-
Notifications
You must be signed in to change notification settings - Fork 0
/
Authenticode.mw
155 lines (101 loc) · 8.67 KB
/
Authenticode.mw
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
{{Header}}
{{title|title=Authenticode - Windows Digital Software Signatures}}
{{#seo:
|description=Using signtool.exe to sign or verify digital signatures for Windows programs.
}}
{{verification_tools_mininav}}
{{intro|
Use [https://learn.microsoft.com/en-us/dotnet/framework/tools/signtool-exe <code>signtool.exe</code>] to <code>sign</code> or <code>verify</code> digital signatures for Windows applications.
}}
= Introduction =
{{Always_verify_signatures_reminder}}
{{Quotation
|quote=Authenticode employs digital signature technology to ensure the authorship and integrity of binary data, such as installable software.
|context=[https://learn.microsoft.com/en-us/windows/win32/seccrypto/time-stamping-authenticode-signatures Microsoft Windows website]
}}
{{Quotation
|quote=Authenticode enables vendors of downloadable executable code (like plug-ins or ActiveX controls) to attach digital certificates to their products. This reassures end users about the code's source and confirms it hasn't been altered. It allows users to decide whether to accept or reject online software components before downloading.
|context=[https://learn.microsoft.com/en-us/windows/win32/secgloss/a-gly Microsoft Security Glossary]
}}
= Install SignTool =
This guide provides steps to install SignTool on Windows 11 (stable release). If you're using earlier versions of Windows (Windows XP, Vista, 7, 8 or 10), replace the Windows 11 SDK installer mentioned below with the appropriate SDK Installer from the [https://developer.microsoft.com/en-us/windows/downloads/sdk-archive Windows SDK archives].
[https://docs.microsoft.com/en-us/dotnet/framework/tools/signtool-exe SignTool] is a Windows command-line utility using [https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode Authenticode] to digitally sign and verify files, as well as timestamp them. It's part of the [https://en.wikipedia.org/wiki/Microsoft_Windows_SDK Microsoft Windows SDK]. After setting it up, you can use SignTool to verify the <code>gpg4win</code> package prior to installation.
{{Box|text=
'''1.''' Get the Installer:
* Visit [https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk this link].
* <code>Right-click</code> on the installer download option → <code>Save</code> → Once downloaded, <code>Run</code> it.
'''2.''' Specify Installation Path:
Upon the installer's launch:
* <code>Continue</code> → set the installation path to <code>C:\Users\<user_name>\Downloads\Windows Kits\<windows_version>\WindowsSDK</code> → <code>Next</code>.
'''Figure:''' ''Choose SDK Installation Path''
[[File:sdk_installer_specify_download_path.png]]
'''3.''' Choose the Correct Package:
The Windows SDK installer offers various packages. You only need <i>Windows SDK Signing Tools for Desktop Apps</i> (SignTool). Note that package names might vary across SDK versions. For instance, in SDK for Windows 8.1, the package containing SignTool is labeled as <i>Windows Software Developmental Kit</i>, different from its counterpart in Windows 10.
'''Figure:''' ''Select SignTool Package''
[[File:select_sdk_features_for_download.png]]
After selecting the necessary package, click on Download. Once the installation finishes, you can close the installer.
'''Figure:''' ''SDK Installation Completion''
[[File:sdk_installer_download_complete.png]]
'''4.''' Done.
Installation of SignTool has been completed.
}}
= Usage =
[https://learn.microsoft.com/en-us/dotnet/framework/tools/signtool-exe <code>signtool.exe</code>] can be utilized to <code>sign</code> and <code>verify</code> applications. Note the consistent lowercase usage for both commands.
Details on installing and using Authenticode and <code>signtool.exe</code> are currently [[undocumented]] in the {{project_name_long}} wiki. Implementing Authenticode is [[unspecific|not specific to {{project_name_long}}]].
It's essential to understand that while {{project_name_short}} provides documentation on many topics relevant to its users, it isn't the primary source for all Windows tools or processes, especially those created and maintained by external entities like Microsoft. If a tool like <code>signtool.exe</code> lacks user-friendly documentation from Microsoft, it isn't inherently the responsibility of {{project_name_short}} to fill that gap.
