusted Root Certification Authorities tab and click View and then the Details tab. Select the Friendly Name field and click Edit Properties. There you can change the Friendly Name.
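The .pfx install, the 'Personal' tab check and the Friendly Name edit described in the three sections above, done from Windows PowerShell 5.1 or PowerShell 7 on Windows instead of the wizard and Internet Explorer. This is an added example, not part of the original article or of WinBatch; the path C:\certs\mycert.pfx and the name 'WinBatch Code Signing' are assumptions you would replace with your own.

```powershell
# Added example (not from the WinBatch article). Requires the PKI module that ships
# with Windows 8 / Server 2012 and later (Import-PfxCertificate).

$pfxPath      = 'C:\certs\mycert.pfx'      # assumption: where you saved the .pfx
$friendlyName = 'WinBatch Code Signing'    # assumption: the name the compiler will look up

# 1. Install into the current user's Personal store (what the .pfx wizard does).
#    The password is read interactively, so it is not left in the console history
#    or in a script file.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$imported = Import-PfxCertificate -FilePath $pfxPath `
                                  -CertStoreLocation Cert:\CurrentUser\My `
                                  -Password $pfxPassword

# 2. Confirm it is present and usable for code signing. -CodeSigningCert keeps only
#    certificates with the Code Signing usage, which is what IE's Personal tab lists.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
if (-not $cert)                { throw 'Certificate imported but it has no Code Signing usage.' }
if (-not $cert.HasPrivateKey)  { throw 'Certificate has no private key; it cannot sign anything.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# 3. Give it the Friendly Name that the WinBatch+Compiler 'Signing Details' dialog
#    will reference. Setting the property on a certificate taken from the Cert: drive
#    writes it back to the store.
$cert.FriendlyName = $friendlyName

# Show what is now available for signing.
Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Select-Object FriendlyName, Subject, NotAfter, HasPrivateKey, Thumbprint |
    Format-Table -AutoSize
```

The three checks in step 2 are the ones that matter before a first compile: a certificate without the Code Signing usage, without its private key, or past its expiry date will be installed but will not sign.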

Sign code with Microsoft Authenticode Certificate

Once the certificate is correctly installed, you should be able to sign your EXE. You have a few options for signing your WinBatch EXEs:
  1. The WinBatch+Compiler allows you to sign code. The SETTINGS button in the WinBatch+Compiler can be used to specify the appropriate options. Under the 'Vista UAC Setting' section, place a check in the 'Sign Code' check box. Next, select the 'Signing Details' button. Specify the 'Friendly Name' of the certificate you would like to use to sign your EXE. Optionally specify a Description and Website URL. Compile. Voilà.

  2. You can use the CodeSign.wbt located in your WinBatch\Samples subdirectory to import the certificate for you and then sign your EXE.

    [ Download Codesign_wbt.zip ]

  3. You can write your own 'Code Signing' script using the IntControl 93 function. See the WIL help file for details.

  4. SignCode.exe, provided by Microsoft ( http://msdn2.microsoft.com/en-us/library/9sh96ycy(vs.80).aspx ), can be used to sign an EXE with the following command (run from the directory where signcode.exe is installed):
    signcode -spc mycert.spc -v mykey.pvk file.exe

    There are a variety of switches that you may use when signing your files. Typing "signcode" at the command prompt without any switches lists the available options. Please consult the SignCode documentation for details.

  5. SignTool is a command-line tool that digitally signs files, verifies signatures in files, or time stamps files: http://msdn2.microsoft.com/en-us/library/aa387764.aspx

Timestamp an .EXE file

Timestamping ensures that code will not expire when the certificate expires. VeriSign offers a timestamping service at http://timestamp.verisign.com/scripts/timstamp.dll . We recommend that you specify VeriSign's timestamp server URL when you sign the WinBatch EXE file.

The timestamp server validates the date and time that the file was signed, so the certificate can expire but the signature will remain valid for as long as the file is in production. A new certificate is only necessary if you want to sign additional code or re-sign code that has been modified.

If you do not use the timestamping option during the signing, you must re-sign your code and re-send it out.

To verify if your file has been timestamped, use the chktrust.exe utility included with the Authenticode SDK tools. The date and time will be displayed when the file has been timestamped. "Unknown date and time" will appear when the file has NOT been timestamped.

The WinBatch Compiler and InstallCodeSignCertificate.wbt both use this timestamp server when signing code for you. However, if you choose to use IntControl 93 or SignCode.exe to sign your EXEs, then you should specify this timestamp server yourself.
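Signing with a timestamp and then checking for the timestamp, as the section above and the timestamp FAQ further down describe, done from Windows PowerShell 5.1 or PowerShell 7 on Windows. This is an added example and not part of the original article or of WinBatch; it assumes the certificate was given the Friendly Name 'WinBatch Code Signing', that the compiled file is C:\build\MyScript.exe, and it uses the timestamp URL this article recommends (substitute your CA's current timestamp server if that one has moved).

```powershell
# Added example (not from the WinBatch article): sign + timestamp, then verify the
# way chktrust.exe does. Set-AuthenticodeSignature / Get-AuthenticodeSignature ship
# with PowerShell on Windows.

$exePath         = 'C:\build\MyScript.exe'                                # assumption
$friendlyName    = 'WinBatch Code Signing'                                # assumption
$timestampServer = 'http://timestamp.verisign.com/scripts/timstamp.dll'   # URL from this article

# Pick the certificate by Friendly Name, exactly as the WinBatch+Compiler 'Signing
# Details' dialog does. Signing from the store uses the private key in place, so no
# .pvk/.pfx password has to be typed into, or stored in, an automated build script.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object FriendlyName -eq $friendlyName |
        Select-Object -First 1
if (-not $cert) { throw "No code-signing certificate named '$friendlyName' in Cert:\CurrentUser\My" }

# Sign and timestamp in one step. Without -TimestampServer the signature stops
# validating the day the certificate expires, as the section above explains.
$result = Set-AuthenticodeSignature -FilePath $exePath `
                                    -Certificate $cert `
                                    -TimestampServer $timestampServer `
                                    -HashAlgorithm SHA256
if ($result.Status -ne 'Valid') { throw "Signing failed: $($result.StatusMessage)" }

# Verify like chktrust: a timestamped file carries a TimeStamperCertificate; one
# signed without a timestamp has none (chktrust's "Unknown date and time").
$sig = Get-AuthenticodeSignature -FilePath $exePath
[pscustomobject]@{
    File        = $sig.Path
    Status      = $sig.Status            # Valid, NotSigned, HashMismatch, ...
    Publisher   = $sig.SignerCertificate.Subject
    CertExpires = $sig.SignerCertificate.NotAfter
    Timestamped = [bool]$sig.TimeStamperCertificate
    Timestamper = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { 'none' }
}
```

Run the last part on its own against any EXE you ship to audit it: Status other than Valid, or Timestamped equal to False, means the file needs to be re-signed before the certificate's NotAfter date passes.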

Hopefully this will help step you through the harrowing process of purchasing a Code signing certificate, installing it and signing your very first WinBatch EXE. Good Luck!


FAQs


Is there a limit to the number of applications that are allowed to be signed with a Code Signing Certificate?

No, it should not limit you to any specific number. You can sign as many WinBatch EXEs with a Code Signing Certificate as you wish, provided that the applications are used for and distributed by the organization that owns the certificate.


How long can I use a Code Signing Certificate for?

Code Signing Certificates are valid for 1 or 2 years depending on which life cycle you choose when you purchase the certificate. Please note: For Microsoft Authenticode, you should also timestamp your signed code to avoid your code expiring when your certificate expires. (You timestamp your exe when you 'sign' it).


Is timestamped code valid after a Code Signing Certificate expires?

Microsoft Authenticode allows you to timestamp your signed code. Timestamping ensures that code will not expire when the certificate expires, because the browser validates the timestamp. The timestamping service is provided courtesy of VeriSign. If you use the timestamping service when signing code, a hash of your code is sent to VeriSign's server to record a timestamp for your code. A user's software can then distinguish between code signed with an expired certificate, which should not be trusted, and code that was signed with a certificate that was valid at the time of signing but has subsequently expired.

Please specify VeriSign's timestamp server URL when you sign the WinBatch EXE file. The timestamp server validates the date and time that the file was signed, so the certificate can expire but the signature will remain valid for as long as the file is in production. A new certificate is only necessary if you want to sign additional code or re-sign code that has been modified.

If you do not use the timestamping option during the signing, you must re-sign your code and re-send it out.

To verify if your file has been timestamped, use the chktrust.exe utility included with the Microsoft Authenticode SDK tools. The date and time will be displayed when the file has been timestamped. "Unknown date and time" will appear when the file has NOT been timestamped.

You can use the VeriSign timestamping server by adding "-t http://timestamp.verisign.com/scripts/timstamp.dll" to the 'signcode' command line.


Enter a Password for the Private Key

It is very important that you remember the password when your browser generates this private key. Failure to remember the password will result in a complete inability to use the certificate, and you will need to have your certificate re-issued (free of charge).

However, having password protection on the private key requires that you enter the password every time you 'sign' an object. If you are going to automate the signing procedure, you can choose not to have password protection on the private key: click on the "None" button to do without a password. This is a big security risk and is not recommended.

Known Issues

Microsoft has published information about a known bug in the signcode and pvkimprt utilities they currently make available to clients. This vulnerability will only be addressed in the release of Windows XP. When clients attempt to move certificates and keys between, e.g., Windows NT and Windows ME or Windows XP, they may encounter problems when importing the files into the registry. This is caused by a default key length discrepancy between the platforms. For further information about this bug, please refer to the article published on Microsoft's website at the following URL: http://www.microsoft.com/mind/0299/faq/faq0299.asp


References:

Microsoft 'Code-Signing Best Practices'
http://www.microsoft.com/whdc/winlogo/drvsign/best_practices.mspx

CryptoAPI Tools
http://msdn2.microsoft.com/en-us/library/aa380259.aspx

PVKIMPRT.EXE (Digital Certificate Files Importer)
http://officeupdate.microsoft.com/2000/downloaddetails/pvkimprt.htm
http://www.microsoft.com/downloads/details.aspx?familyid=F9992C94-B129-46BC-B240-414BDFF679A7&displaylang=en



Article ID:   W16901
File Created: 2017:08:29:10:37:14
Last Updated: 2017:08:29:10:37:14