Background

      Authenticode technology has been available since Internet Explorer 3.0. When Internet Explorer 4.0 was released, it included an upgrade to the Microsoft CryptoAPI, the code that performs the basic functions needed to create, manipulate, and authenticate X.509 digital certificates. There was a corresponding upgrade to the tools used to sign code using this API. However, because Internet Explorer was distributed primarily through user and not developer channels, many developers were not aware that they had to update their toolkit.

Trouble(shooting) in Version City

      Of all the calls to developer support regarding Authenticode, about 19 out of 20 can be solved by checking the version of signcode.exe in the binaries directory of the Internet Client SDK or ActiveX® SDK install directory (typically C:\InetSDK\bin or C:\AxSDK\bin). Chances are, if you are using Internet Explorer 4.0 or greater and code-signing tools that were installed with the ActiveX SDK, you can take for granted that you have the wrong or mismatched versions of Signcode and its dependent DLLs. This is because changes to the Microsoft CryptoAPI for Internet Explorer 4.0 required changes to tools such as Signcode that manipulate certificates using CryptoAPI.
      There are a number of different software errors that can occur when using mismatched DLLs to sign code. These frequently return unhelpful numeric error codes. For the purpose of this column, I will lump these errors together; the steps I'll outline shortly are sufficient to resolve most Authenticode problems.
      To find out what version of Signcode you have, use Windows® Explorer to open the directory where Signcode is installed. Right-click on Signcode.exe, and choose Properties from the Context menu. Click on the Version tab of the property page to see the file version. If you are using any version of Internet Explorer 4.0 or greater, you should have at least version 5.101.1663.1. If your version is below this, your first step should be to download and install a fresh version of the code-signing tools from the Microsoft Web site. (Later I'll go over what you need to do if you are still using Internet Explorer 3.02 with the Authenticode update and you do not want to upgrade.)
      If you already have the Internet Client SDK installed and you are still having problems signing code, you might have inadvertently gotten a mixed set of DLLs by installing to the same directory that contains the ActiveX SDK. If you have only the ActiveX SDK installed and you no longer need any of the documentation or tools, you can safely uninstall the entire thing. Be sure to uninstall using the Add/Remove Programs item in the Windows Control Panel.
      The ActiveX SDK and the Internet Client SDK can live peacefully on the same machine. However, it is not recommended to keep both sets of code-signing tools.
      If you have uninstalled the ActiveX SDK, reboot your machine before installing the new tools. If you have the Internet Client SDK installed, make a new folder within the InetSDK folder called old bin. Move the following files from the InetSDK/bin directory to InetSDK/old bin: imagehlp.dll, certmgr.exe, cert2spc.exe, chktrust.exe, ChkJava.exe, JavaSign.dll, Makecert.exe, makectl.exe, setreg.exe, signcode.exe, and signer.dll. Then start up Internet Explorer and navigate to http://msdn.microsoft.com/downloads/tools/authcodeie4/authcodeie4.asp. Click on the Download Codesign.exe link and save Codesign.exe to a temporary directory. Once the download has completed, open the temporary directory where you saved Codesign.exe and double-click to run the installer. You will be prompted for a directory to unzip the files to (the default is C:\InetSDK\ bin). Once the files have successfully unzipped, you're done!

Verify the Fix

      Once you've completed the installation, verify that you can successfully sign code. Create a new folder and place the following files into it:

• Your software publisher's certificate (.spc) file
• Your private key (.pvk) file
• An .ocx, .exe, or .cab file to sign

 Path = C:\InetSDK\bin
 Signcode -spc MySPC.spc -v myPrivateKey.pvk -n "Test version of Mycontrol" -i 
 http://MyServer.Mydomain.com/ -$ individual -t 
 http://timestamp.verisign.com/scripts/timstamp.dll Mycontrol.cab

Still Using Internet Explorer 3.02?

      Microsoft strongly advises upgrading from Internet Explorer 3.x to Internet Explorer 4.0 or greater. The older versions of the Authenticode tools should still work for those who have Internet Explorer 3.02 with the Authenticode update, and who have never installed any version of Internet Explorer 4.x or the Internet Client SDK. Note that the command line parameters are different for 3.02. To perform the previous signcode step using the Internet Explorer 3.02 version of signcode, you would type the following:

 SignCode -prog MyControl.cab -spc MySPC.spc -pvk myPrivateKey.pvk -timeStamper
 http://timestamp.verisign.com/scripts/timstamp.dll

      If you are still receiving errors after performing these steps, there are three more things that could be causing errors: RSABase.dll could be incorrectly registered, your certificate file could be corrupt, or your Verisign root could be out of date.
      Open a command prompt to your system directory (C:\ Windows\System or C:\WinNT\System32), and reregister RSABase.dll by typing:

 RegSvr32 RSABase.dll

Further Information

      There are a number of useful sites which can help your Authenticode work. A complete reference to the Authenticode tools can be found on the Site Builder Network Workshop site at http://msdn.microsoft.com/downloads/tools/authenticode/authcode.asp.
      If you want to find out more about Signcode, its error messages, and general component development, reference the FAQ at http://msdn.microsoft.com/workshop/components/support/FAQ.asp under "Deployment."
      If you just want to find out how to create cabinet files for signing, see the following sites: Internet Component Download at http://msdn.microsoft.com/workshop/delivery/download/icd.asp and The Cabinet SDK at http://msdn.microsoft.com/workshop/management/cab/cabdl.asp.