Keywords: Code Sign Signing Certificate UAC Vista Trusted Authority
Also, if you do not sign your EXEs then Windows Vista makes your program appear as if it were malware or a virus. When you run an EXE on Vista you may receive a message asking you whether or not you trust the application you are about to run. If your EXE is not digitally signed, the popup message will reference an "Unknown Publisher". If the EXE is digitally signed, it will reference your own information in the popup message.
The Control Manager Extender functions require a trusted, signed EXE in order to run on Windows Vista with UAC enabled. Down the road, Vista will require any EXE, regardless of functionality, to be signed and trusted.
To create a digital signature you will need a key pair: a public key and a private key. The private key is known only to its owner and is used to sign the data. The public key can be distributed to anyone and is used to verify the signature on the data.
Digital certificates bind YOU to a specific public and private key pair. A digital certificate is like an electronic ID that verifies your identity.
You can obtain a certificate from a certificate authority (CA), which vouches for the certificate. A CA generally requires you to provide unique identifying information. The CA uses this information to authenticate your identity before giving you a certificate.
For a more complete list, check out the 'Microsoft Root Certificate Program Members' list on Microsoft's web site: http://msdn2.microsoft.com/en-us/library/ms995347.aspx
Here are some of the things you may be asked for:
Note: Your private key (.pvk file) will be stored wherever you specified.
Once you have completed the purchasing process you will be given a 'certificate request code' and a 'payment reference number'. You will then receive an email confirming your order. Next you will receive an email asking you to confirm that you approve the digital certificate order; it asks you to start the final verification step by clicking on a link. You then simply follow all of the various prompts at the 'Thawte Automated Order Verification' website.
To complete the 'automated' verification, you must:
Finally you will receive an email telling you that your application for a Thawte certificate has been successful. It will contain a link to a webpage where you can download your public certificate. Make sure to have your Thawte account password handy. Confirm that your certificate is in Microsoft Authenticode format. I recommend downloading your public certificate to the same directory where you stored your private key.
Download the PVK Digital Certificate Files Importer:
Please read the usage instructions after downloading pvkimprt from Microsoft.
The pvkimprt.exe file that you downloaded from Microsoft is a self-extracting archive which, when executed without any options, will install the real 'pvkimprt.exe' into a directory on your path.
WinBatch offers a script to handle the install and import for you: InstallCodeSignCertificate.wbt, located in your WinBatch\Samples subdirectory. Note: this script requires that you have already downloaded and installed pvkimprt.exe from Microsoft.
[ Download InstallCodeSignCertificate_wbt.zip ]
Otherwise you can use PVKIMPRT from the Windows command line. Go to Start | Run, enter CMD.EXE, then type:
C:\WINDOWS\PVKIMPRT.EXE -IMPORT "{SPC file path}" "{PVK file path}"
signcode -spc mycert.spc -v mykey.pvk file.exe
There are a variety of switches that you may use when signing your files. Typing "signcode" at the command prompt without any switches will give you a list of available options. Please consult the SignCode documentation for details.
Timestamping ensures that code will not expire when the certificate expires. VeriSign offers a timestamping service at http://timestamp.verisign.com/scripts/timstamp.dll . We recommend that you specify VeriSign's timestamp server URL when you sign the WinBatch EXE file.
The timestamp server validates the date and the time that the file was signed; therefore the certificate can expire but the signature will remain valid for as long as the file is in production. A new certificate is only necessary if you want to sign additional code or re-sign code that has been modified.
If you do not use the timestamping option during the signing, you must re-sign your code and re-send it out.
To verify if your file has been timestamped, use the chktrust.exe utility included with the Authenticode SDK tools. The date and time will be displayed when the file has been timestamped. "Unknown date and time" will appear when the file has NOT been timestamped.
The WinBatch Compiler and InstallCodeSignCertificate.wbt both use this timestamp server when signing code for you. However, if you choose to use IntControl 93 or SignCode.exe to sign your EXEs, then you should specify this timestamp server yourself.
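To show the signing and timestamp steps together, here is an added PowerShell script. It is not from the original article and not part of WinBatch or the Authenticode SDK; it drives signcode.exe the way the command line above does, asks for the VeriSign timestamp, and then reads the signature back to confirm the timestamp actually landed (the condition chktrust.exe reports as "Unknown date and time" when it is missing). The file paths, the 'MyApp' description and the info URL are assumptions, as is signcode.exe being on the PATH and the certificate chain being trusted on the machine that runs the check.

```powershell
# Added example (not from the original WinBatch article): sign a compiled WinBatch EXE
# with signcode.exe, timestamp it, and confirm the timestamp is present before shipping.
# Assumed: signcode.exe (Authenticode SDK) is on the PATH; paths below are placeholders.

param(
    [string]$ExePath      = 'C:\build\MyApp.exe',    # assumed: the compiled WinBatch EXE
    [string]$SpcPath      = 'C:\certs\mycert.spc',   # assumed: public certificate from the CA
    [string]$PvkPath      = 'C:\certs\mykey.pvk',    # assumed: private key file
    [string]$TimestampUrl = 'http://timestamp.verisign.com/scripts/timstamp.dll'
)

# Sign and timestamp in one step. -t names the timestamp server; -tr/-tw retry the
# timestamp request (5 tries, 10 seconds apart) so a transient network fault does not
# silently leave the file signed but un-timestamped. -n/-i are the description and
# info URL shown to the user in the trust dialog (assumed values).
& signcode.exe -spc $SpcPath -v $PvkPath `
    -n 'MyApp' -i 'http://www.example.com/' `
    -t $TimestampUrl -tr 5 -tw 10 `
    $ExePath
if ($LASTEXITCODE -ne 0) {
    throw "signcode failed with exit code $LASTEXITCODE; refusing to ship $ExePath"
}

# Verify independently of the signing tool. Get-AuthenticodeSignature reads the embedded
# signature: Status tells us the chain is trusted, and TimeStamperCertificate is empty
# when the signature carries no timestamp countersignature.
$sig = Get-AuthenticodeSignature -FilePath $ExePath
if ($sig.Status -ne 'Valid') {
    throw "Signature on $ExePath is $($sig.Status): $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    throw "$ExePath is signed but NOT timestamped; it will stop validating when the certificate expires"
}

"Signed by:      $($sig.SignerCertificate.Subject)"
"Cert expires:   $($sig.SignerCertificate.NotAfter)"
"Timestamped by: $($sig.TimeStamperCertificate.Subject)"
```

Run it as .\sign-and-check.ps1 -ExePath 'C:\build\MyApp.exe' from a PowerShell prompt on the build machine. The script fails loudly on either a signing error or a missing timestamp, which is the property you want in an automated build: a signed-but-untimestamped EXE looks fine today and only breaks after the certificate expires.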
Hopefully this will help step you through the harrowing process of purchasing a Code signing certificate, installing it and signing your very first WinBatch EXE. Good Luck!
Is there a limit to the number of applications that are allowed to be signed with a Code Signing Certificate?
No, it should not limit you to any specific number. You can sign as many WinBatch EXEs with a Code Signing Certificate as you wish, provided that the applications are used for and distributed by the organization that owns the certificate.
How long can I use a Code Signing Certificate for?
Code Signing Certificates are valid for 1 or 2 years depending on which life cycle you choose when you purchase the certificate. Please note: For Microsoft Authenticode, you should also timestamp your signed code to avoid your code expiring when your certificate expires. (You timestamp your exe when you 'sign' it).
Is timestamped code valid after a Code Signing Certificate expires?
Microsoft Authenticode allows you to timestamp your signed code. Timestamping ensures that code will not expire when the certificate expires because the browser validates the timestamp. The timestamping service is provided courtesy of VeriSign. If you use the timestamping service when signing code, a hash of your code is sent to VeriSign’s server to record a timestamp for your code. A user’s software can distinguish between code signed with an expired certificate that should not be trusted and code that was signed with a Certificate that was valid at the time the code was signed but which has subsequently expired.
Please specify VeriSign’s timestamp server url when you sign the WinBatch exe file. The timestamp server validates the date and the time that the file was signed therefore the certificate can expire but the signature will be valid for as long as the file is in production. A new certificate is only necessary if you want to sign additional code or re-sign code that has been modified.
If you do not use the timestamping option during the signing, you must re-sign your code and re-send it out.
To verify if your file has been timestamped, use the chktrust.exe utility included with the Microsoft Authenticode SDK tools. The date and time will be displayed when the file has been timestamped. "Unknown date and time" will appear when the file has NOT been timestamped.
You can use the VeriSign timestamping server by adding "-t http://timestamp.verisign.com/scripts/timstamp.dll" to the 'signcode' command line.
Enter a Password for the Private Key
It is very important that you remember the password when your browser generates this private key. Failure to remember the password will result in a complete inability to use the Certificate, and you will need to re-issue your Certificate free of charge.
However, having password protection on the private key requires that you enter the password every time you 'sign' an object. If you are going to automate the signing procedure, you can choose not to have password protection on the private key. Click on the "None" button to do without a password. This is a big security risk and is not recommended.
Known Issues
Microsoft has published information about a known bug in the signcode and pvkimprt utilities they currently make available to clients. This vulnerability will only be addressed in the release of Windows XP. When clients attempt to move certificates and keys between, e.g., Windows NT and Windows ME or Windows XP, they may encounter problems when importing the files into the registry. This is caused by a default key length discrepancy between the platforms. For further information about this bug, please refer to the article published on Microsoft's website at the following URL: http://www.microsoft.com/mind/0299/faq/faq0299.asp
Microsoft 'Code-Signing Best Practices'
http://www.microsoft.com/whdc/winlogo/drvsign/best_practices.mspx
CryptoAPI Tools
http://msdn2.microsoft.com/en-us/library/aa380259.aspx
PVKIMPRT.EXE (Digital Certificate Files Importer)
http://officeupdate.microsoft.com/2000/downloaddetails/pvkimprt.htm
http://www.microsoft.com/downloads/details.aspx?familyid=F9992C94-B129-46BC-B240-414BDFF679A7&displaylang=en
Article ID: W16901
File Created: 2019:08:14:09:06:18
Last Updated: 2019:08:14:09:06:18