
Solution ID : SO20528

Last Modified : 05/02/2018

Extended Validation (EV) Code Signing Certificate Signing Instructions

Problem

Sign Microsoft Windows software using an Extended Validation (EV) Code Signing Certificate.

Solution

To sign software using an Extended Validation (EV) Code Signing Certificate, you will first need to download and install the following:

  1. Microsoft Windows SDK 7 or Microsoft Windows SDK 8.1
  2. SafeNet eToken Drivers

The examples below use several of the arguments that SignTool supports. For a complete list of signing options, refer to Microsoft's SignTool documentation.

  • Sign: Configures the tool to sign the intended file.
  • Verify: Verifies the digital signature of files by determining whether the signing certificate was issued by a trusted authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate is valid for a specific policy.
  • /f: Specifies the signing certificate in a file. Only the Personal Information Exchange (PFX) file format is supported.
  • /fd: Specifies the file digest algorithm to use for creating file signatures. The default is SHA1.
  • /n: Specifies the Common Name of a certificate. Use this option if you have certificates issued to more than one organization in your certificate store.
  • /p: If the file is in PFX format protected by a password, use the /p option to specify the password.
  • /pa: Specifies that the Default Authentication Verification Policy is used.
  • /s: Specifies a certificate store (if the certificate is imported into the Personal store, the SPCCertificateStore is MY).
  • /t: Specifies that the digital signature will be timestamped by the Time-Stamp Authority (TSA) indicated by the URL.
  • /tr: Specifies the URL of the RFC 3161 time stamp server. This option cannot be used with the /t option.
  • /v: Specifies the verbose option for successful execution and warning messages.

Important: Symantec recommends that customers use the SHA256 Timestamping service going forward, and not use the SHA1 service unless a legacy platform constraint prevents use of the SHA2 service.

Note: The SHA-1 timestamping URL is http://timestamp.verisign.com/scripts/timstamp.dll
(The timstamp.dll filename is required to conform to the old MS-DOS naming convention.)

The SHA-1 with RFC 3161 timestamping URL is http://sha1timestamp.ws.symantec.com/sha1/timestamp

The SHA-256 with RFC 3161 timestamping URL is http://sha256timestamp.ws.symantec.com/sha256/timestamp

Signing using command line

  1. Insert the SafeNet USB token into the computer.
  2. Go to: Start > Run
  3. Type CMD > click OK
  4. At the command prompt, change to the directory where signtool exists. The default directory is:

    C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin

    NOTE: The directory above may vary.

  5. Run one of the following signing commands:

    SHA-1 with Timestamp:

    signtool.exe sign /s my /t http://timestamp.verisign.com/scripts/timstamp.dll /v "C:\filename.dll"

    NOTE: If there are multiple certificates installed in your Personal certificate store, use the /sha1 option to specify the hash value of the EV Code Signing Certificate.
    This is the thumbprint value of your EV Code Signing Certificate. Remove all spaces from the thumbprint value.
    For example:

    signtool.exe sign /s my /sha1 sha1_thumbprint_value /t http://timestamp.verisign.com/scripts/timstamp.dll /v "C:\filename.dll"

    SHA-256 with RFC 3161 Timestamp:

    signtool.exe sign /s my /fd sha256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp /v "C:\filename.dll"

    NOTE: If there are multiple certificates installed in your Personal certificate store, use the /sha1 option to specify the hash value of the EV Code Signing Certificate. For example:

    signtool.exe sign /s my /sha1 SHA1_hash_value /fd sha256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp /v "C:\filename.dll"
  6. After running one of the above commands, you will be prompted to enter your Token Password.

    Note: If you want to batch sign your files, you will need to enable single logon for the SafeNet Token. Please refer to the following solution: SO20695. Once you have enabled single logon and have logged into the Token, you will be able to batch sign your files without being prompted for the Token Password every time.

  7. Enter the Token Password and click OK.
  8. You will receive a message that the file has been successfully signed.

Test Your Signature
 
The Platform SDK SIGNTOOL.EXE utility contains a command to check a digital signature before distributing your file.

  1. Go to: Start > Run
  2. Type CMD > click OK
  3. At the command prompt, change to the directory where signtool exists
  4. Run the following:

    signtool.exe verify /pa /v "C:\filename.dll"
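The signing procedure and the "Test Your Signature" check above, combined into one batch script (an added example, not the article's own code): it signs with the SHA-256 file digest and RFC 3161 timestamp options shown above, then verifies each file with signtool and with Get-AuthenticodeSignature. It assumes signtool.exe at the SDK 7.1 default path (the $SignTool parameter; adjust if your SDK differs), a SafeNet token inserted with single logon enabled (solution SO20695), and that the placeholder $Thumbprint is replaced with the real thumbprint of your EV certificate.

```powershell
# Added example (not code from the Symantec article): batch-sign files with the EV
# token using the article's SHA-256 / RFC 3161 options, then verify each one.
# Assumed: signtool.exe location ($SignTool), a token with single logon enabled
# (see SO20695), and $Thumbprint replaced with the real EV certificate thumbprint.
param(
    [Parameter(Mandatory)] [string[]] $Files,
    [string] $Thumbprint = 'REPLACE WITH EV CERT THUMBPRINT',
    [string] $SignTool   = 'C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe',
    [string] $TsaUrl     = 'http://sha256timestamp.ws.symantec.com/sha256/timestamp'
)

# The article's note: the value passed to /sha1 must be the thumbprint with all spaces removed.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpper()

# Pre-flight check: the EV certificate must be visible in the Personal ("my") store,
# where the SafeNet driver publishes the token's certificate, and still within validity.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "EV certificate $Thumbprint not found in CurrentUser\My; is the token inserted?" }
if ($cert.NotAfter -lt (Get-Date)) { throw "EV certificate expired on $($cert.NotAfter)" }

$failed = @()
foreach ($file in $Files) {
    # SHA-256 file digest (/fd) plus RFC 3161 timestamp (/tr), selecting the EV
    # certificate by thumbprint (/sha1) as the article does when several are installed.
    # The timestamp is what keeps the signature valid after the certificate itself expires.
    & $SignTool sign /s my /sha1 $Thumbprint /fd sha256 /tr $TsaUrl /v $file
    if ($LASTEXITCODE -ne 0) { $failed += $file; continue }

    # Same check as the article's "Test Your Signature" step: default Authenticode policy.
    & $SignTool verify /pa /v $file
    if ($LASTEXITCODE -ne 0) { $failed += $file; continue }

    # Independent confirmation from PowerShell: status Valid, signed by our certificate,
    # and carrying a timestamp (TimeStamperCertificate is null when no timestamp was applied).
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid' -or
        $sig.SignerCertificate.Thumbprint -ne $Thumbprint -or
        -not $sig.TimeStamperCertificate) {
        $failed += $file
    }
}

if ($failed) { Write-Error "Signing or verification failed for: $($failed -join ', ')"; exit 1 }
Write-Host "All $($Files.Count) file(s) signed, timestamped and verified."
```

Run it as, for example, `.\Sign-Batch.ps1 -Files 'C:\build\app.exe','C:\build\helper.dll' -Thumbprint '<your thumbprint>'`; a non-zero exit code from any file stops it from being treated as release-ready.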

For additional information, refer to the following documents from the Microsoft knowledge base:

http://www.microsoft.com/whdc/driver/64bitguide.mspx

http://msdn.microsoft.com/en-us/library/aa388170

http://msdn.microsoft.com/en-us/library/aa387764(v=VS.85).aspx