authenticode

Verifying authenticode signature upon execution of .NET app

I feel like I'm missing something obvious here, but I don't see it written anywhere. I sign my executables using an Authenticode certificate, but as I've started to learn a bit more about it, I am questioning the value as-is. A signed exe has a digital certificate that shows as being a "valid" certificate. When you download such a fi...

Get timestamp from Authenticode Signed files in .NET

We need to verify that binary files are signed properly with digital signature (Authenticode). This can be achieved with signtool.exe pretty easily. However, we need an automatic way that also verifies signer name and timestamp. This is doable in native C++ with CryptQueryObject() API as shown in this wonderful sample: How To Get Informa...

Code Signing (Microsoft Authenticode)

I have a program which is used by a large number of people who are not always super computer savvy. I want to make sure that rather than having my executable say it is from an unknown author that it says it was signed by me. As far as I know this can be done with Microsoft Authenticode. I understand I need a certificate to do this and...

Generic approach for signing non-PE files

I know that Windows can intrinsically detect and verify signatures of PEs and some types of text file (.vbs, .ps and .wsf). However I'm curious whether there is a way to somehow attach or associate a signature to a file that doesn't directly support signatures, such as .ISO or .zip files. Driver packages that contain a mixture of bin...

How do I sign a VSTO deployment?

Client purchased a code-signing certificate, and it came with a .pvk file and a .spc file. I am familiar with the .pvk file, but Visual Studio doesn't recognize the .spc file. When I try to load the .spc file as the ClickOnce Certificate, a message box says "The selected file does not contain a private key. You must choose a certificate...

Why ActiveX "Unknown Publisher" error when using signed certificate?

Hi, I have been struggling for days trying to get a simple ActiveX DLL to work with no success despite studying several articles on the subject which I have found online. I suspect I have several things coded incorrectly as I am just not familiar with this and most of the articles on the subject are out of date. I am using Visual Stud...

Secure Authenticode key on a build server

I'm trying to figure out how best to set up Authenticode signing at my workplace. The security implications are stressing me out. My initial thought is that the person who controls the key should install it to the build server and secure it so that only the build account can access it. This seems reasonably secure, but it actually isn...

How do you integrate Authenticode into your build process?

Been trying to figure out the best way to integrate Authenticode signing within the build process and it's frankly kicking my ass. There doesn't seem to be any way to smoothly and securely do it. I'm interested in hearing your stories on how you integrate Authenticode signing in your build process. Here's my sad story. C# develope...

How do I modify the "File Description" of an executable using msbuild (or command line)?

I have a 3rd party app that is generating an executable for me, but it's putting its own name into the "File description" and "product name" details of the executable. When I sign these with authenticode, it causes the user prompt to show the 3rd party app name rather than my own, even though it's signed with my company's certificate. ...