How to digitally sign a program

Source: Internet
Author: User
Tags pfx file

Summary of ActiveX development and automatic cab file upgrade:
1. Compile the ActiveX control and implement the IObjectSafety security interface;
2. Set the ActiveX control version and the version of the DLLs that the control depends on;
3. Write the INF file; note that the versions in it must be consistent with the actual versions of the control and the DLLs;
4. Use the makecab program to package the cab file;
5. Use makecert to create a private key certificate;
6. Export or generate a public key certificate (depending on the specific command used in step 1, the public key certificate is either exported from IE or has already been generated);
7. Use cert2spc to convert the public key certificate to an SPC file;
8. Use pvk2pfx to generate a pfx file from the private key and the SPC file;
9. Use signtool to sign the cab file;
10. Call the ActiveX control on a web site; note that the version parameter in codebase must be consistent with the actual version in the INF file and of the ActiveX control;
11. Ask the user to download the public key certificate and install it in the Trusted Root Certification Authorities area;
12. Enjoy it!


1. Create a private key file

2. Create a digital certificate

3. Sign the program

Did you know? The official release of SP2 from Microsoft is digitally signed. What does that mean?
1. Windows File Protection
In Windows versions earlier than Windows 2000, software installed outside the operating system may overwrite some shared system files, such as dynamic link libraries (*.dll files) and executable files (*..
To solve this problem completely, Microsoft introduced the "Windows File Protection" mechanism in Windows 2000 and Windows XP to prevent the replacement of protected system files, including *.sys, *.dll, *.ocx, *.ttf, *.fon and *.exe files. Windows File Protection runs automatically in the background, and all files installed by Windows Installer can be protected.
Windows File Protection can detect attempts by other programs to replace or move protected system files. What is the detection based on? Windows File Protection checks the digital signature of the file to determine whether the new file is the correct Microsoft version. If the file version is incorrect, Windows File Protection automatically replaces the file with the backup stored in the dllcache folder or in Windows. If Windows File Protection cannot locate the corresponding file, it prompts you to enter its location or insert the installation disc.
2. Recognize Digital Signatures
A digital signature lets the user verify a file. If a file does not have a valid digital signature, there is no assurance that the file actually comes from its declared source, or that it has not been tampered with since release (possibly by a virus). In this case, it is safer not to open the file unless you are sure who created it and what it contains. Hardware or software that has passed Microsoft's digital signing bears the "Designed for Microsoft Windows XP" logo.
When new software is installed on a computer, system files and device driver files are sometimes overwritten by unsigned or incompatible versions, resulting in system instability. Both the system files and the device driver files provided with Windows XP have Microsoft digital signatures, which indicate that these files are original and unchanged system files, or that they have been approved by Microsoft for use in Windows. The File Signature Verification tool is provided in Windows 2000/XP (see figure 1), and Windows 9x provides the "System File Checker". We can use these tools to check the digital signature status of system files.


The issuer of a certificate generated by makecert.exe is "Root Agency", so a file signed with it does not pass verification directly. Related information follows.

1. What is the Root Agency digital certificate?

The Root Agency digital certificate is the root certificate generated by makecert.exe. It is mainly used for test signing with a digital certificate. This type of certificate is currently untrusted in the system.
2. Does the Root Agency digital certificate harm the system?

Under the default system settings, digital certificates issued by Root Agency are untrusted. However, in most Ghost systems, Root Agency digital certificates are set as trusted, which means viruses and Trojans can easily use them for signing.
Solution:
1) Right-click IE and click Properties to open Internet Options;
2) Click the Content tab and select Publishers;
3) Delete the certificate named Root Agency from Trusted Root Certification Authorities and Intermediate Certification Authorities;
3. Can I use the Root Agency digital certificate to sign a file?
Sorry: because the system does not trust it by default and it conflicts with China's Electronic Signature Law, the signature is invalid even if the file is signed;
4. Is a file signed with the Root Agency digital certificate secure?
This type of certificate is easy to create and takes only a few seconds, so there are too many uncertainties. In that case, you have to rely on anti-virus software to deal with the problem;
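
The removal steps above can also be done as a scripted check. The following is an added example, not part of the original article; it assumes PowerShell 3.0 or later, and the parameter names SubjectPattern and Remove are this example's own.

```powershell
# Added example, not from the original article. Save as a .ps1 script.
# Lists certificates whose subject contains "CN=Root Agency" in the two stores
# named in the steps above, for the current user and for the machine.
# -Remove deletes the matches (machine stores need an elevated prompt);
# add -WhatIf to preview what would be deleted.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SubjectPattern = 'CN=Root Agency',   # the makecert test issuer
    [switch]$Remove
)

# Root = Trusted Root Certification Authorities, CA = Intermediate Certification Authorities
$stores = 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\CA',
          'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match [regex]::Escape($SubjectPattern) } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Issuer,
                      Thumbprint, NotAfter, PSPath
}

if (-not $found) {
    Write-Output "No certificate matching '$SubjectPattern' is in a trust store."
    return
}

# Report every match before touching anything.
$found | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        $target = "$($cert.Store)\$($cert.Thumbprint)"
        if ($PSCmdlet.ShouldProcess($target, 'Remove certificate')) {
            Remove-Item -Path $cert.PSPath
        }
    }
}
```

Passing a different -SubjectPattern reports any other self-made certificate, such as the "talentcompany" one created later on this page, that has been imported into a trust store.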

1. Create a private key file:

I. "Digital certificate" creation tool makecert
makecert.exe is a command-line tool developed by Microsoft for creating "digital certificates". It lets you easily create your own certificate for "digital signatures". Of course, a certificate you make yourself is not a trusted certificate, but that does not prevent you from using it.
II. CAB package creation tool IExpress
IExpress is the GUI front end for makecab.exe. It compresses the files required by the program into the cab format for easy transfer. Of course, if your program is a standalone EXE file, you do not need to package it with this tool. However, most free web space currently does not support uploading files in the EXE format, so we recommend that you package it! A command-line tool for the same job is cabarc.exe;
III. signcode
You can use signcode.exe and your "digital certificate" to sign your software, adding a digital signature to it so that it can run on a web page.
Are you ready? Follow along as I make my own digitally signed control. Let's go...
Step 1: create a digital certificate
Go to the signtool folder and run the following command on the console.
The makecert command is as follows:

makecert -sv "talent.pvk" -n "CN=talentcompany,O=frankiewang" -ss My -r -b 08/20/2013 -e 08/20/2015

Where

-sv talent.pvk generates the private key file talent.pvk.
-n "CN=talentcompany": "talentcompany" is the name of the certificate owner displayed in the signature. Remember to change it to your own or your desired name!
-ss My saves the generated certificate in the Personal certificate store.
-r indicates that the certificate is issued to you by yourself (self-signed).
-b 08/20/2013 specifies the start date of the certificate validity period, in month/day/year format. The minimum value is 1900.
-e 08/20/2015 specifies the end date of the certificate validity period, in the same format.
I will not cover the other options.

Are you asked to enter a private key password? Click the "None" button to skip it, or, if you prefer, enter a password and remember it. Your private key file talent.pvk has now been generated in the directory, but where is the certificate? Don't worry. Open Internet Options in IE and switch to the Content tab. Do you see the Certificates button? Click it! The "talentcompany" entry with the expiry date 08/20/2015 is the certificate you just generated. Still under "Certificates" on the "Content" tab of IE's "Internet Options", import talentcompany into "Trusted Root Certification Authorities", then select talentcompany under "Personal" and choose Export. By default this generates the certificate file talent.cer.

2. Create a digital certificate

The private key file (PVK) and the digital certificate file (CER, X.509) have already been generated. Now use the following command to generate the corresponding SPC file:

cert2spc.exe talent.cer talent.spc

This completes the generation of all digital signature-related authentication files;

3. Sign and authenticate the program (perform the digital signature operation each time)

Select the previously generated files in signcode.exe.

Click Browse and enter the storage path of the .cab file (including the file name). Here testcab.cab is selected, and "Store files using Long File Name inside Package" is checked. Click Next.

Select "Don't save" to generate dsoframe.cab.
Note: The cab file name must be in 8.3 format, so the file name cannot be too long. In this process, you can first enter the name of the cab package as dsoframe.cab, and then change it to dsoframer.cab.
Step 3: add a digital signature to dsoframer.cab

Run signcode.exe and select dsoframer.cab.

In the "Signature Options" form, select "Custom (C)" as the "signature type".

Next, click the "Select from File" button in the "Digital Signature Wizard - Signature Certificate" form and select the certificate file dsoframer.cer exported in the first step.

Next, select the dsoframer.pvk file generated in step 1 as the private key.

In this way, you can use your "digital certificate" to add a "digital signature" to a program so that it can be run on a web page!
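
The summary at the top of the page lists pvk2pfx and signtool as the command-line route to the same result as the signcode wizard. The following is an added example of that route, not part of the original article; it assumes the Windows SDK tools are on PATH, that talent.pvk (created without a password) and talent.cer are in the current directory, and that dsoframer.cab has already been built. The helper name Invoke-Tool is this example's own.

```powershell
# Added example, not from the original article: cert2spc -> pvk2pfx -> signtool,
# using the file names from this page. Each tool's exit code is checked.
$cab = 'dsoframer.cab'

function Invoke-Tool {
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

# Fail early if an input is missing.
foreach ($file in 'talent.pvk', 'talent.cer', $cab) {
    if (-not (Test-Path -LiteralPath $file)) { throw "Missing input file: $file" }
}

# X.509 certificate -> SPC file
Invoke-Tool cert2spc @('talent.cer', 'talent.spc')

# Private key + SPC -> PFX (-f overwrites an existing talent.pfx).
# The PFX contains the private key: keep it out of shared folders.
Invoke-Tool pvk2pfx @('-pvk', 'talent.pvk', '-spc', 'talent.spc',
                      '-pfx', 'talent.pfx', '-f')

# Sign the cab; /fd selects the file digest algorithm.
Invoke-Tool signtool @('sign', '/f', 'talent.pfx', '/fd', 'SHA256', $cab)

# Verify with the default Authenticode policy and show the certificate chain.
& signtool verify /pa /v $cab
if ($LASTEXITCODE -ne 0) {
    Write-Warning "$cab is signed, but the signature does not verify on this machine."
}
```

On a machine where the self-signed certificate has not been imported into Trusted Root Certification Authorities, the verify step fails because the chain ends in an untrusted root; that is the check a client performs before running the control.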

Step 4: Of course, embed the program into the web page and upload it! The code added to the web page is as follows:
<object classid="clsid:00460182-9e5e-11d5-b7c8-b8269041dd57" id="framercontrol1"
style="left: 0px; top: 0px; width: 100%; height: 16px"
codebase="../dsoframer.cab#V2,2,1,2"></object>

