Code-signing Windows executables using Authenticode

by

I’ve recently made a Windows installer (in the form of a WinRAR self-extracting archive) available for download to one of our clients. When testing out the download link (which is currently just secured using HTTP Basic Auth), I chose to “Run” the installer directly and was presented with Microsoft’s SmartScreen Application Reputation feature, introduced with IE9 in 2010. For an infrequently downloaded, unsigned installer package, the dialog that appears after the installer has downloaded and Windows has run its security scan looks like this:
SmartScreen Application Reputation warningThis is obviously fairly intimidating to the end user. To complete the download and run the installer, the user must click “Actions”, which displays a screen noting that the publisher is unknown, that SmartScreen Filter “reported that this program is not commonly downloaded and is not signed by its author” and presenting three options:

  • Don’t run this program (recommended)
  • Delete program
  • Run anyway

The “Don’t run this program” option is selected by default. This is bespoke software, so it’s never going to be “commonly downloaded”, but is there anything we can do to make the process less user hostile? The first port of call was to obtain a code-signing certificate to use with Microsoft’s Authenticode program. The process is summarized in this MSDN blog post from 2011, but I thought it would be worth documenting the process here since the nuts and bolts of it don’t all seem to be in one place anywhere else:

1. Obtain a code-signing certificate

Since DigiCert were on our client’s list of approved certificate providers, we ordered a 1-year code signing certificate which, at the time of writing, cost $223. After an email asking to confirm the order and a telephone call from DigiCert to confirm contact details, DigiCert emailed through a link to create and download the certificate. Since I was downloading the certificate onto an OS X machine in Chrome, the certificate was automatically added to the login Keychain. If you downloaded the certificate using IE or Chrome in Windows, you can skip to step 3 as the certificate should already be in the Windows certificate store.

2. Export certificate to a .p12 file from Keychain Access

Select the downloaded certificate in your Keychain, ensuring that you’ve first selected the appropriate Keychain and the “My Certificates” category to the left:
Keychain export
Then choose File > Export Items… and save the certificate in “Personal Information Exchange (.p12)” format. After choosing the file location, you’ll be prompted to set a password for the exported certificate (and then for the Administrator password to actually export the certificate):Keychain export 3

3. Install signtool in Windows

With the certificate exported to a .p12 file, it’s now time to sign your Windows executable. This is best done in Windows using Microsoft’s signtool command line utility. More information about the utility can be found over at MSDN, but you’ll first need to ensure that it’s installed. The utility is bundled with Microsoft Visual Studio 2005 or later and is included in the Microsoft Windows SDK. If you’ve gone down the route of installing the Windows SDK, you should find that signtool is installed here: C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin

4. Sign the executable

Since I downloaded the certificate in OS X, the appropriate signtool incantation references the .p12 file exported in step 2:

>signtool sign
/t http://timestamp.digicert.com
/f "C:\path\to\certificate.p12"
/p password_you_set_during_p12_export
/a "C:\path\to\the\executable\you\want\to\sign.exe"

Note that the timestamp server option specified by \t is optional, but since it adds a cryptographically-verifiable timestamp to the signature, it proves that the executable was signed when the certificate was still valid, obviating the need to re-sign every signed executable at the time of certificate expiry. Each certificate authority has its own timestamp server, which you should be able to locate in their documentation.

After running the above command (without the /f and /p options if you downloaded the certificate in Windows in the first place), you should see the following at the command prompt:

Done Adding Additional Store
Successfully signed and timestamped: C:\path\to\the\executable\you\want\to\sign.exe

And that’s it. Your executable is now cryptographically signed. You can verify this in Windows, by selecting the executable in Windows Explorer, selecting File > Properties and switching to the Digital Signatures tab, under which the timestamped signature should be listed.

