Digital Code Signing Your Script

[Emiel Wieldraaijer]

@Ptrex

I'd like to say THANK YOU

Someone created a GUI to sign files with a FAQ and download links

http://www.briggsoft.com/signgui.htm

[ptrex]

@Emiel Wieldraaijer / jackit

Thanks for mentioning SingTool.exe.

But I haven't used the SingTool.exe (yet).

I explained two approaches to create a Certificate for codeSigning.

The first one use a Windows Server (see post 1)

The second uses makecert.exe (see post 9).

You can download makecert as well from the link mentioned in post 9.

regards

ptrex

[ptrex]

@Emiel Wieldraaijer / jackit

Thanks for mentioning SingTool.exe.

But I haven't used the SingTool.exe (yet).

I explained two approaches to create a Certificate for codeSigning.

The first one use a Windows Server (see post 1)

The second uses makecert.exe (see post 9).

You can download makecert as well from the link mentioned in post 9.

regards

ptrex

[Wooltown]

Unfortunately I can't get it to work, I get the following message, see attached file:

I have imported my self generated file as you have written in the instructions.

[ptrex]

@Wooltown

If you are not familiar with certificates it will be hard to debug your problem.

One this to check before proceeding is go to MMC open the Certificates and see if you find the certificate you installed.

Check the name and friendly name of it and compare it to what you referred it into your script.

Check also the properties of that certificate to see if it is made for code signing purposes.

regards,

ptrex

[Wooltown]

It looks ago, I attach a new screenshot

[Wooltown]

I tried signtool, it works brilliant to sign an *.exe file, but Windows Vista still complains, but that is anouther problem, UAC is enabled as a company standard.

I will continue the search.

[ptrex]

@Wooltown

I have not tested this on any VISTA machine yet ?!

I hope you find the problem.

regards

ptrex

[Wooltown]

I will try, and I will write down the progress here for everyone, no idea inventing the wheel more than once.

[Wooltown]

I have experimented with all kinds of self made certificates on Vista, but I can't get it to work, I will have to get a real certificate to sign the programs if UAC is enabled.

[PsaltyDS]

Is this free?

For clarification: It is free if you sign it yourself. But since few people know you, they have no reason to trust your authority.

Correct authentication at run time will require the end user to trust the certificate authority that issued the certificate. The root authorities are BIG organizations like US GOVT, DOD, RSA, Visa, VeriSign, and Microsoft. You can be a root authority too, but you have to maintain a certificate verification server that can be reached, and convince people to trust you enough to add your Root CA certificate to their trusted roots list.

To sign your script in a way that someone who didn't know you might be able to do something with, you need to get your certificate from one of the big boy, and that means Cha-Ching! $$$

If you right-click on AutoIt2.exe, select Properties, and the Digital Signatures tab, you can see that Jon signed it, but not with himself as root. Rather, he bought a certificate from GlobalSign. Most browsers come with GlobalSign's root certificate pre-loaded as a Root Authority because they are a well known and trusted Certificate Authority. The AutoIt3.exe file was signed by Jon, and Joh'n certificate was signed by GlobalSign, so we can be reasonably sure it wasn't somebody pretending to be Jon.

Since your free certificate is not signed by anybody I trust, it doesn't tell me anything.

[ptrex]

@PsaltyDS

If I sign it, I hope you trust it

regards,

ptrex

[gseller]

Thanks ptrex! I finally figured it out and it will be great for me. I create for my folks in a corporate structure and the group I code for trust me so they can just add the cert. Thanks again!

[PsaltyDS]

@PsaltyDS

If I sign it, I hope you trust it

regards,

ptrex

Thanks ptrex! I finally figured it out and it will be great for me. I create for my folks in a corporate structure and the group I code for trust me so they can just add the cert. Thanks again!

It's not a matter of trusting you guys personally. The problem is if I can't follow the chain of certs back to a root authority I trust, then ANYBODY could have created their own root and signed a cert for "ptrex" or "gesller" (or your real names, of course).

In the case of the signed AutoIt3.exe that I used for an example: Of course I trust Jon, but how do I know some Romanian hacker didn't just create his own root and sign a hacked version of AutoIt3.exe with the text string "Jonathan Bennett"? I know because Jon didn't create a new root I never heard of, he got his certificate from a well known root authority that IE, Firefox, and most other browsers come pre-loaded with: GlobalSign

Right-click on AutoIt3.exe, select Properties, the Digital Signatures tab, highlight Jon's cert and click on the Details button. On the Digital Signatures Details dialog, click on the View Certificate button, and then on the Certificate Path tab. Now you can trace the cert all the way back to the root. This verifiable path to his certificate is what Jon paid $$$ for (or , £££, whatever).

