Code signing

PSLorde
Posts: 11
Joined: Sat Oct 17, 2015 6:15 pm

Code signing

Post by PSLorde »

Which code signing do you recommend using?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Code signing

Post by madshi »

I suppose you're asking which certificate provider I recommend?

Depends on whether you need to support Windows 10 with SecureBoot enabled. If you do, you'll have to get one of those "EV" Code Signing Certificates. See more details here:

http://blogs.msdn.com/b/windows_hardwar ... ws-10.aspx

Only a few providers can offer those. E.g. try digicert.
PSLorde
Posts: 11
Joined: Sat Oct 17, 2015 6:15 pm

Re: Code signing

Post by PSLorde »

Yeah, my problem is with secure boot. If I sign my code, will it work without disabling secure boot? Do you know anything about Comodo code signing https://cheapsslsecurity.com/comodo/cod ... kQodTO0GEA

I use AppInit_DLLs to load my DLLs, but only if secure boot is disabled.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Code signing

Post by madshi »

I don't think Comodo supports EV certificates yet, but I don't really know for sure, you'd need to ask them.

Usually you only need to sign drivers. If you use AppInit_DLLs, then I don't know if you need to sign at all. Of course signing everything helps with avoiding anti-virus false positives. But if we're only talking about user mode dlls and exes, then you probably don't need an EV certificate, and a normal certificate should suffice (if you need one at all). I don't really have any knowledge about AppInit_DLLs, though, so I can't tell you if it needs signed dlls or not.
PSLorde
Posts: 11
Joined: Sat Oct 17, 2015 6:15 pm

Re: Code signing

Post by PSLorde »

If I sign my DLL, do you think I will still need to disable secure boot?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Code signing

Post by madshi »

As I said, I've no knowledge about AppInit_DLLs.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Code signing

Post by iconic »

@PSLorde

AppInit_DLLs registry key only takes effect after rebooting and can be disabled on newer OS versions via a separate registry key. That method only injects into processes that link against user32.dll so it's no better than SetWindowsHookEx. Why use it?

--Iconic
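As an added defender-side check (not code from iconic or from the madCodeHook project), the script below audits the AppInit_DLLs configuration iconic describes: the DLL list itself, the separate LoadAppInit_DLLs value that enables or disables the mechanism on newer Windows versions, and the RequireSignedAppInit_DLLs value that restricts loading to signed DLLs. Both the 64-bit and the Wow6432Node (32-bit) keys are read; the key names and value names are the documented Windows ones, and the "finding" wording is this example's own interpretation.

```powershell
# Added example: audit AppInit_DLLs settings on the local machine.
# Key paths and value names are the standard Windows ones; the interpretation logic is ours.

function Get-AppInitDllConfig {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',              # 64-bit processes
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # 32-bit processes on x64
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key

        $dlls          = [string]$props.AppInit_DLLs                    # space/comma separated paths, empty when unused
        $loadEnabled   = ($props.LoadAppInit_DLLs -eq 1)                # the "separate registry key" that switches loading on/off
        $requireSigned = ($props.RequireSignedAppInit_DLLs -eq 1)       # when set, only code-signed DLLs are loaded

        # A non-empty DLL list that is actually enabled is worth a closer look on a machine you defend.
        $finding = if ($dlls.Trim() -ne '' -and $loadEnabled) { 'AppInit DLLs are configured and enabled' }
                   elseif ($dlls.Trim() -ne '')                { 'AppInit DLLs configured but loading is disabled' }
                   else                                        { 'no AppInit DLLs configured' }

        [pscustomobject]@{
            Key           = $key
            AppInit_DLLs  = $dlls
            LoadEnabled   = $loadEnabled
            RequireSigned = $requireSigned
            Finding       = $finding
        }
    }
}

Get-AppInitDllConfig | Format-List
```

Because the DLL list is only honoured when LoadAppInit_DLLs is 1, an audit that reads AppInit_DLLs alone can report a stale entry that no longer loads anything; reporting all three values together avoids that mistake.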
choochy2003
Posts: 88
Joined: Fri Mar 21, 2008 4:52 am
Location: Adelaide, South Australia

Re: Code signing

Post by choochy2003 »

A note about code signing with an EV code signing certificate: as these certificates use a SHA2 hashing algorithm, they are not compatible with anything lower than Windows 8. SHA2 EV Code Signing certificates are not supported on Windows XP, Vista or 7 (for now). So you will either have to ship 2 versions of your files for the different OS groups (the cheaper option), or you can double sign your files with both a SHA1 and a SHA2 certificate. I have not yet tried the latter, however the order of signing is apparently important. The SHA1 certificate must be the first in the chain.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Code signing

Post by madshi »

choochy2003 wrote:
A note about code signing with an EV code signing certificate: as these certificates use a SHA2 hashing algorithm, they are not compatible with anything lower than Windows 8. SHA2 EV Code Signing certificates are not supported on Windows XP, Vista or 7 (for now). So you will either have to ship 2 versions of your files for the different OS groups (the cheaper option), or you can double sign your files with both a SHA1 and a SHA2 certificate. I have not yet tried the latter, however the order of signing is apparently important. The SHA1 certificate must be the first in the chain.

Interesting! How does double signing work? You simply run signtool twice?
choochy2003
Posts: 88
Joined: Fri Mar 21, 2008 4:52 am
Location: Adelaide, South Australia

Re: Code signing

Post by choochy2003 »

Yes, dual-signing requires you to run SignTool twice, using the /as switch on your second call. The /as switch just commands SignTool to append the signature. The other caveats are that you must use the VS2012 (or newer) developer command prompt for SHA2 signing and that you use the http://timestamp.geotrust.com/tsa timestamp server in place of the timestamp.verisign.com server that you use for your SHA1 certificate.
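The dual-signing procedure described in this thread, written out as an added PowerShell example (it is not choochy2003's or madshi's own script): a SHA-1 signature first, then the SHA-256 signature appended with /as, then a verification of every signature in the file. The certificate thumbprints and the file name are placeholders; the certificates are assumed to be in the current user's certificate store (which is how a token-backed EV certificate is normally exposed), and the Verisign URL path is the commonly used Authenticode timestamp endpoint, not something quoted on this page.

```powershell
# Added example: dual-sign a PE file (SHA-1 primary signature, SHA-256 appended) and verify both.
# Run from a VS2012-or-newer developer prompt (or any shell with signtool.exe on PATH).
param(
    [Parameter(Mandatory)] [string] $File,                  # e.g. .\MyHookDll.dll (placeholder)
    [string] $Sha1Thumbprint = '0000000000000000000000000000000000000000',  # placeholder: standard cert, in cert store
    [string] $EvThumbprint   = '1111111111111111111111111111111111111111',  # placeholder: EV cert, token-backed, in cert store
    [string] $Sha1Timestamp  = 'http://timestamp.verisign.com/scripts/timstamp.dll',  # assumed Authenticode (/t) endpoint
    [string] $Sha2Timestamp  = 'http://timestamp.geotrust.com/tsa'                    # RFC 3161 (/tr) endpoint named in the thread
)
$ErrorActionPreference = 'Stop'

function Invoke-SignTool {
    param([string[]] $SignToolArgs)
    & signtool.exe @SignToolArgs
    if ($LASTEXITCODE -ne 0) {
        throw "signtool failed with exit code $LASTEXITCODE: signtool $($SignToolArgs -join ' ')"
    }
}

# 1. Primary signature: SHA-1 file digest, legacy Authenticode timestamp.
#    This one has to go first so that Windows XP/Vista/7 see a signature they understand.
Invoke-SignTool @('sign', '/sha1', $Sha1Thumbprint, '/fd', 'sha1', '/t', $Sha1Timestamp, $File)

# 2. Appended signature: SHA-256 digest, RFC 3161 timestamp with a SHA-256 timestamp digest.
#    Without /as this call would REPLACE the SHA-1 signature instead of adding a second one.
Invoke-SignTool @('sign', '/sha1', $EvThumbprint, '/fd', 'sha256', '/tr', $Sha2Timestamp, '/td', 'sha256', '/as', $File)

# 3. Verify every signature in the file, not only the primary one.
Invoke-SignTool @('verify', '/pa', '/all', '/v', $File)
```

Two points worth knowing when checking the result: `signtool verify` without `/all` only validates the primary (SHA-1) signature, and PowerShell's Get-AuthenticodeSignature likewise reports only the first signature, so neither tells you on its own whether the appended SHA-256 signature is present and valid.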
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Code signing

Post by madshi »

Ok, thank you!