Digital Signing Complete Guide

What are the goals of Digital Signing?

A digital signature is based on a digital certificate that helps authenticate the identity of the creator of digital information.

Digital certificates verify the identity issued by a trusted third party – what we call a Certification Authority (CA).

CAs issue digital signatures and act as a trusted third party by:

• accepting
• authenticating
• issuing
• maintaining digital certificates

Digital signatures help establish the following authentication measures:

1. Authenticity (the developed software comes from a verified organization)
2. Integrity (the code is not changed or tampered with in any way)

Code signing certificates and timestamp

When a digital signature is applied, a timestamp is also recorded. Timestamping ensures that a signed code is valid even after the digital certificate expires.

Unless you’re adding additional code or making changes to the existing code, you don't need to apply a new signature (even if the initial digital certificate used to sign the code expires).

Let's not confuse code signing certificates with SSL certificates. An SSL certificate is a piece of software that enables HTTPS on a website through the use of public key encryption. It enables the Secure label and padlock in your browser.

If you want to find out more about code signing certificate timestamping, read our Digital Signing: Why You Should Always Include A Timestamp article.

What are the types of code signing certificates?

There are a few options to code sign a certificate. Let's go through them:

1. Standard Code Signing Certificate

Standard code signing certificates are validated by the standard organization.

Applications that are signed with standard code signing certificates will need to build a good reputation.

What does this mean?

From past experience, there is a chance that the reputation gets lost with the renewal. Before purchasing a certificate, always ask the issuer what happens to the reputation when renewing the certificate.

2. EV Code Signing Certificate

EV (Extended Validation) Code Signing certificates provide instant reputation with Microsoft Smart Screen.

Microsoft SmartScreen is a cloud-based anti-phishing and anti-malware component found in various Microsoft products.

EV Code Signing Certificates are SHA256 only, which is one of the strongest hash functions available and the one recommended by Microsoft(Secure Hash Algorithm 256-bit is used for cryptographic security).

3. Self-Signed or Private Code Signing Certificates

Most commonly known as Self-Signed or Private certificates, you can also use a test certificate to sign an application.

This digital signature will be recognized only if the certificate is trusted on the machine. It is also common for large organizations to implement a private CA, internal to the organization, that provides the same features as public CAs, but it is only trusted within the organization.

Where can you get your code signing certificate?

You can purchase a Code Signing certificate from one of the Certificate Authorities below:

• Certum EV code signing certificate
• Entrust EV code signing certificate
• GlobalSign code signing certificate
• Sectigo (formerly Comodo) code signing certificate
• DigiCert code signing certificate

It is worth mentioning that some Certificate Authorities also provide their own tools that you can use to digitally sign your files (from pdf to doc to msi and exe files).

For more information about how to get, add, and update a code signing certificate, check out Manage code signing certificates - Windows drivers | Microsoft Docs documentation.

What are the User Account Control & SmartScreen Filter?

User Account Control is the prompt that we see when we are running an application, be it a setup package or any application that requires admin privileges, signed or not.

Unsigned applications should look like this:

Signed applications look like this:

The SmartScreen filter automatically scans applications, files, downloads, and websites – it blocks dangerous content and warns you before you run unknown applications.

That's why you should keep SmartScreen enabled. It provides an additional layer of security that helps protect your PC, whether you’re using antivirus software or not.

Even if SmartScreen automatically blocks an unknown application that you know is safe, you can always click through the warning to run the application anyway.

How to generate a self-signed certificate?

To generate a self signed certificate, you can use the New-SelfSignedCertificate PowerShell cmdlet:

$cert = New-SelfSignedCertificate -DnsName AdvInstTesting -Type CodeSigning -CertStoreLocation Cert:\CurrentUser\My

To verify that the certificate has been generated, you can use the following command:

Get-ChildItem -Path Cert:\CurrentUser\My | ? Subject -EQ "CN=AdvInstTesting"

To export the certificate, you can use the Export-PfxCertificate cmdlet:

$CertPassword = ConvertTo-SecureString -String "testing" -Force –AsPlainText
Export-PfxCertificate -Cert "cert:\CurrentUser\My\$($cert.Thumbprint)" -FilePath "d:\AdvInstTesting.pfx" -Password $CertPassword

By default, self-signed certificates are valid for 1 year.

Adding a self-signed certificate to the Trusted Root Certification Authorities

Self-signed certificates are not trusted by default, so they need to be added to the Trusted Root Certification Authorities.

The certificate needs to be added under the Trusted Root Certification Authorities for the Local Device and not for the Current User.

To add the certificate, double click on the .pfx file. The Import Certificate wizard will be launched:

Now, you need to enter the password that you set when generating the certificate:

Since it is a self-signed certificate, it needs to be added under the Trusted Root Certification Authorities store:

If the import was successful, then all software products signed using the specific self-signed certificate are trusted.

Check out our Installing a test certificate directly from an MSIX package article to learn how you can quickly install the self-signed certificate embedded within the MSIX package.

Signing your code with a certificate

Microsoft SignTool is the most popular utility tool used to digitally sign timestamp files and verify signatures in files. Since it's a command line tool, it can be easily integrated to automate your code signing process, especially if you need to sign multiple products at once.

For more information about where to get SignTool and the command line options, you can check out our How does code signing work with Microsoft SignTool? article.

Below, you can see how it looks when a code signing process is automated:

Conclusion

Organizations globally are understanding and focusing on the importance of security. They are aware that protecting their infrastructure and using digital signature offers them an extra layer of security.

Moreover, Microsoft itself has started to enforce code signing as a mandatory requirement for those software programs that are delivered using MSIX technology. So, if you plan to migrate to MSIX, then you need to take this into consideration.

If you have questions about MSIX, Advanced Installer is here for you! Just leave a comment below!