Discuss this help topic in SecureBlackbox Forum

Sign executable with Authenticode

SecureBlackbox allows you to sign executable files (.exe and .dll files) using its TElAuthenticodeManager component. The whole process is fairly simple and is described step-by-step below.

  1. Load the signing certificate into a TElX509Certificate object. The signing certificate must contain an associated private key. The private key may be non-exportable (e.g., kept on a hardware device), but it must be usable for signing.
    
    TElX509Certificate signingCert = new TElX509Certificate();
    int res = signingCert.LoadFromFileAuto("signingCert.pfx", "password");
    
  2. Create a new TElAuthenticodeManager object: TElAuthenticodeManager manager = new TElAuthenticodeManager();
  3. Open your executable file with the TElAuthenticodeManager.Open() method: bool signed = manager.Open(@"C:\Bin\program.exe"); This method returns true if the binary is already signed (i.e. it has at least one signature inside). Otherwise, false is returned. If an error occurs, an exception is thrown containing one of the error codes.
  4. Add one or more authenticode signatures with AddSignature():
    
    TElAuthenticodeSignature signatures = signer.AddSignature(
        TSBAuthenticodeDigestAlgorithm.acdSHA256,   // authenticode message digest algorithm
        signingCert,                                // signing certificate you loaded on step 1
        TSBAuthenticodeStatementType.acsIndividual, // statement type - individual or commercial
        "My Authenticode",                          // description of the signature and/or the signer
        "https://www.eldos.com/authenticode",       // originator's URL
        false                                       // pass 'true' to include current time to the signature (in UTC)
    );
    
    This call returns an instance of TElAuthenticodeSignature class for the newly created signature. You can use it to add a timestamp or even to remove the signature and create another one. If an error occurs, an exception is thrown.
  5. Optionally, load the rest of the certificate chain for the signing certificate into TElAuthenticodeSignature.Certificates storage as described here.
  6. Call Save() method and pass a file name for the signed executable: manager.Save(@"C:\Bin\signed_program.exe");
  7. Call Close() in order to close the original file and release allocated resources: manager.Close();
That's it, your file is signed.

How To articles related to MS Authenticode

Discuss this help topic in SecureBlackbox Forum