Visual Basic Concepts
Digital Signing for ActiveX Components
Internet Explorer's default security settings require that any software available for download must have a digital signature before download can occur. A digital signature provides a way to verify:
The contents of a file.
That the file comes from a responsible source.
Signatures verify content by providing a means of ensuring that a file's contents have not been altered since it was first made available for download. A digital signature verifies the source by identifying the legal entity that created the software. When you include a signature with a piece of downloadable software, you are the legal entity. The legal entity may be held responsible for any destruction caused by signed software when it is downloaded or run.
Software That Should Be Signed
There are five types of files to which you can apply a digital signature:
.exe files
.dll files
.ocx files
.vbd files
If you are providing one of these types of files for download, you should establish a digital signature for it.
Note Normally, it is sufficient to sign only the .cab file in which your components are packaged. However, if you intend to distribute an .ocx, .exe, .vbd or .dll without packaging it in a .cab file, you should sign the component itself.
You provide a digital signature by purchasing a certificate from a certificate authority. A certificate authority is a company that validates your identity and issues a certificate to you. The certificate contains your digital signature and is a verification of your credentials. In the event of any problems, the certificate authority becomes a witness to your identity.
Public Keys and Private Keys
You use a technology called Authenticode™ when working with digital signatures. The goal of Authenticode is to deter the distribution of potentially harmful code by creating accountability. Authenticode verifies the publisher of a piece of code to Internet end users who are downloading it. In addition, Authenticode ensures users that the code has not been altered after the signature was applied.
Authenticode technology is derived from public key signature technology. Public key signature technology uses what are known as key pairs to encrypt data. Key pairs are used to encrypt and decrypt files. In public key technology, a public key and a private key ensure the privacy of files. A public key is used to encrypt the data, and a private key is used to decrypt it. While this is a successful means of protecting smaller files such as e-mail messages, the process is time consuming for larger files. Authenticode is the modified form of this technology, designed for use with larger files.
Authenticode and Signing
The following steps occur in the Authenticode process:
When the developer signs the file, a number called a hash is calculated. The hash number represents the total bytes in the file. This number is encrypted using a private key and inserted into the file. The developer then packages and deploys the file to a Web server.
When a user downloads or installs the file, their computer calculates a second hash number and compares it to the original. If the numbers match, the content is verified.
The browser uses the public key to determine your identity and the certificate authority that provided the digital signature.
The certificate authority verifies the source's identity and issues a certificate that contains the source's name encrypted with the private key.
The browser uses the private key to decrypt the file. Installation proceeds.
The Authenticode software utility you need to apply a digital signature can be found in the ActiveX SDK, available for download from Microsoft's Internet site. The digital signature must be obtained from an issuing authority such as GTE or VeriSign, Inc.
For More Information See the Internet/Intranet/Extranet Services SDK on your MSDN Library CD-ROM for more information on how to download the ActiveX SDK. For more information on public and private encryption, search the Internet for RSA or public-key signatures.
Safeguarding Your Certificate
It is very important to keep your certificate safe because your firm guarantees any file signed with the certificate, regardless of whether the signature was authorized or not. You should keep the certificate with the certificate authority that issued it and send files there for signing or, if you keep the certificate on site, strictly control access to it.
For More Information See the Authenticode link on the Microsoft Security Advisor table of contents on the Microsoft Web site at https://www.microsoft.com/security to learn the latest about security and digital signing.
How to Sign Your Code
You can sign any .ocx, .exe, .dll, .vbd or .cab file you intend to distribute. There are two main steps to perform when you sign code. First, you must apply for a certificate, then you sign your code.
To sign your code
Apply for a certificate from a certificate authority. See https://msdn.microsoft.com/workshop/security/authcode/certs.asp for instructions on obtaining a certificate.
Get the latest tools for signing files and checking signatures. See https://msdn.microsoft.com/library/default.asp?URL=/library/psdk/crypto/cryptotools\_4739.htm.
Prepare your files to be signed. If you are signing any .exe, .ocx, .vbd or .dll file, you do not need to do anything special. If you are signing a .cab file, you must add the following entry to your .ddf file and remake your .cab file:
.Set ReservePerCabinetSize=6144
Sign your files using signcode.exe. The following is an example of how you might sign a file:
Signcode -prog myfilename -name displayname -info http://www.mycompany-inc-10.com - spc mycredentials.spc -pvk myprivatekey.pvk
Test your signature:
To test a signed .exe, .dll, .vbd or .ocx file, run chktrust *filename
*where filename is the name of the file you signed.To test a signed .cab file, run chktrust -c cabfilename.cab
where cabfilename is the name of the .cab file you signed.
If your signing process was successful, either of these tests will display your certificate.