Windows Vista product compatibility lecture: signing executable files with the code signing procedure

Source: Internet
Author: User

Starting with Windows 2000, Microsoft began applying digital signatures to operating system modules. Signing was first implemented for drivers, but it was not particularly emphasized. Starting with Vista, Microsoft enforces digital signatures on x64 systems: drivers without WHQL and RDS authentication and signature cannot be loaded on Vista x64. Microsoft has also begun to apply digital signatures to ordinary applications. Although unsigned applications can still run on Vista, if an ISV wants to pass Microsoft logo certification, all executable files must be digitally signed. In versions later than Vista, Microsoft will gradually strengthen its digital signature requirements and ultimately require all applications to be signed before they can run on Windows. Of course, this is a long-term goal, and there is still a long way to go.

ISVs should prepare for digital signatures now. Here I use a simple example to illustrate the rough process; an actual deployment will have different requirements.

Step 1: Generate a certificate yourself and export the private key for later use.
Step 2: Submit the generated certificate to a third-party certification authority, such as Verisign or Thawte. These organizations need you to provide some information to authenticate your identity. This is easy to understand: they will be vouching for your identity whenever you use the certificate, so they must first authenticate it.
Step 3: These organizations provide you with a digital ID that authenticates your identity information. You are notified by email.
Step 4: Use a tool to sign your executable files.

After signing is complete, you can publish your product with the certificate. When the program runs on Vista, it is treated as an identifiable application.

The following is a specific example:

1) Generate a certificate first:

makecert -sv dotnetchina.pvk -n "CN=dotnetchina.com.cn" -b 01/01/2006 -e 01/01/2008 dotnetchina.cert

Note:
-sv dotnetchina.pvk: export the private key to the file dotnetchina.pvk so that we can use it later
-n "CN=dotnetchina.com.cn": specify the certificate name
-b 01/01/2006: specify the certificate start date, 01/01/2006
-e 01/01/2008: specify the certificate end date, 01/01/2008
dotnetchina.cert: store the generated certificate in this file, including the public key/private key pair

2) Now you can submit the certificate to the organizations mentioned above for authentication.

3) Once the authentication is complete, use the following command to convert the certificate to an SPC (Software Publishing Certificate):

cert2spc dotnetchina.cert dotnetchina.spc

4) Finally, use the following command to sign the EXE:

signtool signwizard

This command opens the following graphical interface, which guides you through the signing process:
Figure: Use signtool to open the signing wizard
Figure: Select the file to be signed
Figure: Select the custom method. The typical signing method uses a certificate installed on the local computer. Because we only generated the certificate as a file and did not import it to the local computer, you cannot use that option.
Figure: Select the generated software publishing certificate file
Figure: Select the exported private key file and provide the password
Figure: Select the encryption algorithm
Figure: After the other options are selected, the signature is complete. You can find the "Digital Signature" tab in the properties of the signed executable file, which contains a signature list.
Figure: Properties of the signed file
Figure: For comparison, the properties of a file without a signature

Note: Only a signature made with a certificate that has been authenticated by a third party, with the authentication information completed, is treated by Vista as an identifiable application, for which a gray warning window is displayed. The above process is just an example.

Some resources for your reference:
Verisign: http://www.verisign.com
Thawte: http://www.thawte.com/
Verisign Windows logo certification description: http://www.verisign.com.au/codesigning/windesign.shtml
Verisign description of the signature process: http://www.verisign.com.au/codesigning/howitworks.shtml
http://www.verisign.com/support/code-signing-support/code-signing/identity-authentication.html
MakeCert usage instructions: http://msdn2.microsoft.com/en-us/library/bfsktky3(VS.80).aspx
SignTool usage instructions: http://msdn2.microsoft.com/en-US/library/aa906251.aspx

Other related articles:
http://www.enterprisedt.com/products/edtftpnetpro/doc/manual/privatekeyaccessproblems.html
http://www.inventec.ch/chdh/notes/14.htm

All the tools used here can be found in the Windows Server 2003 R2 Platform SDK. You can download the full version from the following address:
http://www.microsoft.com/downloads/details.aspx?FamilyId=483479e2-3b89-47e3-8eb7-1f2be6d7123a&displaylang=en
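
To check the result of the signing step without opening each file's "Digital Signature" tab, the following PowerShell script reports the Authenticode status of every binary in a folder. It is an added example, not part of the original article; it assumes PowerShell 3.0 or later, and the folder path .\release is a placeholder.

```powershell
# Added example: audit Authenticode signatures in a release folder.
# '.\release' is a placeholder default; pass your own build output path.
param(
    [string]$BuildDir = '.\release'
)

# File types that normally carry an embedded signature.
$patterns = '*.exe', '*.dll', '*.sys', '*.ocx', '*.msi'

# @() keeps the result an array even when no file matches.
$report = @(Get-ChildItem -Path $BuildDir -Recurse -File -Include $patterns |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File        = $_.FullName
            # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            Status      = $sig.Status
            Signer      = if ($cert) { $cert.Subject }  else { '' }
            Issuer      = if ($cert) { $cert.Issuer }   else { '' }
            CertExpires = if ($cert) { $cert.NotAfter } else { $null }
            # Without a timestamp the signature stops verifying
            # once the signing certificate expires.
            Timestamped = [bool]$sig.TimeStamperCertificate
        }
    })

$report | Format-Table File, Status, Signer, CertExpires, Timestamped -AutoSize

# Anything other than Valid fails the check: unsigned files, files modified
# after signing, and signatures that do not chain to a trusted root.
$failed  = @($report | Where-Object { $_.Status -ne 'Valid' })
$untimed = @($report | Where-Object { $_.Status -eq 'Valid' -and -not $_.Timestamped })

if ($untimed.Count -gt 0) {
    Write-Warning "$($untimed.Count) signed file(s) have no timestamp."
}
if ($failed.Count -gt 0) {
    Write-Error "$($failed.Count) file(s) are unsigned or do not verify."
    exit 1
}
```

A file signed with the self-generated certificate from step 1, before a certification authority has issued one, is reported with a status other than Valid unless that certificate has been added to the machine's trusted roots. This matches the note above that only a third-party authenticated certificate makes the application identifiable.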

 
