Using certificates for signing parcels

Running an unknown program is a risk: by running it, you grant it access to your computer, and there is always a possibility that the program you have just started is not what you expect it to be. An executable parcel is a program, and like any program, it may be infected or modified to do something harmful.

Signing a parcel addresses this risk. A digital signature lets the recipient check that the parcel really comes from the person they expect and is not a trojan merely pretending to come from someone they know. A valid signature guarantees two things: the parcel was signed by the holder of the private key that belongs to the certificate, and it has not been modified (or infected) since it was signed. It does not vouch for anything that happened before signing, and it is only as trustworthy as the certificate behind it, which is why the choice of certificate, discussed below, matters.

Signing non-executable (i.e. standard or hidden) parcels is not necessary, as they don't contain any executable code.

Silver Key Enterprise edition can create digitally signed executable parcels. All you need to do is provide the paths to your certificate and private key files:

Crypto Settings Panel

The certificate file has either a .cer (Certificate) or an .spc (Software Publisher Certificate) extension; the private key file has the .pvk extension.

Compare the warning boxes for an unsigned parcel:

Opening a non-signed parcel.

and for a signed parcel:

Opening a properly signed parcel.

Where Do I Get a Certificate?

There are two ways to obtain a certificate: either create it yourself, or buy it from a Certificate Authority.

A self-created (or, more precisely, self-signed) certificate will not be recognized on other computers, because you are not an established, well-known Certificate Authority (well, unless you are). You first need to send your certificate to your correspondents, together with instructions on how to install it on their computers.

A certificate signed by a CA (Certificate Authority) whose root Windows already trusts is recognized on every computer without any installation on the recipient's side. Such a certificate has only one drawback, but a big one: it is not free, and you will have to pay for it and renew it, typically every year.

Summing up,

  • A self-signed certificate can be used when your parcels are sent to a small circle of well-known correspondents and it is possible to install your certificate on the recipients' computers.
  • A CA-signed certificate is necessary when there are too many recipients, or when the audience is not defined; in short, whenever it is not possible to install a self-signed certificate.

CA-issued Certificates

There are several Certificate Authorities you can obtain a certificate from. The certificate type you need is called a Code Signing Certificate or Microsoft Authenticode Certificate. After verifying your identity, the Certificate Authority will send you the certificate in some form, together with instructions on how to convert it to the .spc/.pvk pair (or the equivalent .cer/.pvk). Check before ordering that you will actually receive the private key as a file: since 2023 the CA/Browser Forum rules require the private key of a code signing certificate to be kept in a hardware cryptographic module (typically a USB token or a cloud signing service), and a key that lives on a token cannot be exported to a .pvk file.

Open the Settings panel, select the Digital Signature page, and enter the paths to the .spc and .pvk files. Create any executable parcel, right-click it, select Properties, and check the Digital Signature tab.

Self-signed Certificates

You will need the MakeCert tool, which is part of the Windows SDK. If there is no makecert.exe on your computer, download the Windows SDK from the Microsoft Web site. Microsoft has deprecated MakeCert, but the SDK still includes it.

The first step is creating the root (CA) certificate. Open a Windows Command Prompt and enter

makecert -r -pe -n "CN=Head & Feet Research Institute"
    -ss CA -sr CurrentUser -a sha1 -cy authority
    -sky signature -sv hfri.pvk hfri.cer

The command above must be entered as a single line. Newer MakeCert versions also accept -a sha256; prefer it where available, as Windows has been phasing out SHA-1 certificate signatures.

It creates two files in the current directory: hfri.cer (the certificate) and hfri.pvk (the private key), issued to the organization Head & Feet Research Institute. MakeCert prompts for a password to protect the private key file; set one rather than choosing None. Store the private key in a safe place; it must not be kept in the open. Whoever holds hfri.pvk can issue certificates that every recipient who installed hfri.cer will trust.

The file hfri.cer contains the organization's root certificate, which will be used for signing child certificates, which in turn will be used for signing parcels. The root certificate must be installed either with the CertUtil command-line tool

certutil -user -addstore Root hfri.cer

or simply by right-clicking the certificate file and selecting Install. Either way, Windows asks for confirmation before adding a certificate to the Root store and shows the certificate's thumbprint in the confirmation dialog.

The next step is creating the certificate, which will actually be used for parcel signing:

makecert -pe -n "CN=HFRI Feet Department" -a sha1 -cy end
    -sky signature -iv hfri.pvk -ic hfri.cer
    -sv hfri-fd.pvk hfri-fd.cer

The command above must be entered as a single line.

Now open the Settings panel, select the Digital Signature page, and enter the paths to the just-created files hfri-fd.cer and hfri-fd.pvk. Every executable parcel created from now on will be signed with this certificate. Create an executable parcel, right-click it, select Properties, and make sure that the Digital Signature tab correctly displays your certificate.

For your certificate to be recognized on recipients' computers, send your correspondents the root certificate file hfri.cer (not hfri.pvk!) and ask them to install it by right-clicking the file and selecting Install. Send them the certificate's thumbprint by a separate channel, such as a phone call (certutil -dump hfri.cer prints it as Cert Hash(sha1)), so they can compare it with the thumbprint Windows shows in the installation dialog; an attacker who can swap the certificate in transit gains exactly what the signature was supposed to prevent. Bear in mind that installing hfri.cer makes the recipient trust anything signed with any certificate issued under it, and that certificates created by MakeCert carry no revocation information, so if hfri-fd.pvk is ever compromised the only remedy is to ask every recipient to remove hfri.cer.

Timestamp or not Timestamp?

Timestamping adds to the signature record a countersignature from a time-stamping server, which attests to the date and time of signing. Its purpose is best illustrated by a simple example: assume that your certificate expires on 1 May 2013 and you sign your parcel on 1 April 2013. What happens to your digital signature on 1 May?

  • If you have not timestamped the parcel, the signature expires together with the certificate on 1 May and becomes invalid.
  • If the parcel is timestamped, the signature remains valid, because the system can determine that the certificate was valid at the moment of signing.

A timestamp is necessary if your parcel is supposed to live longer than your certificate. Since the time-stamping server must be contacted while the parcel is being created, timestamping requires a network connection at signing time.
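The checks a recipient should make before opening a parcel, covering both the certificate chain set up in the sections above and the timestamp discussed here, as an added example: this is a PowerShell script written for this page, not part of Silver Key. It reads the Authenticode signature of the parcel with the standard Get-AuthenticodeSignature cmdlet, rejects the parcel unless Windows reports the signature valid, rebuilds the chain with the .NET X509Chain class and refuses any signer that does not chain to the specific root the sender distributed (identified by the thumbprint the recipient received out of band), and warns when the signature carries no timestamp. The script name, parameter names and sample paths are assumptions.

```powershell
# Check-Parcel.ps1 (added example; the name is an assumption, not a Silver Key tool).
# Verifies a signed executable parcel on the recipient's side before it is run.
param(
    [Parameter(Mandatory = $true)][string]$ParcelPath,
    # SHA-1 thumbprint of the sender's root certificate (hfri.cer), received out of band.
    # Spaces and case are ignored so it can be pasted from 'certutil -dump hfri.cer'.
    [Parameter(Mandatory = $true)][string]$ExpectedRootThumbprint
)

$expectedRoot = ($ExpectedRootThumbprint -replace '\s', '').ToUpperInvariant()

# 1. Ask Windows to verify the Authenticode signature.
#    NotSigned    -> unsigned parcel (the first warning box above)
#    HashMismatch -> the parcel was modified after it was signed
#    NotTrusted   -> the chain does not end in an installed trusted root
$sig = Get-AuthenticodeSignature -FilePath $ParcelPath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to open '$ParcelPath': $($sig.Status) - $($sig.StatusMessage)"
}

# 2. 'Valid' only means that *some* trusted root vouches for the signer.
#    Rebuild the chain and pin its root to the one the sender actually distributed,
#    so a signer under any other root (installed for unrelated reasons) is rejected.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# MakeCert certificates carry no CRL distribution point, so an online revocation
# check could only fail; the root is pinned by thumbprint instead.
# For a CA-issued certificate use X509RevocationMode::Online here.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($sig.SignerCertificate)) {
    $problems = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Chain for '$($sig.SignerCertificate.Subject)' did not build: $problems"
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Thumbprint.ToUpperInvariant() -ne $expectedRoot) {
    throw "Signer '$($sig.SignerCertificate.Subject)' chains to an unexpected root '$($root.Subject)' ($($root.Thumbprint))"
}

# 3. Without a timestamp the signature is only as durable as the certificate:
#    Windows stops treating it as valid once SignerCertificate.NotAfter has passed.
if ($null -eq $sig.TimeStamperCertificate) {
    Write-Warning "No timestamp: this signature stops verifying after $($sig.SignerCertificate.NotAfter)"
} else {
    Write-Output "Timestamped by '$($sig.TimeStamperCertificate.Subject)'"
}

Write-Output "OK: '$ParcelPath' signed by '$($sig.SignerCertificate.Subject)', chained to '$($root.Subject)'"

# Usage (paths are examples):
#   .\Check-Parcel.ps1 -ParcelPath .\report.exe -ExpectedRootThumbprint '<Cert Hash(sha1) line from certutil -dump hfri.cer>'
```

Pinning the root is the step that turns "Windows trusts this" into "the sender I expect signed this": a recipient's Root store typically already holds dozens of roots, and a parcel signed under any of them would otherwise pass the first check.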