Digital signatures for binaries in open source projects

May 25, 2018 0 Comments

Digital signatures for binaries in open source projects



Digital signatures provides proof that the file was authored by a trusted
entity. They allow to verify the integrity of applications distributed in binary
form. On Windows, software authors use Authenticode to sign the application and
its setup package so Windows can verify who made the application and it allows
IT adminstrators to create policies for running only trusted applications.

Open source applications (for Windows) usually are not signed because the
Authenticode certificates are expensive and the learning curve for signing is
quite steap.

I chose Certum to get certificate for my open source applications. The
Authenticode certificate from Certum costs only around 28 EUR. If you does not
have any compatible smart card which would store the certificate private key,
you can buy one from Certum, but this makes the certificate a bit expensive (for
hobby purposes) – the smart card costs 80 EUR and shipping is 30 EUR.

Ordering the certificate from Certum was a bit complicated and painful
process as their website likes to switch to Polish language out of a sudden.
Authenticode certificates must be issued to natural persons (or legal entities)
so the process is not automated (as with Let's Encrypt domain validation) and
you must provide them your ID card and some utility bills or bank statement to
verify you identity.

Out of the box, you can use the certificate to sign applications (EXE, DLL
and MSI files) with signtool.exe using the default SHA1
algorithms. You must run the proCertum CardManager application
so signtool.exe can communicate with the smart card when
signing binaries. Each time you are signing a file, CardManager
will ask for a PIN to the certificate.

Sign application

To sign application named VCardSplitter.exe using certificate
named Open Source Developer, Jozef Izso, use this command:

signtool.exe sign /n "Open Source Developer, Jozef Izso" VCardSplitter.exe

This will just sign the file. You must also add the timestamp to the
signature so the signature will remain valid even after certificate expires.

signtool.exe sign /n "Open Source Developer, Jozef Izso" /fd sha1 /t VCardSplitter.exe

Signing using SHA256 algorithm

Microsoft requires new applications to be signed using SHA256 algorithm. When
you configure signtool.exe to use SHA256, you will receive
error when signing files. To resolve this issue, open proCertum
, click Options, enable EV Code
Signing – replace CSP with minidriver library
and click
Ok. This will reconfigure the system and the SHA256 algorithms
will work correctly. Note: the certificate for open source
developers from Certum is not the EV (Extended Validation) certificate.
It just hapens the CSP method of signing with smart card is only compatible with
the old SHA1 signatures.

With minidriver mode enable, you can sign your binaries like this:

signtool.exe sign /n "Open Source Developer, Jozef Izso" /fd sha256 /tr VCardSplitter.exe

Signing NuGet packages

NuGet 4.6 enables signing of nuget packages. It requires the signature to be
SHA256 so make sure you enabled the minidriver mode. Signing is
similar to the signtool.exe process:

nuget.exe sign library.1.0.0.nupkg -CertificateSubjectName "Open Source Developer, Jozef Izso" -Timestamper

Switching the CSP and minidrive mode in proCertum CardManager

The proCertum CardManager uses special app called
cryptoCardRegister.exe to switch between the CSP
and minidriver modes of signing. This can be change from the
proCertum CardManager user interface:

  1. Open proCertum CardManager application
  2. Click Options button
  3. Enable or disable the EV Code Signing – replace CSP with minidriver library checkbox
  4. Click Ok

If you have troubles with using the UI to change the mode, you can execute
cryptoCardRegister.exe directly from command prompt.

To enable CSP mode manually, use administrative prompt
to run:

"C:\Program Files (x86)\Certum\proCertum CardManager\cryptoCardRegister.exe" csp

To enable minidriver mode manually, use administrative
prompt to run:

"C:\Program Files (x86)\Certum\proCertum CardManager\cryptoCardRegister.exe" md


Digital signatures can ensure your Windows binaries can be verified to come
from trusted source. As open source developer, you must invest about 100–150
EUR to get the first certificate. The certificate from Certum will be issued to
you as a natural person and it will be named Open Source Developer,
<Your Name>
. After correctly changing the CardManager configuration, you can sign you Windows
applications, libraries, installation packages and also nuget packages. Signing
cannot be automated as you must enter the PIN each time you sign a file. This
prohibits scenarios like automatic signing of build output on continous
integrations services like AppVeyor.

I hope code signing certificates will get more available to open source
developers and projects and cloud services could be used to automate signing as
part of the build process. This would make the ecosystem of open source
libraries for Windows more trusted.

Tag cloud