Authenticode Code Signing
Authenticode is Microsoft's format for digital signatures on software binaries. The signature is embedded in the file itself: for Portable Executable (PE) files (typically .exe, .dll, .sys and .ocx) it is stored in the PE Certificate Table as a PKCS#7 SignedData blob, and Windows Installer packages (.msi) are signed the same way. For details, refer to the Microsoft documentation on Windows Authenticode Portable Executable Signature Format.
The SignServer Authenticode signer is configured like any other signer in SignServer; the only special requirement is that it is used with a code signing certificate, that is, a certificate carrying the Code Signing extended key usage.
If your organization already has a Certificate Authority (for example PrimeKey EJBCA) configured to be trusted by your users, you can use that CA to issue the certificate. Otherwise, you could buy a certificate from one of the CAs already trusted by default in Windows.
For testing purposes, and for test environments in general, you can issue the certificate yourself. Remember to set the Code Signing extended key usage on it and to install the issuing CA certificate in the trusted root store of the machines that will check the signature; otherwise Windows reports the signature as coming from an untrusted root even though it is cryptographically valid.
The following sections describe the steps required to configure and sign using the SignServer MS Authenticode signer (the worker named MSAuthCodeSigner below).
Add MS Authenticode Signer
To add and configure the MS Authenticode signer, do the following:
- Go to the SignServer Admin Web Workers page and click Add to add a new worker.
- On the Add Worker / Load Template page, choose the method From Template.
- In the Load From Template list menu, select ms_authcode_signer.properties and click Next.
- On the Configuration page, click Apply to load the sample MS Authenticode signer configuration.
The MSAuthCodeSigner now appears in the worker list with status ACTIVE. If it shows OFFLINE instead, the worker's crypto token could not be activated and it will reject signing requests until that is fixed; check the worker's status page for the reason.
Submit and Sign File Using MS Authenticode Signer
The following describes how to submit and sign an executable file with the MS Authenticode signer either using the SignServer Demo Web or the SignServer Client CLI SignClient:
You can use any unsigned executable file or use the provided example file HelloPE.exe.
Sign Using Demo Web
To download an example executable file and then submit and sign the EXE using the Demo Web, do the following:
- Download the HelloPE.exe to test EXE Signing.
- Go to the SignServer Generic Signing and Validation Demo page on https://<yourawsinstancepublicdns>/signserver/demo/genericsign.jsp.
- Scroll down on the page to the Sign by File Upload section and specify MSAuthCodeSigner in the Worker name field.
- Click Browse next to File, select HelloPE.exe and click Submit.
- You will be prompted to save the signed EXE file HelloPE.exe.
Sign Using Client CLI
To download an example executable file and then submit and sign the file using the SignServer Client CLI SignClient, do the following. Note that the Client CLI requires Java.
- Download the SignServer ClientCLI from the location:
- Unzip signserver-clientcli.zip to the
- Copy HelloPE.exe to the bin directory inside the
- Open a command (cmd) window if on a Windows system, or a terminal on Linux or Mac and change directory (cd) to the
- Sign HelloPE.exe using SignClient:
If you are on a Windows system, use the following command:
signclient.cmd signdocument -host yourawsinstancepublicdns -port 80 -workername MSAuthCodeSigner -infile HelloPE.exe -outfile HelloPESigned.exe
If you are on a Linux or Mac system, use the following command:
./signclient signdocument -host yourawsinstancepublicdns -port 80 -workername MSAuthCodeSigner -infile HelloPE.exe -outfile HelloPESigned.exe
Both commands send the file and receive the signed result over plain HTTP on port 80, which is acceptable for a throw-away test instance only. For anything else, point SignClient at the HTTPS port and supply a truststore (-truststore and -truststorepwd) so the server certificate is checked, and, where the worker is configured to require client certificate authentication, a client keystore (-keystore and -keystorepwd).
Verify the Signature
Verify that the file is signed by inspecting the signature attached to the signed output (HelloPE.exe as saved from the Demo Web, or HelloPESigned.exe from the Client CLI) on a Windows system.
To view the signature details, do the following:
- Right-click the file and select Properties.
- Click the Digital Signatures tab.
- Select the signature in the Signature list and click Details.
The Details dialog shows whether the signature is valid and which certificate chain it resolves to. If the issuing CA is a test CA that is not installed in the trusted root store, the dialog reports the chain as terminating in an untrusted root; that is a trust problem, not a signing problem, and is resolved by installing the CA certificate as described above.
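The introduction above describes where the signature lives in the PE file (the Certificate Table), and the verification steps above rely on Windows Explorer to confirm that a file carries one. The following added example, which is not SignServer code and not part of the original guide, shows both from any platform using only the Python standard library: it parses the PE headers to find the Certificate Table, extracts each WIN_CERTIFICATE entry, and computes the Authenticode digest of the file, the hash the embedded PKCS#7 signature actually covers. It constructs a minimal PE32+ image in memory as test input (labelled as constructed; the "placeholder DER" blob is not a real signature) and accepts a path such as HelloPESigned.exe to inspect a real file. It does not validate the PKCS#7 signature or the certificate chain; that remains the job of Windows or signtool.

```python
"""Added example (not SignServer code): locate the Authenticode signature embedded in a
PE file and compute the digest the signature covers, using only the standard library."""
import hashlib
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data-directory slot of the Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate carries a PKCS#7 SignedData blob


def pe_layout(data: bytes) -> dict:
    """Parse just enough of the headers to find the fields Authenticode treats specially."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                        # PE32: data directories start at offset 96
        dirs = opt + 96
    elif magic == 0x20B:                      # PE32+: data directories start at offset 112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_dir = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", data, sec_dir)  # a raw file offset, not an RVA
    return {"checksum": opt + 64, "security_dir": sec_dir,
            "cert_off": cert_off, "cert_size": cert_size}


def attached_signatures(data: bytes) -> list:
    """Return (revision, type, blob) for every WIN_CERTIFICATE in the Certificate Table."""
    lay = pe_layout(data)
    if lay["cert_off"] == 0 or lay["cert_size"] == 0:
        return []                             # unsigned: the directory entry is zero
    off, end = lay["cert_off"], lay["cert_off"] + lay["cert_size"]
    if end > len(data):
        raise ValueError("Certificate Table runs past end of file")
    entries = []
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at offset %d" % off)
        entries.append((revision, cert_type, data[off + 8:off + length]))
        off += (length + 7) & ~7              # entries are padded to 8-byte boundaries
    return entries


def authenticode_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Digest of the file as Authenticode defines it: every byte except the CheckSum field,
    the Certificate Table directory entry and the Certificate Table itself.  Assumes sections
    are stored contiguously in file order (the normal case); the specification walks sections
    by PointerToRawData, which only differs for unusual layouts."""
    lay = pe_layout(data)
    h = hashlib.new(algorithm)
    h.update(data[:lay["checksum"]])
    h.update(data[lay["checksum"] + 4:lay["security_dir"]])
    if lay["cert_off"] and lay["cert_size"]:
        h.update(data[lay["security_dir"] + 8:lay["cert_off"]])
        h.update(data[lay["cert_off"] + lay["cert_size"]:])
    else:
        h.update(data[lay["security_dir"] + 8:])
    return h.hexdigest()


def build_sample_pe(signature_blob: bytes = b"") -> bytes:
    """Constructed test input, not a real program: a minimal PE32+ image.  When a blob is
    given it is appended as a WIN_CERTIFICATE and the Certificate Table entry points at it,
    which is what a signer does to the file."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, no sections, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)           # CheckSum, excluded from the digest
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    image = dos + b"PE\0\0" + coff + opt + b"example section data for HelloPE"  # 360 bytes, 8-aligned
    if signature_blob:
        entry = struct.pack("<IHH", 8 + len(signature_blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
        entry += signature_blob + b"\0" * (-(8 + len(signature_blob)) % 8)
        struct.pack_into("<II", image, pe_layout(image)["security_dir"], len(image), len(entry))
        image += entry
    return bytes(image)


if __name__ == "__main__":
    # Inspect a real file (e.g. HelloPESigned.exe) when a path is given, else the sample image.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(b"placeholder DER")
    for revision, cert_type, blob in attached_signatures(data):
        print("WIN_CERTIFICATE rev=0x%04x type=0x%04x, %d bytes of PKCS#7" % (revision, cert_type, len(blob)))
    print("authenticode sha256:", authenticode_digest(data))
```

Two properties fall out of the code. The digest of the signed file equals the digest of the unsigned file, because the CheckSum field, the directory entry and the Certificate Table are excised from the hash; that is why a signer can append the signature without invalidating the hash it signs. Conversely, any change confined to the Certificate Table leaves the digest unchanged, so confirming that signature bytes are present (which is all this script and the Explorer property sheet's Signature list do) is not the same as verifying the signature and its chain.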