≡ Menu

How to Digitally Sign Microsoft Files (.exe, .cab, .dll, .ocx, .msi, .xpi)

Sometimes Unix system administrators may end-up managing few Windows servers. If that ever happens to you, be prepared to do some basic administrative tasks on Windows. In this article, let us discuss how to sign microsoft executables and DLL.

Why digitally sign executable and other windows files?

You will get the following ‘Unknown Publisher’ message when a file is not digitally signed.

Fig: Unknown Publisher Message (If not digitally signed)

If you select the file -> right-mouse click -> properties -> There will not be a ‘Digital Signature’ tab for those files that are not signed.

Fig: Digital Signatures Tab (For valid signed files)

Purchase Microsoft Authenticode Certificates

You can purchase Microsoft authenticode certificate from either verisign or thawte.

During the purchase process, you’ll provide the following information:

  • Certification Information: Company name, Department, City, State, Country
  • Cryptographic service provider: Use the default Microsoft Enhanced Cryptographic Provider v1.0
  • Location to save the private key: During the certificate purchase process, you will be given an option to save the private key that was generated by the system.
  • Private key password

Sign Using the Digital Signature Tool Wizard

Call the digital signature tool signtool.exe that is located in your Microsoft SDK toolkit as shown below.

C:>"E:\Microsoft Platform SDK\Bin\signtool.exe" signwizard

Fig: Select the file that needs to be digitally signed

Choose ‘custom’ in the digital signing options, as shown below.

Fig: Digital signing option

Choose ‘Select from File’ option from this screen, and select the digital certificate that you have purchased.

Fig: Select the digital certificate

Choose ‘Private key file on disk’ option and select the private key that was given to you when you purchased the digital certificate.

Fig: Choose the private key

Fig: Enter private key password

Choose ‘sha1’ as the hasing algorithm

Fig: Select a hash algorithm

Leave all the fields to default value in this screen.

Fig: Additional certificate information

Leave the description and web location field empty.

Fig: Data Description

Add the following timestamp service URL:

http://timestamp.verisign.com/scripts/timstamp.dll

Fig: Add timestamp service url

This will successful sign the Microsoft executable with the digital signature. After the above steps, when you view the file properties, you’ll see the Digital-Signatures tab.

Add your comment

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

Comments on this entry are closed.

  • Ron October 13, 2010, 6:59 am

    Is there any other way to do this without the SDK?

  • Igor June 10, 2011, 1:36 am

    How much weight does it add to an executable?

  • Gary December 2, 2011, 5:52 pm

    What about all of the above if I have XP?

    Thanks, I’m trying to load drivers from Echo, for my Gina24 Sound card and I can’t
    get “Digital” outputs, and that’s the only thing I see that could be stopping me from
    getting them?

    Gary

  • pallavi September 10, 2012, 11:04 pm

    is there any code in c/c++ for signing and then verifying that the executable is signed or not