{{project_name_short}} focuses on its specific domain and features, ensuring that users have the best experience within that scope. While we strive to offer comprehensive guidance, we cannot be expected to compensate for the documentation shortfalls of every third-party tool or process. For more in-depth details or tutorials on using such tools, users are encouraged to consult the tool's official documentation or forums.
= User Account Control =
User Account Control (UAC) is closely related to <code>Authenticode</code>.
'''Figure:''' ''Windows signature verification window for VirtualBox''
[[File:Virtualbox_windows_digital_software_verification.png|400px|border]]
= Authenticode vs. User Account Control =
SignTool verifies the digital signature of a file, particularly checking the signing certificate's issuer, revocation status, and validity.
Although manually using <code>signtool verify</code> can enhance security, many users might skip this step.<ref>
How frequently do you notice websites providing Windows software downloads along with digital software signatures?
</ref>
Windows automatically validates the digital signatures of drivers and downloaded apps, especially those needing elevated privileges for installation, through User Account Control (UAC). However, this auto-validation is less comprehensive than manual <code>signtool verify</code> checks.
= Authenticode vs. Other Verification Tools =
Authenticode is based on [[SSL|The Broken Certificate Authority System]], which is dependent on trustworthy third parties.
Alternative verification standards or tools like [[OpenPGP]] or [[signify]] can deliver end-to-end digital software signatures without relying on third parties. If available, these alternatives are recommended.
= VirtualBox =
Windows' VirtualBox isn't signed using OpenPGP / gpg / signify but with Authenticode. This method is standard for most Windows downloadable applications.
On Linux based operating systems, <code>osslsigncode</code> can be used to verify the integrity of VirtualBox. See {{whonix_wiki
|wikipage=Dev/Windows_Installer#Verification_of_VirtualBox
|text=Verification of VirtualBox
}}.
= Troubleshooting =
== SignTool is not Recognized ==
'''Figure:''' ''SignTool not Recognized Error''
[[File:signtool_command_not_recognized.png]]
This error means the SignTool executable is not accessible through <code>cmd.exe</code>. A common cause for this error is SignTool was not installed in the user's [https://web.archive.org/web/20220707004040/https://john-dugan.com/path-variable-in-windows/?PageSpeed=noscript PATH]. To fix this issue add <code>signtool.exe</code> to your system PATH. <ref> https://www.godaddy.com/help/windows-cmd-signtool-is-not-recognized-as-an-internal-or-external-command-operable-program-or-batch-file-19987
</ref>
<u>Note</u>: This solution is temporary and works only until the command prompt is closed. When the command prompt is restarted <code>signtool.exe</code> must be added to the system PATH again.
{{Box|text=
'''1.''' Open a command prompt.
In the Windows Start menu, run.
{{CodeSelect|code=
cmd.exe
}}
'''2.''' Add the path to <code>signtool.exe</code> to your system PATH.
The default installation path for <code>signtool.exe</code>:
<pre>
x86 systems: C:\Program Files (x86)\Windows Kits\<windows_version>\bin\x86
x64 systems: C:\Program Files (x86)\Windows Kits\<windows_version>\bin\x64
</pre>
Run the following command to add "path\to\signtool.exe" to your system PATH. Also be sure to add the Windows version to the path.
{{CodeSelect|code=
set PATH="path to signtool.ext";%PATH%
}}
For example, the following command adds the path for an <code>x64</code> system.
{{CodeSelect|code=
set PATH="C:\Program Files (x86)\Windows Kits\<windows_version>\bin\x64";%PATH%
}}
}}
== SignTool Certificate Chain Error ==
'''Figure:''' ''Root Certificate Error''
[[File:signtool_error_root_certificate_not_trusted.png]]
This error message occurs if the <code>/pa</code> switch is not used with SignTool. This is because the default SignTool verify <code>some_file.exe</code> command uses the Windows Driver Verification Policy. <ref> See stackoverflow for further information: [https://stackoverflow.com/questions/11230091/whys-my-root-certificate-not-trusted Why's My Root Certificate Not Trusted?]</ref> In order for the file to verify properly the <code>/pa</code> switch must be used so SignTool uses the Default Authentication Verification Policy.
= Footnotes =
<references />
{{Footer}}
[[Category:Documentation]]