Code-Signing
Code-Signing or Object-Signing is the signing of programs or scripts in order to attest their integrity and authenticity. For more information please visit the DFN-PKI FAQ page.
How to apply for a code signing certificate
You apply for a Code Signing certificate as a "Pseudonymzertifikat" (pseudonym certificate). The process is generally comparable to that for a normal user certificate, including the need for an identity check and the delivery of the certificate by signed e-mail from dfnpki-mailsender-noreply@dfn-cert.de.
Upon receipt of your certificate request, the registration authority will change your certificate profile to "Code Signing". Unfortunately, there is no option for you to specify this yourself in the web interface.
When generating the certificate application be aware of the following:
- "Name (CN)" should be entered as "PN: Firstname Familyname - CodeSigning".
- "publication of the certificate" should NOT be agreed to. This way your code signing certificate will not be entered into the DFN LDAP server, which makes it harder for other users to mix up your normal user certificate and your code signing certificate.
Other resources
- OpenSSL-based signcode utility
- Code Signing and Verification with OpenSSL
- The signing of the "Enhanced Mitigation Experience Toolkit (EMET)" from Microsoft using OpenSSL and osslsigncode is shown here as an example:
- OpenSSL
Create a p12 file from the browser that contains both the private key and the code signing certificate.
Export the private key from it.
```
openssl pkcs12 -in $EXPORT_CONTAINER.p12 -nocerts -out $PRIVATE_KEY.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
```
Export the certificate as well.
```
openssl pkcs12 -in $EXPORT_CONTAINER.p12 -clcerts -nokeys -out $CERT.pem
Enter Import Password:
```
Extract the "raw" public key from the code signing certificate.
```
openssl x509 -pubkey -noout -in $CERT.pem > $PUB_KEY.pem
```
Get the test file (here EMET).
```
wget https://download.microsoft.com/download/8/E/E/8EEFD9FC-46B1-4A8B-9B5D-13B4365F8CA0/EMET%20Setup.msi -O emet.msi
```
Create the digital signature of the test file (EXEC_FILE is the file to sign, e.g. emet.msi); the second command base64-encodes the signature so it can be distributed as text.
```
openssl dgst -sha256 -sign $PRIVATE_KEY.pem -out $SHA256_DIGEST $EXEC_FILE
openssl enc -base64 -in $SHA256_DIGEST -out $BASE64_ASCII
```
Verify the digital signature (EXEC_FILE as above).
```
openssl enc -base64 -d -in $BASE64_ASCII -out $SHA256_DIGEST
openssl dgst -sha256 -verify $PUB_KEY.pem -signature $SHA256_DIGEST $EXEC_FILE
```
- osslsigncode
Create a p12 file from the browser that contains both the private key and the code signing certificate.
Install the required package.
```
sudo apt-get install osslsigncode
```
Get the test file (here EMET).
```
wget https://download.microsoft.com/download/8/E/E/8EEFD9FC-46B1-4A8B-9B5D-13B4365F8CA0/EMET%20Setup.msi -O emet.msi
```
Sign the file (EXEC_FILE is the file to sign, e.g. emet.msi), either using the p12 file:
```
osslsigncode sign -pkcs12 $EXPORT_CONTAINER.p12 -askpass -n "Enhanced Mitigation Experience Toolkit" -i "https://support.microsoft.com/de-de/kb/2458544" -in $EXEC_FILE -out $EXEC_FILE_SIGNED
Password:
```
or using the private key and the certificate:
```
osslsigncode sign -certs $CERT.pem -key $PRIVATE_KEY.pem -n "Enhanced Mitigation Experience Toolkit" -i "https://support.microsoft.com/de-de/kb/2458544" -in $EXEC_FILE -out $EXEC_FILE_SIGNED
Enter PEM pass phrase:
```
The signed file can additionally be provided with a time stamp; the time stamp service of DFN-PKI is preferred here. Alternative (EXEC_FILE as above):
```
osslsigncode sign -pkcs12 $EXPORT_CONTAINER.p12 -askpass -n "Enhanced Mitigation Experience Toolkit" -i "https://support.microsoft.com/de-de/kb/2458544" -t http://timestamp.verisign.com/scripts/timstamp.dll -in $EXEC_FILE -out $EXEC_FILE_SIGNED
Password:
```
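The OpenSSL detached-signature steps above (extract public key, sign, base64-encode, verify), run end to end as an added shell example that is not part of this page: a throwaway self-signed certificate stands in for the DFN-issued one, the script checks that the certificate actually carries the Code Signing extended key usage, and it shows that a one-byte change to the signed file breaks verification. Assumes openssl 1.1.1 or newer on PATH; all file names and the "installer" content are constructed.

```shell
#!/bin/sh
# Added example, not from the DFN-PKI page. A throwaway self-signed
# certificate stands in for the DFN-issued one; the signing and
# verification steps are the same as in the OpenSSL section above.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the key/certificate exported from the p12 container
# (assumption: a fresh RSA key and a self-signed certificate carrying the
# Code Signing extended key usage, which the DFN "Code Signing" profile sets).
make_test_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=PN: Firstname Familyname - CodeSigning" \
        -addext "extendedKeyUsage=codeSigning" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
    # Same step as on the page: extract the raw public key from the certificate.
    openssl x509 -pubkey -noout -in "$WORK/cert.pem" > "$WORK/pub.pem"
}

# Check that a certificate is actually profiled for code signing (EKU).
has_codesigning_eku() {  # $1 = certificate (PEM)
    openssl x509 -in "$1" -noout -ext extendedKeyUsage | grep -q "Code Signing"
}

# Sign: SHA-256 digest, RSA signature, base64-encoded for distribution.
sign_file() {  # $1 = file, $2 = private key, $3 = base64 signature (output)
    openssl dgst -sha256 -sign "$2" "$1" | openssl enc -base64 > "$3"
}

# Verify: decode the base64 signature, check it against the public key.
# Exit status 0 = signature valid for exactly this file content.
verify_file() {  # $1 = file, $2 = public key, $3 = base64 signature
    openssl enc -base64 -d -in "$3" -out "$WORK/sig.bin"
    openssl dgst -sha256 -verify "$2" -signature "$WORK/sig.bin" "$1" >/dev/null 2>&1
}

make_test_identity
# Constructed stand-in for emet.msi; any file works.
printf 'constructed installer payload\n' > "$WORK/emet.msi"
sign_file "$WORK/emet.msi" "$WORK/key.pem" "$WORK/emet.msi.sig.b64"
# A one-byte change to the file must make verification fail.
printf 'constructed installer payload!\n' > "$WORK/tampered.msi"
```

Call `verify_file "$WORK/emet.msi" "$WORK/pub.pem" "$WORK/emet.msi.sig.b64"` to confirm the good file and the same call on `tampered.msi` to see the failure.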