If ptrex, or anybody else calling themselves "ptrex" creates a free signing certificate on their own and gives me a signed file, I will get warnings that the cert couldn't be verified by a trusted root, and the Certificate Path will lead back to an authority I can't know for sure is really from him.

A work-around would be for ptrex to pass me the public key for his homemade root authority, and I can add it to my trusted roots. Now if some stranger signs as "ptrex" I'll know it's fake because it doesn't verify with my "ptrex" root. But that requires us to find some secure route for me to get his root cert, and know THAT wasn't spoofed by some man-in-middle hacker, etc. What if three different ptrex'es email me a root cert and tell me use that to verify all the ptrex software I use. How do I know which one, if any, is real? What if Jon just created his own root and posted the public key on his web site to save money? Now how sure are you that is the real cert and not a spoof? The well known and trusted GlobalSign Root Cert keeps me from having to worry about that.

[ptrex]

@gesller

You are welcome

@PsaltyDS

Just joking.

Regards

ptrex

[Pies]

hi, i'm just curious of the topic that you are talking about. Sorry but I really don't know what that certificate is. Can somebody explain to me what that is and what's the use or purpose of that? Thanks! muttley

[James]

Read through this.

[ken82m]

Question, how can I generate a CSR for this.

I found a site that supposedly will issue a free certificate for public use.

Now I've played with certificate services before but I've never delt with an actual site.

How can I generate an x.509 CSR so I can paste it into the site?

nevermind, the "email" certificate they issued was unrestricted so works for me lol

Edited January 4, 2009 by ken82m

[Automania]

Hello,

I created the .cer file as described in posting #8 by makecert.exe on my local PC, then double clicked and installed it (received a success message).

However, the script keeps saying it can't find the certificate and the private key, where's my mistake here?

These are the cert details I used for makecert.exe

makecert.exe -sk "mycert123" -r -n "CN=mycompany,O=myorg,E=me@test.com" test_cert.cer

(as said, I then double clicked the .cer file and installed it)

and this is the modified script:

; Initialize error handler 
$oMyError = ObjEvent("AutoIt.Error","MyErrFunc")

$Script = @ScriptDir & "\testscript.vbs"

; --------------------------------- Sign it ----------------------------------
$oSigner = ObjCreate("Scripting.Signer")
$oSigner.SignFile ($Script, "mycert123") 

$oSigner = ""
; Use a valid certificat 
; you can do this by going to a server that has a certificate service running. 
; And than export a certificate that is OK for Signing Code.
; Then import this on the client.
;This is custom error handler

Func MyErrFunc()
  $HexNumber=hex($oMyError.number,8)
  Msgbox(0,"AutoItCOM Test","We intercepted a COM Error !"       & @CRLF  & @CRLF & _
             "err.description is: "    & @TAB & $oMyError.description    & @CRLF & _
             "err.windescription:"     & @TAB & $oMyError.windescription & @CRLF & _
             "err.number is: "         & @TAB & $HexNumber              & @CRLF & _
             "err.lastdllerror is: "   & @TAB & $oMyError.lastdllerror   & @CRLF & _
             "err.scriptline is: "     & @TAB & $oMyError.scriptline     & @CRLF & _
             "err.source is: "         & @TAB & $oMyError.source         & @CRLF & _
             "err.helpfile is: "       & @TAB & $oMyError.helpfile       & @CRLF & _
             "err.helpcontext is: "    & @TAB & $oMyError.helpcontext _
            )
  SetError(1)  ; to check for after this function returns?oÝ?÷ Ûp?  Ú¶êÞ??)àIÊâ¦Ö®¶?­sc²ÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒ6?V6²?BÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒÒТb33c¶&Æå6?÷tuT?ÒG'VP¢b33c¶ö&¥6?væW"Òö&¤7&VFR?gV÷Cµ67&?F?ærå6?væW"gV÷C² ¢b33c¶&Æä?56?væVBÒb33c¶ö&¥6?væW"åfW&?g?f?ÆR?b33cµ67&?BÂb33c¶&Æå6?÷tuT? ¤?bb33c¶&Æä?56?væVBF?Và¢6öç6öÆUw&?FR?gV÷Cµ67&?B?2&VVâ6?væVBâgV÷C²fײÄb??¤VÇ6P¢6öç6öÆUw&?FR?gV÷C²67&?B?2æ÷B&VVâ6?væVBâgV÷C²fײÄb??¤VæD?` ¢b33c¶õ6?væW"ÒgV÷C²gV÷C°
  EndFunc

Edited March 29, 2010 by Automania

[IchBistTod]

Is there any way to modify a certificate.

Example lets say we find a microsoft certificate on our pc.

Can we modify our name into it so it will show as a trusted root authority, without paying $$$?