MS Authenticode CMS Signer
ENTERPRISE This is a SignServer Enterprise feature.
The signer has the fully qualified class name: org.signserver.module.msauthcode.signer.MSAuthCodeCMSSigner.
Overview
The MS Authenticode CMS signer is special-purpose version of the extended CMS signer, producing Authenticode-compatible CMS signatures suitable for embedding into portable executables (.exe, .dll), MSI installer packages, and Cabinet archives (.cab). This is intended for use with client-side hashing, where a client does the hashing of the original file and requests this hash to be signed by SignServer, giving a resulting signature which is then inserted into the resulting output file by the client.
This signer has all the properties of the Extended CMS Signer, and also the same Authenticode-specific properties as the MS Authenticode Signer. Note however that setting CONTENTOID or allowing overriding content OID (by setting ALLOW_CONTENTOID_OVERRIDE to true) is not supported (as the content OID will be set to be compatible with Authenticode specification). Note also that setting DER_RE_ENCODE is not supported (as the sign method is overwritten to implement an authenticode-style signing). The resulting data structure will always be DER encoded.
The signdocument command can be used with client-side hashing and construction to sign a portable executable or MSI installer by hashing on the client-side, signing the hash server-side using this signer, and finally assembling the final signed binary or installer on the client-side. For more information, see Client-Side Hashing.
The MS Authenticode CMS signer only supports RFC#3161 timestamps (and not the legacy Authenticode timestamp format).
Available Properties
| Property | Description |
|---|---|
| PROGRAM_NAME | Program name to embed in the signature. Optional, default: none. |
| ALLOW_PROGRAM_NAME_OVERRIDE | If the requestor should be able to override the program name by supplying it as a request metadata property. Optional, default: false. |
| PROGRAM_URL | Program URL to embed in the signature. Optional, default: none. |
| ALLOW_PROGRAM_URL_OVERRIDE | If the requestor should be able to override the program URL by supplying it as a request metadata property. Optional, default: false. |
Request Properties
This worker can accept the following request metadata properties, given that they are configured to be allowed:
| Field | Description |
|---|---|
| FILE_TYPE | The file type for which the signature should be used in. Currently supported values are PE (for portable executables, such as Windows .exe and .dll files), MSI (for Windows installers), PS1 (for PowerShell scripts), or CAB (for Cabinet archives). This affects the layout of the content in the CMS structure. If not specified, PE is assumed. |
| PROGRAM_NAME | Program name text to use instead of the configured one (if any). Specifying an empty value removes the configured program name. Without ALLOW_PROGRAM_NAME_OVERRIDE configured in the worker request, including this request property will not be allowed. |
| PROGRAM_URL | Program URL to use instead of the configured one (if any). Specifying an empty value removes the configured program URL. Without ALLOW_PROGRAM_URL_OVERRIDE configured in the worker request, including this request property will not be allowed. |
Algorithm Support
For information on supported algorithms, see MS Authenticode Signer Algorithm Support.
Related Content
-
Page:
-
Page:
-
Page: