Summary
It's cool that Microsoft's software has digital signatures. The software we write should also have a dazzling signature.
Software with signatures is cool
Right-click the QQ installation file and select "Properties" to view the QQ digital signature.
When you use Process Explorer or SREng to view the programs running on the system, you can also verify whether each program has a digital signature. If our program displays "Unable to verify", that looks unprofessional.
Add a signature to your program
mathlover121.exe is a small program I wrote in C++ Builder when I was at school. Needless to say, it has no signature. The following shows how to use Microsoft's SignTool to sign the EXE file. To sign a file, you must first have a digital certificate. If your company has already applied for a digital certificate, so much the better. But since many readers do not have one, we will first show how to apply for a free digital certificate on CA365.
Apply for a free digital certificate
Step 1: Log on to www.ca365.com and click the "Apply for certificate by form" link in the "Free certificate" column.
Step 2: Fill in the form; you can enter the details freely.
Step 3: After you press the "Submit" button in the previous step, the certificate download page is displayed automatically. Click the "Download and install certificate" link to download and save the certificate. The default file name is "NewCert.der".
Step 4: Install the certificate.
Right-click the "NewCert.der" file and select "Install certificate".
Next, you can sign the EXE file.
Use SignTool to sign the EXE file
Step 1: Open a command prompt window via "Start Menu | Programs | Microsoft Visual Studio 2005 | Visual Studio Tools | Visual Studio 2005 Command Prompt".
Step 2: Run "signtool signwizard".
Step 3: Click "Next" in the "Digital Signature Wizard" to go to the "File Selection" page and select the file to be signed. Note: If the file is placed on the desktop, you may get the error message "the specified file does not exist or is a read-only file", which may be caused by folder permissions.
Step 4: Click "Next" to go to the "Signature Options" page and select "Typical".
Step 5: Click "Next" to go to the "Signature Certificate" page, click "Select from Store...", and then select the certificate we just applied for and installed.
Step 6: (Optional) Click "Next" and enter some descriptive information on the "Data Description" page.
Step 7: (Optional) Click "Next". On the "Timestamping" page, enter the URL of the timestamp service. There are two free timestamp server URLs:
http://timestamp.verisign.com/scripts/timstamp.dll
http://timestamp.wosign.com/timestamp
Step 8: Click "Next", review all the settings on the final "Completing the Digital Signature Wizard" page, and click "Finish" to start signing.
Step 9: In the "Signing data with your private exchange key" dialog box that pops up, click "OK".
Step 10: The digital signature wizard completes successfully.
Now right-click the file in Windows Explorer and select "Properties"; you will see an additional "Digital Signature" page. Click "Details" to view the certificate details.
You can also verify the signature in Process Explorer.
If you copy the signed mathlover121.exe file to my colleague's computer and use Process Explorer to verify the signature, the system still displays "Unable to verify" _|￣|○ (I think I hear bricks flying in, so I'll duck out first ~~). This is because the root certificate of CA365 is not installed in the "Trusted Root Certification Authorities" list on Windows by default. The verification succeeds on my machine because I imported the CA365 root certificate in advance. For more information about the relationship between a certificate and the root certificate, see my article "Vernacular Digital Signature (2)".
You can run "certmgr.msc" from "Start Menu | Run..." to view the "Trusted Root Certification Authorities" list.
So if you want Windows to trust you, you can buy a certificate from one of the companies in this list. For example, the QQ installation file is signed with a VeriSign code signing certificate.
There is another strange problem...
However, if we take "C:\Program Files\Internet Explorer\iexplore.exe", right-click it, and click "Properties", the "Digital Signature" page is not displayed, yet the signature can be verified successfully in Process Explorer. What is going on? Let's talk about it later.