We have a .pfx and use the windows signtool to sign a DLL with it. I want to programmatically verify that the DLL is signed with our certificate when I load it. I use WinVerifyTrust, but that just verifies that is signed by a trusted publisher (I think). To verify that it is signed with our certificate, I think I should use CryptVerifyCertificateSignature. How do I create the "BLOB" of "CERT_SIGNED_CONTENT_INFO" from my DLL to pass to this function?
Or... is there a better or easier way to verify that the DLL is signed with our cert?
Have a look at this answer: C# implementation to get SignedCms from signed file
If you would provide some more details - for instance programming language - the community would be able to help you further and answer more accurate :-)
Can anyone help me in signing the .sys files for windows 7 64 bits? I have created the self signed certificates using Openssl and I want to sign the the .sys files with that certificates using signTool.exe
I have done this process by following the Life saving Link :D
Thanks Roger Lipscombe, DBolton and all those who visited :p
I got only .cer format certificate from the OWASP ZAP 2.5.0 but the curl which I am using as CLI browser requires .key and/or .pem formats as well. How can I obtain that as I have only cer file.
I have published a basic unsigned windows form application using ClickOnce on Visual Studio. I took the .exe file and .exe.config file and moved it to a folder on my desktop. I signed the .exe file with a legitimate digiCert signing tool, and I created the application manifest and deployment manifest using MageUI and signed it with the same signing tool. I moved all the files to the FTP server that I want the users to download from. When I enter the URL in the browser everything works fine, but it prompts me to Install, and it says that the Publisher is Unknown. After I click install, the app runs as it should.
Also, I have already added my certificate to the Trusted Publisher store, and verified that the issuer of my certificate is in the Intermediate Certification Authority store, and their issuer is in the Root Certification Authority Store.
I have also opened the deployment and application manifest using notepad, and can see my signature on them, and I can see that my .exe file is signed by right clicking on it and selecting properties, then the signature tab.
I have followed the Steps outlined in this site: https://robindotnet.wordpress.com/2013/02/24/windows-8-and-clickonce-the-definitive-answer-2/
I used the : "#1: Signing the application executable post-publish." steps.
So my main question is why is it saying that the publisher is Unknown when I download and run the .application file?
Note: that the SmartScreen filter is not picking up my app as being unsafe
I have (sadly) the same problem.
Microsoft doesn't accept anymore the SHA-1 certificate since 1. january 2016:
Windows Enforcement of Autheticode:
Code Signing Certificates: Windows will no longer trust files with the Mark of the Web attribute that are signed with a SHA-1 code signing certificate and are timestamped after 1/1/2016. With the exception of issuing certificates to developers who intend to develop only applications for Windows Vista, Windows Server 2008, CAs may not issue new SHA-1 code signing certificates after January 1, 2016.
I tried to sign with a SHA256 hash and with a SHA2 timestamp certificate but this is not enough. What I can't understand is why an unsigned exe is threated as more secure as a signed SHA1 exe in smartscreen!
The other answer tells you what's going on, and here's what's working for me. I pivoted another's work for my CI pipeline, but the script can be used in any capacity:
https://github.com/erikest/SignClickOnce
I am trying to convert my apns cert to p12 so i can use it with .net
http://code.google.com/p/apns-sharp/wiki/HowToCreatePKCS12Certificate