Six Steps to Signing Your Code

Microsoft Corporation

Updated October 21, 1996

Through Microsoft® Internet Explorer version 3.0, Microsoft Authenticode™ technology allows end users, before downloading software from the Internet, to identify who published the software and to verify that no one has tampered with it. Authenticode provides accountability for code available over the Internet similar to that of a shrink-wrapped software box. Once software publishers have applied for and received their digital certificate, the Microsoft ActiveX™ software development kit (SDK) provides the tools they need to sign their code using industry-standard digital signature technology.

For software publishers, code signing requires only six steps:

  1. Download the latest version of Internet Explorer 3.0

    Go to http://www.microsoft.com/ie/download/ and get the latest version of Internet Explorer. You will need Internet Explorer 3.0 build 1154 or later to apply for your credentials and view your signed code.

  2. Apply for credentials from a Certificate Authority

    Go to http://www.microsoft.com/workshop/prog/security/authcode/certs-f.htm for instructions on obtaining a Software Publisher's certificate from a Certificate Authority (CA). From there visit the CA's Web site for an online certificate application and fill in the requisite information.

    You will have the option of applying for an Individual or a Commercial Software Publisher certificate. If you are a commercial organization, please apply for the Commercial Software Publisher certificate; otherwise, apply for the Individual Software Publisher certificate.

    Once you have completed the application, it will take approximately one week for the CA to verify your information. At the end of this process, you will have credentials issued by the CA and a private key that you must store securely. You will need both to sign your code. The private key is generated on your own machine during the application and is not sent to the CA; anyone who obtains it can sign code in your name, so keep it off shared machines and back it up somewhere safe.

  3. Get the latest version of the ActiveX SDK

    Go to http://www.microsoft.com/intdev/sdk/ and download the latest version of the ActiveX SDK. The tools to sign your code are in the SDK. Consult the code signing documentation provided in the SDK for additional information on using these tools.

  4. Prepare your files to be signed

    If you are building any portable executable (PE) files (.EXE, .OCX, .DLL, or other), you need not do anything special: the signature is stored in a certificate table appended to the file and referenced from the PE header. For cabinet (.CAB) files the signature is stored in a reserved area of the cabinet header, so you need to add the following entry to your .DDF file before creating the cab file. It reserves that space; without it there is no room for the signature.

    .Set ReservePerCabinetSize=6144 
    
  5. Sign your files

    You can now sign your .EXE, or .CAB, .OCX, or .DLL file. (Currently, only 32-bit files can be signed.) Here is an example of how to sign:

    signcode -prog myfilename -name displayname -info http://www.mycompany.com -spc mycredentials.spc -pvk myprivatekey.pvk
    

    myfilename is the name of the file that needs to be signed

    displayname is the description of the file that will be shown to the user together with the certificate

    http://www.mycompany.com is the URL given with -info; it should provide the user with more information about the file being downloaded

    mycredentials.spc is the Software Publisher Certificate (credentials) file that was obtained from the CA

    myprivatekey.pvk is the private key that was generated during the application process with the CA

    (Note that if you run signcode without any parameters, it will invoke a wizard that will step you through the signing process.)

  6. Test your signature

    To test a signed .EXE, .DLL, or .OCX file, run chktrust filename

    To test a signed cab file, run chktrust -c cabfilename.cab

    If your signing process worked, this will bring up the certificate dialog that users will see when they download the file.

    Voila! You have just digitally signed your file. When this file is downloaded from a Web site by Internet Explorer, it will display the same certificate to the user. If the file is tampered with in any way after it has been signed, the signature will no longer match the file's contents; the user will be warned and given the option of not installing it on his/her machine.
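    What signcode actually puts into a PE file, and what chktrust recomputes when it checks a signature, as an added example that is not part of the original article or of the ActiveX SDK. The Python script below builds a constructed minimal PE32 image in memory, embeds a stand-in signature as a WIN_CERTIFICATE entry referenced from the security data directory, and hashes the image the way Authenticode does: the CheckSum field, the security directory entry and the certificate table itself are skipped, which is why embedding the signature does not change the value that was signed and why PE files need no reserved space. The PKCS#7 SignedData that signcode really produces is replaced here by a plain digest, SHA-256 stands in for the hash algorithm the 1996 tools used, and the image layout, helper names and sample .text bytes are the example's own assumptions.

```python
import hashlib
import struct

# Layout constants for a PE32 image; the *_OFF values are offsets within the optional header.
FILE_ALIGNMENT = 512
OPT_HEADER_SIZE = 224              # PE32 optional header with 16 data directories
CHECKSUM_OFF = 64                  # IMAGE_OPTIONAL_HEADER.CheckSum
SECURITY_DIR_OFF = 96 + 4 * 8      # DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY]
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def build_sample_pe(text: bytes) -> bytes:
    """Constructed sample: a minimal unsigned PE32 image with one .text section (not a real program)."""
    e_lfanew = 64
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)        # DOS header, no stub
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, OPT_HEADER_SIZE, 0x0102)
    opt = bytearray(OPT_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                          # Magic: PE32
    struct.pack_into("<I", opt, 36, FILE_ALIGNMENT)                # FileAlignment
    struct.pack_into("<I", opt, 60, FILE_ALIGNMENT)                # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    raw_size = -(-len(text) // FILE_ALIGNMENT) * FILE_ALIGNMENT
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, raw_size,
                          FILE_ALIGNMENT, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    headers += b"\0" * (FILE_ALIGNMENT - len(headers))
    return headers + text + b"\0" * (raw_size - len(text))


def _optional_header(pe: bytes) -> int:
    """File offset of the optional header (after the PE signature and the 20-byte COFF header)."""
    e_lfanew = struct.unpack_from("<I", pe, 60)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    return e_lfanew + 4 + 20


def security_directory(pe: bytes):
    """(file offset, size) of the attribute certificate table, (0, 0) when unsigned.
    Unlike the other data directories this entry holds a file offset, not an RVA."""
    return struct.unpack_from("<II", pe, _optional_header(pe) + SECURITY_DIR_OFF)


def authenticode_digest(pe: bytes, algorithm: str = "sha256") -> str:
    """Hash the image as Authenticode does: skip CheckSum, the security directory entry
    and the certificate table, so the signature never covers itself. (The full spec also
    orders sections by PointerToRawData; for this single-section image that is file order.)"""
    opt = _optional_header(pe)
    checksum, secdir = opt + CHECKSUM_OFF, opt + SECURITY_DIR_OFF
    cert_off, cert_size = security_directory(pe)
    h = hashlib.new(algorithm)
    h.update(pe[:checksum])
    h.update(pe[checksum + 4:secdir])
    h.update(pe[secdir + 8:cert_off] if cert_off else pe[secdir + 8:])
    if cert_off:
        h.update(pe[cert_off + cert_size:])       # anything after the table (normally nothing)
    return h.hexdigest()


def embed_signature(pe: bytes, blob: bytes) -> bytes:
    """Append a WIN_CERTIFICATE carrying `blob` and point the security directory at it.
    In real signing `blob` is the PKCS#7 SignedData produced by signcode."""
    if security_directory(pe) != (0, 0):
        raise ValueError("already signed")
    length = 8 + len(blob)
    padded = (length + 7) & ~7                    # certificate entries are 8-byte aligned
    cert = struct.pack("<IHH", padded, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    cert += blob + b"\0" * (padded - length)
    out = bytearray(pe)
    struct.pack_into("<II", out, _optional_header(pe) + SECURITY_DIR_OFF, len(pe), padded)
    return bytes(out) + cert


def sign(pe: bytes) -> bytes:
    """Stand-in for signcode: embeds the bare digest where the PKCS#7 signature would go."""
    return embed_signature(pe, b"DIGEST:" + authenticode_digest(pe).encode())


def verify(pe: bytes) -> bool:
    """Stand-in for chktrust: recompute the digest and compare it with the embedded one."""
    cert_off, cert_size = security_directory(pe)
    if not cert_off or cert_off + cert_size > len(pe):
        return False
    length, revision, ctype = struct.unpack_from("<IHH", pe, cert_off)
    if revision != WIN_CERT_REVISION_2_0 or ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        return False
    blob = pe[cert_off + 8:cert_off + length].rstrip(b"\0")
    if not blob.startswith(b"DIGEST:"):
        return False
    return blob[len(b"DIGEST:"):].decode() == authenticode_digest(pe)


def demo() -> dict:
    """Sign a constructed image, then show that a one-byte change in .text is detected."""
    unsigned = build_sample_pe(b"\xCC" * 32)     # constructed .text contents (int3 padding)
    signed = sign(unsigned)
    tampered = bytearray(signed)
    tampered[FILE_ALIGNMENT] ^= 0xFF              # flip the first byte of .text
    return {
        "unsigned_verifies": verify(unsigned),
        "signed_verifies": verify(signed),
        "tampered_verifies": verify(bytes(tampered)),
        "digest_stable_across_signing": authenticode_digest(unsigned) == authenticode_digest(signed),
    }


if __name__ == "__main__":
    print(demo())
```

    Two points worth noticing when running demo(): the digest of the image is the same before and after the certificate table is appended, which is the property that lets the signature be stored inside the file it covers; and because the CheckSum field is excluded from the hash, rewriting that field after signing does not break the signature, which is intended (the loader's checksum can be recomputed without re-signing) but also means the checksum is not protected by it. The real chktrust additionally verifies the PKCS#7 signature and the certificate chain back to the CA, which this stand-in does not attempt.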

Software developers who have more questions should contact Microsoft Product Support Services or check the Web site http://www.microsoft.com/workshop/prog/security/authcode/certs-f.htm.