Code signing - a how to guide

Question 1: What is Code signing?

A: dBASE Plus, beginning with version 2.61.4, supports running application exe's that have been code signed.

Code Signing is a method of identifying who the publisher of an executable file is and ensuring that the file has not been altered since publication.

It works by adding a digital signature to the end of an executable file which can then be checked at runtime for its authenticity.

A digital signature consists of a digital certificate along with a publisher's public key that has been issued by a certification authority (such as VeriSign, Thawte, or Comodo). A part of the digital certificate is encrypted using the publisher's private key.

At runtime, the operating system and/or web browser uses the public key to decrypt the digital certificate. If it is successful, the certificate is considered to be authentic. Additional checks are made to ensure that the issuing authority claimed in the digital certificate actually issued the certificate (by checking a higher level or root certificate issued by the certification authority) and that the certificate is still valid (certificates are issued for 1, 2, or 3 year time periods).
If all of these checks are successful, the file being checked is allowed to run without further warnings.
If any of these checks fail, an appropriate warning dialog will be displayed.

(The basis of Private Key/Public Key encryption is that a public key can only successfully decrypt something if it has been signed with the matching Private Key. As long as a publisher's Private key is kept secret, no one else can use it to create .exe's attributable to that publisher.)

The code signing certificate is issued to the person or company applying for it by a certification authority. By issuing a certificate, the certification authority is taking on the obligation of vouching for the identity of the person or company to whom they are issuing a certificate. Therefore, when purchasing a digital certificate, the purchaser must provide sufficient documentation to the certification authority to convince them that they are who they claim to be.
As mentioned above, code signing certificates are issued for 1, 2 or 3 year time periods. As the end of the time period approaches you will need to renew your certificate in order to prevent warning messages from appearing when your signed .exe's are run. In this case the warning would be an "Expired Certificate" type of warning rather than an "Unknown Publisher" warning.

In order for the OS or browser to check the authenticity of an .exe's certificate, it must have a higher level certificate accessible to it for each of the common certification authorities such as VeriSign, Thawte, or Comodo. There are many certificate authorities in existence, but only a small number have their root level certificates pre-installed in Internet Explorer, Firefox, Safari, and other web browsers.

The major OS and browser publishers now include the root certificate for the above 3 certification authorities in their software - so that a user does not have to manually download and install their root certificates - which would otherwise be required by every user before the authentication process can be accomplished.

Wikipedia has a good overview of code signing here: http://en.wikipedia.org/wiki/Code_signing

Question 2: What are the step by step instructions for Code signing?

A: Code Signing Step-by-Step
============================

1. Obtain a digital certificate and your Private Key from one of the certification authorities.

The digital certificate is usually in a file named something like: myCert.spc
The private key is usually in a file named something like: myKey.pvk

When purchasing your certificate, you must specify a Private Key password to use with it.
Make sure you keep a record of your Private Key password as you will need to use it for several steps in the signing process.
Here are links to several of the more well known certification authorities:

Comodo:
http://www.tech-pro.net/code-signing-certificate.html

Thawte:
https://www.thawte.com/ssl-digital-certificates/code-signing/index.html?click=buyssl-buttonsleft

VeriSign:
http://www.verisign.com/products-services/security-services/code-signing/digital-ids-code-signing/index.html

2. Obtain code signing utilities.

dBASE Plus 2.61.5 application exe's have been successfully tested using Microsoft's Authenticode code signing utilities. Other code-signing utilities should work but have not yet been tested by dataBased Intelligence.

The Authenticode tools are available as free downloads at the following link as part of several different Platform SDKs (Software Development Kits) from Microsoft's website. In addition, these tools are installed as part of Microsoft Visual Studio 2005 or newer:

http://msdn.microsoft.com/en-us/library/ms537359(v=vs.85).aspx

Once you've downloaded the SDK, run the installer.

The main utilities you will need out of the SDK are:
signtool.exe - utility to code sign a file and to verify that a file is signed
pvk2pfx.exe - utility to combine a private key (.pvk) with a certificate (.spc) into a .pfx file


Additional utilities you may use are:
makecert.exe - creates a dummy certificate that can be used for testing
cert2spc.exe - converts a certificate file into an .spc file
signcode.exe - signs a file directly using an .spc file and a .pvk file (superseded by signtool.exe)


3. Use pvk2pfx.exe to combine your digital certificate and private key into a single file (of type .pfx) as follows:

In a Windows Command prompt enter the following command:

pvk2pfx.exe -pvk myKey.pvk -pi <password> -spc myCert.spc -pfx myCert.pfx -po <password>

where <password> is your Private Key password specified in Step 1 above (-pi gives the password of the .pvk file; -po sets the password that will protect the new .pfx file, which Step 5 uses).

You should only need to run pvk2pfx.exe the first time you obtain a code signing certificate and each time you renew your certificate.


4. If you haven't already, build your dBASE Plus application .exe (using dBASE Plus 2.61.5 or later).


5. Use signtool.exe to sign your application .exe (myApp.exe) as follows:
Note: Your workstation must have Internet access for signtool.exe to work properly (it contacts the timestamp server given with /t).

At a Windows Command Prompt enter:

signtool.exe sign /f myCert.pfx /p <password> /t <timestamp server URL> /v myApp.exe

where <password> is your Private Key password specified in Step 1 above.
<timestamp server URL> is the web address of a time server belonging to one of the Certification Authorities.

Some valid time servers are:
http://timestamp.comodoca.com/authenticode
http://timestamp.verisign.com/scripts/timstamp.dll
http://timestamp.globalsign.com/scripts/timstamp.dll

Here is an example showing everything typed out:

signtool.exe sign /f myCert.pfx /p My123passWord /t http://timestamp.comodoca.com/authenticode /v myApp.exe


If any errors are detected, you will see error messages written to your Command Prompt window.

If successful, you will see completion messages written to your Command Prompt window.


6. Test running your signed application .exe
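As an added illustration of the check described in Question 1 (the signature is appended to the .exe and everything else in the file is hashed) and as a way to confirm after Step 5 that myApp.exe really carries an embedded signature, the following Python script is not part of this guide or of Microsoft's tools: it parses the PE headers itself and assumes, as signtool writes it, that the certificate table is the last thing in the file and that sections appear in file order. The build_test_pe helper constructs a fake minimal image purely for demonstration; the file names and function names are all assumptions.

```python
import hashlib
import struct
import sys

def _pe_layout(data):
    """Return offsets of the CheckSum field, the security data-directory entry and the
    certificate table it points to; all offsets follow the PE/COFF layout."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 24                                          # optional header after the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)           # data directories: PE32+ vs PE32
    secdir = dirs + 4 * 8                                  # index 4 = IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_len = struct.unpack_from("<II", data, secdir)
    return opt + 64, secdir, cert_off, cert_len            # CheckSum sits at optional-header offset 64

def has_embedded_signature(data):
    """True when the security directory points at a certificate table inside the file."""
    _, _, cert_off, cert_len = _pe_layout(data)
    return cert_len > 0 and cert_off + cert_len <= len(data)

def authenticode_digest(data, algo="sha256"):
    """Hash of everything the signature covers: the whole file minus CheckSum, the security
    directory entry and the appended certificate table (assumed, as signtool writes it, at EOF)."""
    checksum, secdir, cert_off, cert_len = _pe_layout(data)
    h = hashlib.new(algo)
    h.update(data[:checksum])
    h.update(data[checksum + 4:secdir])
    h.update(data[secdir + 8:cert_off if cert_len else len(data)])
    return h.hexdigest()

def build_test_pe(code, cert=b"", checksum=0):
    """Constructed minimal PE32 image (headers plus raw code bytes, not runnable) for the demo."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (pe_off - 6) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                   # PE32 optional header incl. 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)
    cert_off = pe_off + len(coff) + len(opt) + len(code)
    if cert:                                               # stand-in for the WIN_CERTIFICATE blob
        struct.pack_into("<II", opt, 96 + 4 * 8, cert_off, len(cert))
    return dos + coff + bytes(opt) + code + cert

if __name__ == "__main__":                                 # usage: python authenticode_check.py myApp.exe
    blob = open(sys.argv[1], "rb").read()
    print("embedded signature:", has_embedded_signature(blob))
    print("authenticode sha256:", authenticode_digest(blob))
```

The script only locates the signature and computes the hash it is supposed to cover; the cryptographic check of the signature and its certificate chain is what `signtool.exe verify /pa /v myApp.exe` performs.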