
Code-Signing

Brief information

Code-Signing or Object-Signing is the signing of programs or scripts in order to attest their integrity and authenticity. For more information, please visit the DFN-PKI FAQ page.


Instructions

How to apply for a code signing certificate

You apply for a Code Signing certificate as a "Pseudonymzertifikat" (pseudonym certificate). The process is generally comparable to that for a normal user certificate, including the need for an identity check and the delivery of the certificate by signed e-mail from dfnpki-mailsender-noreply@dfn-cert.de.

Upon receipt of your certificate request, the registration authority will change your certificate profile to "Code Signing". Unfortunately, there is no option to specify this yourself on the web interface.

When generating the certificate application, be aware of the following:

  • "Name (CN)" should be entered as "PN: Firstname Familyname - CodeSigning".
  • "publication of the certificate" should NOT be agreed to. Your code signing certificate will then not be entered into the DFN LDAP server, which makes it less likely that other users confuse your normal user certificate with your code signing certificate.

Other resources

  1. OpenSSL
  • Create a p12 file from the browser that contains both the private key and the code signing certificate.

  • Export the private key from it.

    openssl pkcs12 -in $EXPORT_CONTAINER.p12 -nocerts -out $PRIVATE_KEY.pem
      Enter Import Password:
      MAC verified OK
      Enter PEM pass phrase:
      Verifying - Enter PEM pass phrase:
  • Export the certificate as well.

    openssl pkcs12 -in $EXPORT_CONTAINER.p12 -clcerts -nokeys -out $CERT.pem
      Enter Import Password:
  • Extract the "raw" public key from the code signing certificate.

    openssl x509 -pubkey -noout -in $CERT.pem > $PUB_KEY.pem
  • Download a test file (here EMET).

    wget https://download.microsoft.com/download/8/E/E/8EEFD9FC-46B1-4A8B-9B5D-13B4365F8CA0/EMET%20Setup.msi -O emet.msi
  • Create the digital signature of the test file (the first command signs the SHA-256 hash of the file with the private key exported above; the second encodes the binary signature as Base64 text).

    openssl dgst -sha256 -sign $PRIVATE_KEY.pem -out $SHA256_DIGEST $EXEC_FILE

    openssl enc -base64 -in $SHA256_DIGEST -out $BASE64_ASCII

    (as EXEC_FILE e.g. emet.msi)

  • Verify the digital signature (decode the Base64 signature, then check it against the public key extracted above).

    openssl enc -base64 -d -in $BASE64_ASCII -out $SHA256_DIGEST

    openssl dgst -sha256 -verify $PUB_KEY.pem -signature $SHA256_DIGEST $EXEC_FILE

    (as EXEC_FILE e.g. emet.msi)
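The OpenSSL sign-and-verify steps above as one runnable round trip, with a tamper check added so the failure case is visible as well. This is an added example, not part of the original page: it generates a throwaway RSA key pair instead of using the key exported from the p12 container, and the file names and the constructed test payload are assumptions.

```shell
#!/bin/sh
# Added example: detached SHA-256 signature round trip with openssl.
# A throwaway key pair stands in for the exported code-signing key;
# the payload below is constructed, not a real installer.
set -eu

WORK=$(mktemp -d)
PRIVATE_KEY="$WORK/private_key.pem"   # stands in for $PRIVATE_KEY.pem
PUB_KEY="$WORK/pub_key.pem"           # stands in for $PUB_KEY.pem
EXEC_FILE="$WORK/test.bin"            # stands in for emet.msi
SIG="$WORK/test.bin.sig"              # raw signature ($SHA256_DIGEST on the page)
SIG_B64="$WORK/test.bin.sig.b64"      # Base64 transport form ($BASE64_ASCII)

# Throwaway 2048-bit RSA key pair (assumption: not the certificate's key).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$PRIVATE_KEY" 2>/dev/null
openssl pkey -in "$PRIVATE_KEY" -pubout -out "$PUB_KEY"

# Constructed stand-in for the file to be signed.
printf 'constructed installer payload\n' > "$EXEC_FILE"

# Sign: hash the file with SHA-256, sign the hash, Base64-encode the signature.
sign_file() {
  openssl dgst -sha256 -sign "$PRIVATE_KEY" -out "$SIG" "$1"
  openssl enc -base64 -in "$SIG" -out "$SIG_B64"
}

# Verify: decode the Base64 signature and check it against the public key.
# Prints "valid" or "invalid" and returns 0 or 1 so callers can branch on it.
verify_file() {
  openssl enc -base64 -d -in "$SIG_B64" -out "$WORK/decoded.sig"
  if openssl dgst -sha256 -verify "$PUB_KEY" -signature "$WORK/decoded.sig" "$1" >/dev/null 2>&1; then
    echo valid
    return 0
  fi
  echo invalid
  return 1
}

sign_file "$EXEC_FILE"
verify_file "$EXEC_FILE"

# One appended byte changes the hash, so the unchanged signature no longer verifies.
cp "$EXEC_FILE" "$WORK/tampered.bin"
printf 'x' >> "$WORK/tampered.bin"
verify_file "$WORK/tampered.bin" || true
```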

  2. osslsigncode
  • Create a p12 file from the browser that contains both the private key and the code signing certificate.
  • Install the required package.

    sudo apt-get install osslsigncode
  • Download a test file (here EMET).

    wget https://download.microsoft.com/download/8/E/E/8EEFD9FC-46B1-4A8B-9B5D-13B4365F8CA0/EMET%20Setup.msi -O emet.msi
  • Sign the file

    • using the p12 file

      osslsigncode sign -pkcs12 $EXPORT_CONTAINER.p12 -askpass -n "Enhanced Mitigation Experience Toolkit" -i "https://support.microsoft.com/de-de/kb/2458544" -in $EXEC_FILE -out $EXEC_FILE_SIGNED
        Password:

      (as EXEC_FILE e.g. emet.msi)

       
    • using the private key and the certificate

      osslsigncode sign -certs $CERT.pem -key $PRIVATE_KEY.pem -n "Enhanced Mitigation Experience Toolkit" -i "https://support.microsoft.com/de-de/kb/2458544" -in $EXEC_FILE -out $EXEC_FILE_SIGNED
        Enter PEM pass phrase:

      (as EXEC_FILE e.g. emet.msi)

    • The signed file can additionally be given a timestamp; the DFN-PKI timestamp service is preferred for this. Alternative (Verisign timestamp server):

      osslsigncode sign -pkcs12 $EXPORT_CONTAINER.p12 -askpass -n "Enhanced Mitigation Experience Toolkit" -i "https://support.microsoft.com/de-de/kb/2458544" -t http://timestamp.verisign.com/scripts/timstamp.dll -in $EXEC_FILE -out $EXEC_FILE_SIGNED
        Password:
      (as EXEC_FILE e.g. emet.msi)

last changed on 03/27/2023

This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License