Internet Explorer's default security settings require that any software available for download must carry a digital signature before the download can occur. A digital signature provides a way to verify two things: a file's content and its source.
Signatures verify content by ensuring that a file's contents have not been altered since it was first made available for download. A digital signature verifies the source by identifying the legal entity that created the software. When you include a signature with a piece of downloadable software, you are that legal entity, and the legal entity may be held responsible for any damage caused by the signed software when it is downloaded or run.
There are five types of files to which you can apply a digital signature: .ocx, .exe, .dll, .vbd and .cab files. If you are providing one of these types of files for download, you should establish a digital signature for it.
Note: Normally, it is sufficient to sign only the .cab file in which your components are packaged. However, if you intend to distribute an .ocx, .exe, .vbd or .dll without packaging it in a .cab file, you should sign the component itself.
You provide a digital signature by purchasing a certificate from a certificate authority. A certificate authority is a company that validates your identity and issues a certificate to you. The certificate contains your digital signature and is a verification of your credentials. In the event of any problems, the certificate authority becomes a witness to your identity.
You use a technology called Authenticode™ when working with digital signatures. The goal of Authenticode is to deter the distribution of potentially harmful code by creating accountability. Authenticode verifies the publisher of a piece of code to the Internet end users who are downloading it. In addition, Authenticode assures users that the code has not been altered after the signature was applied.
Authenticode technology is derived from public key signature technology, which uses what are known as key pairs to encrypt and decrypt data: a public key and a private key together ensure the privacy of files. The public key is used to encrypt the data, and the private key is used to decrypt it. While this is a successful means of protecting smaller files such as e-mail messages, the process is time consuming for larger files. Authenticode is a modified form of this technology, designed for use with larger files.
The following steps occur in the Authenticode process:
The Authenticode software utility you need to apply a digital signature can be found in the ActiveX SDK, available for download from Microsoft's Internet site. The digital signature must be obtained from an issuing authority such as GTE or VeriSign, Inc.
For More Information: See the Internet Client SDK on your MSDN Library CD-ROM, or at http://www.microsoft.com/workshop/prog/inetsdk/ for more information on how to download the ActiveX SDK. For more information on public and private key encryption, search the Internet for RSA or public-key signatures.
It is very important to keep your certificate safe, because your firm guarantees any file signed with the certificate, whether or not the signature was authorized. You should either keep the certificate with the certificate authority that issued it and send files there for signing or, if you keep the certificate on site, strictly control access to it.
For More Information: See the Authenticode link on the Microsoft Security Advisor table of contents on the Microsoft Web site at http://www.microsoft.com/security to learn the latest about security and digital signing.
You can sign any .ocx, .exe, .dll, .vbd or .cab file you intend to distribute. There are two main steps to perform when you sign code. First, you must apply for a certificate, then you sign your code.
To sign your code
.Set ReservePerCabinetSize=6144
Signcode -prog myfilename -name displayname -info http://www.mycompany.com -spc mycredentials.spc -pvk myprivatekey.pvk
If your signing process was successful, either of these tests will display your certificate.
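As an added example that is not part of the original page, the following PowerShell function performs the receiving side of the check described above on a modern Windows system: it confirms that a downloaded .exe, .dll, .ocx or .cab file is signed, that its contents still match what was signed, and that the signer is the publisher you expect. It assumes the built-in Get-AuthenticodeSignature cmdlet; the publisher name and file path in the usage line are placeholders.

```powershell
# Added example: verify an Authenticode signature on a downloaded file before trusting it.
# Relies on Get-AuthenticodeSignature (Windows PowerShell / PowerShell on Windows).
# $ExpectedPublisher is the certificate Subject you expect; replace the placeholder.
function Test-TrustedDownload {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $reasons = @()

    # Status reports whether the signature chains to a trusted root and whether
    # the file's hash still matches the hash that was signed.
    switch ($sig.Status) {
        'Valid'        { }
        'NotSigned'    { $reasons += 'file carries no signature' }
        'HashMismatch' { $reasons += 'file was altered after it was signed' }
        default        { $reasons += "signature status is $($sig.Status)" }
    }

    # A trusted chain is not enough: the signer must be the publisher you expect.
    if ($sig.SignerCertificate) {
        if ($sig.SignerCertificate.Subject -ne $ExpectedPublisher) {
            $reasons += "signed by '$($sig.SignerCertificate.Subject)', not the expected publisher"
        }
        # Without a timestamp, a signature made with a now-expired certificate cannot be
        # distinguished from one made after the certificate expired.
        if (-not $sig.TimeStamperCertificate -and $sig.SignerCertificate.NotAfter -lt (Get-Date)) {
            $reasons += 'signing certificate has expired and the signature is not timestamped'
        }
    }

    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $sig.SignerCertificate.Subject
        Trusted = ($reasons.Count -eq 0)
        Reasons = $reasons
    }
}

# Usage with placeholder values (replace with your own path and certificate Subject):
# Test-TrustedDownload -Path 'C:\Downloads\mycontrol.cab' -ExpectedPublisher 'CN=My Company, O=My Company, C=US'
```

A result with Trusted set to $false lists every reason the file should not be run; a HashMismatch status is the case the page describes, a file changed after the signature was applied.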