
Authenticode

General Information

Authenticode is a Microsoft technology used to identify who has published a piece of software. It uses cryptographic techniques to verify both the integrity of the code and the identity of its publisher: a digital signature over the file, made with a certificate that chains to a trusted certificate authority.

Environment configuration

SHA1 signatures can be produced without any additional configuration, but signing with SHA256 requires CNG to be enabled.

  1. To enable CNG, open the DINAMOcon console with administrator permission (right-click and select Run as Administrator). Once open, click on Local Configuration.

    Console home screen

  2. Select the MS CAPI tab and check the CNG Enabled option.

    MS CAPI parameters

  3. Apply it and return to the start screen. Remember that for this to work, the certificate must also be enabled for the local machine and it must be able to access the HSM. To validate this, simply go to Certificates on the start screen and check the table in the Certificates menu. The certificate icon must appear in the Windows column. If not, simply right-click on the certificate and click Enable.

Signature

Signtool, a Microsoft command-line tool designed for signing, verifying and inserting time stamps into files, will be used as an example.

To use the tool you need:

  • The certificate file.
  • The name of the related MSCAPI container.

  1. To obtain the certificate file, export it from DINAMOcon: in the certificate table, double-click on the certificate.

    Table of certificates

  2. Then click on Details and the Copy to file option.

  3. Choose the option No, do not export the private key.

  4. Select the DER encoded binary X.509 (.CER) format.

  5. Save the file.

  6. In the same certificate table, write down the name of the key container, shown in the Container column of the certificate table, e.g. 523D55BE1A_d282f562-098a-480e-a3ac-88d429900767

    You can also get the container name with the certutil command, by locating the specific certificate in the output list:

    certutil command
    certutil -user -store "My"
    
    Output of the certutil command
    My "Pessoal"
    ================ Certificado 0 ================
    Número de Série: ff000000000000000000000000000001
    Emissor: C=BR, O=ICP-Brasil, OU=AC Dinamo, CN=AC Dinamo Multipla
     NotBefore: 17/11/2020 17:00
     NotAfter: 04/08/2040 17:00
    Requerente: C=BR, O=ICP-Brasil, OU=Autoridade Certificadora Raiz Brasileira v2, OU=AC Dinamo, OU=AC Dinamo     Multipla, OU=Certificado PF A3, CN=Alice Criptografica da Silva:12345670001
    Certificado não raiz
    Hash Cert(sha1): 523d55be1abbfab08c81b647e77a7861e182b17b
      Contêiner da chave = 523D55BE1A_d282f562-098a-480e-a3ac-88d429900767
      Provider = Dinamo HSM Cryptographic Provider
    A chave privada NÃO é exportável
    Teste de assinatura aprovado
    CertUtil: -store : comando concluído com êxito.
    
    The "Contêiner da chave" line gives the name of the key container.
  7. Then simply open the prompt and use the following command:

    Signature command
    signtool.exe sign /f certificado.cer /csp "Dinamo HSM Cryptographic Provider" /v /kc nome_do_container /fd sha256 arquivo.exe
    

    Where:

    • certificado.cer is the certificate file saved in step 5
    • nome_do_container is the container name noted in step 6 (the Container column of the DINAMOcon certificate table)
    • arquivo.exe is the file you want to sign
    • /fd sha256 selects SHA256 as the file digest algorithm, which is why CNG must be enabled
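Step 6 asks you to locate the container name by eye in the certutil listing. The following Python, an added example that is not part of the Dinamo documentation, does that lookup by SHA1 thumbprint over the listing shown above, returns the provider name as well (since /csp and /kc must refer to the same key) and assembles the signing command from this page. certutil output is localized: the Portuguese labels are the ones printed on this page, the English ones are an assumption about a non-localized Windows, and the `build_signtool_command` helper is hypothetical glue, not a Dinamo or Microsoft API.

```python
"""Locate the MSCAPI key container for a certificate in the output of
`certutil -user -store "My"` and build the signtool command from it.

Added example, not part of the Dinamo documentation.
"""
import re
from typing import Dict, List, Optional

# "================ Certificado 0 ================" separates the entries
# (English Windows prints "Certificate"; the regex only relies on the "=" runs).
_SEPARATOR = re.compile(r"^={3,}.*={3,}[ \t]*$", re.MULTILINE)
# Portuguese labels as on this page; English labels assumed for non-localized Windows.
_THUMBPRINT = re.compile(r"(?:Hash Cert|Cert Hash)\(sha1\):\s*([0-9A-Fa-f]{40})")
_CONTAINER = re.compile(r"(?:Contêiner da chave|Key Container)\s*=\s*(\S+)")
_PROVIDER = re.compile(r"^\s*Provider\s*=\s*(.+?)\s*$", re.MULTILINE)

# Listing reproduced from this page (the "(1)" annotation marker removed).
SAMPLE_CERTUTIL_OUTPUT = """\
My "Pessoal"
================ Certificado 0 ================
Número de Série: ff000000000000000000000000000001
Emissor: C=BR, O=ICP-Brasil, OU=AC Dinamo, CN=AC Dinamo Multipla
 NotBefore: 17/11/2020 17:00
 NotAfter: 04/08/2040 17:00
Requerente: C=BR, O=ICP-Brasil, OU=Autoridade Certificadora Raiz Brasileira v2, OU=AC Dinamo, OU=AC Dinamo Multipla, OU=Certificado PF A3, CN=Alice Criptografica da Silva:12345670001
Certificado não raiz
Hash Cert(sha1): 523d55be1abbfab08c81b647e77a7861e182b17b
  Contêiner da chave = 523D55BE1A_d282f562-098a-480e-a3ac-88d429900767
  Provider = Dinamo HSM Cryptographic Provider
A chave privada NÃO é exportável
Teste de assinatura aprovado
CertUtil: -store : comando concluído com êxito.
"""


def parse_certutil_store(text: str) -> List[Dict[str, str]]:
    """Return one dict per certificate entry: thumbprint (lowercase), container, provider."""
    entries = []
    for chunk in _SEPARATOR.split(text):
        thumb = _THUMBPRINT.search(chunk)
        if not thumb:
            continue  # store header or trailer text, not a certificate entry
        container = _CONTAINER.search(chunk)
        provider = _PROVIDER.search(chunk)
        entries.append({
            "thumbprint": thumb.group(1).lower(),
            "container": container.group(1) if container else "",
            "provider": provider.group(1) if provider else "",
        })
    return entries


def find_container(text: str, thumbprint: str) -> Optional[Dict[str, str]]:
    """Find the entry whose SHA1 thumbprint matches and that actually has a key container."""
    wanted = thumbprint.replace(" ", "").lower()
    for entry in parse_certutil_store(text):
        if entry["thumbprint"] == wanted and entry["container"]:
            return entry
    return None


def build_signtool_command(entry: Dict[str, str], cert_file: str, target: str) -> List[str]:
    """Assemble the argv of the signing command shown on this page (hypothetical helper)."""
    return [
        "signtool.exe", "sign",
        "/f", cert_file,
        "/csp", entry["provider"],
        "/v",
        "/kc", entry["container"],
        "/fd", "sha256",
        target,
    ]


if __name__ == "__main__":
    hit = find_container(SAMPLE_CERTUTIL_OUTPUT, "523D55BE1ABBFAB08C81B647E77A7861E182B17B")
    print(build_signtool_command(hit, "certificado.cer", "arquivo.exe"))
```

Matching on the thumbprint rather than on the subject name avoids picking a renewed or similarly named certificate when the store holds several; the thumbprint is the same value shown in the certificate's Details tab.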

Verification

Checking a code file signed with standard Authenticode can be done with the signtool program or by displaying the file properties (Digital Signatures tab).

To do the check properly with signtool it is necessary to include the /pa option, so that the Default Authenticode Verification Policy is used instead of the Windows Driver Verification Policy.

Check command
signtool verify /pa /v dinamo-4.7.31-x64-setup.msi
Command output
Verifying: dinamo-4.7.31-x64-setup.msi

Signature Index: 0 (Primary Signature)
Hash of file (sha256): 9BD26CD80866476402B36FA9EF19C8F72285E4FA8BECA451AC36100F514A562E

Signing Certificate Chain:
   Issued to: AAA Certificate Services
   Issued by: AAA Certificate Services
   Expires:   Sun Dec 31 20:59:59 2028
   SHA1 hash: D1EB23A46D17D68FD92564C2F1F1601764D8E349

      Issued to: Sectigo Public Code Signing Root R46
      Issued by: AAA Certificate Services
      Expires:   Sun Dec 31 20:59:59 2028
      SHA1 hash: 329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692

            Issued to: Sectigo Public Code Signing CA R36
            Issued by: Sectigo Public Code Signing Root R46
            Expires:   Fri Mar 21 20:59:59 2036
            SHA1 hash: 0BC5E76773D2E44FC9903D4DFEFE451553BBEC4A

               Issued to: Dinamo Networks
               Issued by: Sectigo Public Code Signing CA R36
               Expires:   Tue Mar 14 20:59:59 2023
               SHA1 hash: D2E94D57511E818732108F8D56F96397600078B3

The signature is timestamped: Wed Aug 31 19:26:34 2022
Timestamp Verified by:
   Issued to: DigiCert Assured ID Root CA
   Issued by: DigiCert Assured ID Root CA
   Expires:   Sun Nov 09 21:00:00 2031
   SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

      Issued to: DigiCert Trusted Root G4
      Issued by: DigiCert Assured ID Root CA
      Expires:   Sun Nov 09 20:59:59 2031
      SHA1 hash: A99D5B79E9F1CDA59CDAB6373169D5353F5874C6

            Issued to: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
            Issued by: DigiCert Trusted Root G4
            Expires:   Sun Mar 22 20:59:59 2037
            SHA1 hash: B6C8AF834D4E53B673C76872AA8C950C7C54DF5F

               Issued to: DigiCert Timestamp 2022 - 2
               Issued by: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
               Expires:   Mon Mar 14 20:59:59 2033
               SHA1 hash: 8508F386515CB3D3077DB6B4B7C07F1B4A5E41DE


Successfully verified: dinamo-4.7.31-x64-setup.msi

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
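The output above says only that the signature chains to a trusted root under the /pa policy; it does not say who signed. A release pipeline should also pin the expected publisher (the last "Issued to" in the signing certificate chain) and require a timestamp, which is what keeps the file verifiable after the signing certificate expires (the Dinamo Networks certificate above expired in March 2023, while the timestamped signature still verifies). The following Python, an added example and not part of this page, parses the `signtool verify /pa /v` output shown above into a report and applies those checks. The sample is the page's own output trimmed to the lines the parser uses; it assumes a single primary signature, as in that output.

```python
"""Parse `signtool verify /pa /v` output and gate a release on it.

Added example, not part of the Dinamo documentation.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Trimmed from the verification output shown on this page.
SAMPLE_VERIFY_OUTPUT = """\
Verifying: dinamo-4.7.31-x64-setup.msi

Signature Index: 0 (Primary Signature)
Hash of file (sha256): 9BD26CD80866476402B36FA9EF19C8F72285E4FA8BECA451AC36100F514A562E

Signing Certificate Chain:
   Issued to: AAA Certificate Services
   Issued by: AAA Certificate Services

      Issued to: Sectigo Public Code Signing Root R46
      Issued by: AAA Certificate Services

            Issued to: Sectigo Public Code Signing CA R36
            Issued by: Sectigo Public Code Signing Root R46

               Issued to: Dinamo Networks
               Issued by: Sectigo Public Code Signing CA R36
               Expires:   Tue Mar 14 20:59:59 2023

The signature is timestamped: Wed Aug 31 19:26:34 2022
Timestamp Verified by:
   Issued to: DigiCert Assured ID Root CA
   Issued by: DigiCert Assured ID Root CA

               Issued to: DigiCert Timestamp 2022 - 2
               Issued by: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA

Successfully verified: dinamo-4.7.31-x64-setup.msi

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
"""


@dataclass
class VerifyReport:
    verified: bool                 # "Successfully verified:" line present
    errors: Optional[int]          # None when the summary counters are missing
    warnings: Optional[int]
    file_hash: Optional[str]       # "Hash of file (sha256)" value
    signing_chain: List[str]       # "Issued to" names, root first, signer last
    timestamp: Optional[str]       # value of "The signature is timestamped:"
    timestamp_chain: List[str]     # TSA chain, root first


def _issued_to(block: str) -> List[str]:
    return re.findall(r"Issued to:\s*(.+?)\s*$", block, re.MULTILINE)


def _counter(text: str, label: str) -> Optional[int]:
    m = re.search(rf"{re.escape(label)}:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def parse_signtool_verify(text: str) -> VerifyReport:
    # Layout as on this page: one primary signature, the optional timestamp
    # chain, then the summary counters. Assumption: several "Signature Index"
    # sections (multi-signed files) are not separated here.
    before_ts, _, after_ts = text.partition("Timestamp Verified by:")
    signing_block = before_ts.partition("Signing Certificate Chain:")[2]
    ts = re.search(r"The signature is timestamped:\s*(.+?)\s*$", text, re.MULTILINE)
    digest = re.search(r"Hash of file \(sha256\):\s*([0-9A-Fa-f]{64})", text)
    return VerifyReport(
        verified=re.search(r"^Successfully verified:", text, re.MULTILINE) is not None,
        errors=_counter(text, "Number of errors"),
        warnings=_counter(text, "Number of warnings"),
        file_hash=digest.group(1).upper() if digest else None,
        signing_chain=_issued_to(signing_block),
        timestamp=ts.group(1) if ts else None,
        timestamp_chain=_issued_to(after_ts),
    )


def check_signature(report: VerifyReport, expected_signer: str,
                    require_timestamp: bool = True) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons); every failed condition is listed, not only the first."""
    reasons: List[str] = []
    if not report.verified:
        reasons.append("signtool did not report 'Successfully verified'")
    if report.errors != 0:
        reasons.append(f"error counter is {report.errors!r}, expected 0")
    if not report.signing_chain:
        reasons.append("no signing certificate chain found")
    elif report.signing_chain[-1] != expected_signer:
        reasons.append(f"signer is {report.signing_chain[-1]!r}, expected {expected_signer!r}")
    if require_timestamp and report.timestamp is None:
        reasons.append("signature is not timestamped")
    return (not reasons, reasons)


if __name__ == "__main__":
    print(check_signature(parse_signtool_verify(SAMPLE_VERIFY_OUTPUT), "Dinamo Networks"))
```

Run it over the captured stdout of the verify command; signtool's own exit status should still be checked as well, since the text parse is a second gate on top of it, not a replacement for it.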

Digital signature property of the file