Authenticode Code Signing

Authenticode is a Microsoft format for digital signatures in software binaries. Using Authenticode, the signature is embedded within a Portable Executable (PE) file, (typically file types like .exe, .dll, .sys and .ocx) and Windows Installer packages (.msi). For more information, refer to the Microsoft documentation on Windows Authenticode Portable Executable Signature Format.

The SignServer Authenticode signer is configured just like any other signer in SignServer and the only special requirement for this signer is to use a code signing certificate.

If your organization already has a Certificate Authority (for example PrimeKey EJBCA) configured to be trusted by your users, you can use that CA to issue the certificate. Otherwise, you could buy a certificate from one of the CAs already trusted by default in Windows.

For testing purposes, and also for test environments in general, you can issue the certificate yourself. Just remember to have the extended key usage Code Signing set and to install the CA certificate in your test environment.

The following sections describe the steps required to configure and sign using the SignServer MS Authenticode signer MS Auth Code Signer.

Add MS Authenticode Signer

To add and configure the MS Authenticode signer, do the following:

  1. Go to the SignServer Admin Web Workers page and click Add to a new worker.
  2. On the Add Worker / Load Template page, choose the method From Template.
  3. In the Load From Template list menu, select ms_authcode_signer.properties and click Next.
  4.  On the Configuration page, click Apply to load the sample MS Authenticode signer configuration.
  5. The MSAuthCodeSigner is now added to the listed workers in state ACTIVE.

Submit and Sign File Using MS Authenticode Signer

The following describes how to submit and sign an executable file with the MS Authenticode signer either using the SignServer Client Web or the SignServer Client CLI SignClient:

You can use any unsigned executable file or use the provided example file HelloPE.exe.

Sign Using Client Web

To download an example executable file and then submit and sign the EXE using the Client Web, do the following:

  1. Download the HelloPE.exe to test EXE Signing.
  2. Go to the SignServer Client Web page on https://<yourawsinstancepublicdns>/signserver/clientweb/genericsign.jsp.
  3. Under File Upload, specify MSAuthCodeSigner as the Worker name field.
  4. Click Browse next to File, select HelloPE.exe and click Submit.
  5. You will be prompted to save the signed EXE file HelloPE.exe.

Sign Using Client CLI

To download an example executable file and then submit and sign the file using the SignServer Client CLI SignClient, do the following. Note that the Client CLI requires Java.

  1. Download the SignServer ClientCLI from the location: https://<yourawsinsancepublicdns>/signserver/clientcli-dist/signserver-clientcli.zip.
  2. Unzip signserver-clientcli.zip to the signserver-clientcli directory.
  3. Copy HelloPE.exe to the bin directory inside the signserver-clientcli directory.
  4. Open a command (cmd) window if on a Windows system, or a terminal on Linux or Mac and change directory (cd) to the bin directory.
  5. Sign HelloPE.exe using SignClient:
    1. If you are on a Windows system, use the following command:

      # signclient.cmd signdocument -host yourawsinsancepublicdns -port 80 -workername MSAuthCodeSigner -infile HelloPE.exe -outfile HelloPESigned.exe
    2. If you are on a Linux or Mac system, use the following command:

      ./signclient signdocument -host yourawsinsancepublicdns -port 80 -workername MSAuthCodeSigner -infile HelloPE.exe -outfile HelloPESigned.exe

Verify the Signature

Verify that the file is signed by inspecting the signature attached to HelloPE.exe in the Windows environment.

To view the signature details, do the following:

  1. Right-click the file and select Properties.

  2. Click the Digital Signatures tab.

  3. Select the signature in the Signature list and click Details.