Conclusion

The process of signing a Windows executable with a cryptographic signature is relatively straightforward, but unfortunately this isn’t the end of the road for bespoke software providers who are trying to appear reputable to their users. Once we re-uploaded the file to our web server and downloaded it again, the only change from the end-user perspective was that the SmartScreen warning had a yellow banner in place of the red banner and the red warning “shield” from the original dialog had disappeared:
SmartScreen Application Reputation warning after signing
Clicking “Actions” brings up a dialog with exactly the same layout as with the unsigned executable (including a red “shield”), but the publisher is now listed and the text changes from this:

SmartScreen Filter reported that this program is not commonly downloaded and is not signed by its author.

to this:

SmartScreen Filter reported that this program is not commonly downloaded.

Both dialogs still include the text “If you received this program as an unexpected solicitation, link, or attachment, it might be an attempt to fool you. We recommend that you delete it.” and the recommended option is still “Don’t run this program”:
SmartScreen filter after signing

So the problem we’re having is now exclusively one of “reputation” from the perspective of Microsoft’s SmartScreen Application Reputation software, the workings of which are entirely opaque to us. So the next step here is to upgrade to an Extended Validation (EV) certificate and sign the installer using that. From the MSDN article:

“These certificates tend to be more expensive and harder-to-use (requiring security token hardware) but have the benefit of providing faster accumulation of reputation for SmartScreen.”

Although we don’t have the certificate just yet, DigiCert customer service have already been very good about the upgrade to an EV certificate. They credited back the $223 for our standard certificate back within a couple of hours and won’t revoke the certificate until we confirm receipt of the hardware “e-token” required for EV certificate signing. More to follow!

Update June 25th, 2014: Success with the EV certificate!

The science behind Spaces

by

Spaces, as I’m sure you’re aware, is one of Leopard’s headline features and (finally) adds virtual desktops to Mac OS X. AppleInsider’s “Road to Leopard” feature covers Spaces in quite some detail from a user perspective, but what about from a developers point of view?

As it turns out, there’s a fair bit of history behind virtual desktops on Mac OS X, even though they’ve only become officially supported in Leopard. Over the years, there have been at least three implementations of virtual desktops on OS X, including Desktop Manager, VirtueDesktops and VirtualDesktop Pro.

Crucial to the emergence of the first two of these virtual desktop solutions is Richard Wareham, who did some sterling work on reverse engineering numerous private Core Graphics (CG) system calls. (Core Graphics is an umbrella term that includes Quartz 2D, Quartz Display Services and Quartz Events Services and is often used interchangeably with Quartz.)

Wareham was the sole developer behind Desktop Manager, which relied on his CG reverse engineering for the core of its functionality. He kindly made his work freely available to the developer community in the form of CGSPrivate.h, a header file containing the low-level graphics calls he’d uncovered. In 2005, Wareham actually wrote an OSNews article about some of his reverse engineering efforts when he was updating CGSPrivate for Tiger.

So Desktop Manager was, in Wareham’s words, the “original ‘virtual desktop on a cube’ application for OS X”. A little later, sometime in mid-2004, Thomas Staller made public a Desktop Manager rival project called VirtueDesktops, based in part on CGSPrivate.h (and, like all the aforementioned virtual desktop managers, Wolf Rentzsch’s mach_inject for Dock code injection — unsupported virtual desktops are a messy business if you’re not Apple!). VirtueDesktop development stalled for a while, but was revived in late 2005 by Tony Arnold who worked alongside Rentzsch to get it working under Tiger. There’s a great post Spaces-announcement interview with Arnold on MacApper, which reveals a lot of history about virtual desktops on OS X.

Specifically, Arnold shares two interesting titbits: 1. The Core Graphics calls that Wareham uncovered (the likes of CGSSetWorkspaceWithTransition and CGSGetWorkspaceWindowList) have been present “for at least 2 major revisions” (which I interpret to mean pre-Panther) and 2. Arnold “heard unsubstantiated rumours from a very credible source that Apple has had virtual desktops working internally for longer again.” So it seems that Apple has been working on underpinnings of Spaces for a fairly long time.

How exactly Spaces is implemented in Leopard remains a mystery at the moment, although it would be fair to expect that Apple is building on the functionality exposed in CGSPrivate.h possibly with a bit of Core Animation magic thrown in…

From a third-party developer point of view, there’s a surprising scarcity of programmatic access to Spaces. There is only one class, NSWindow, that has been updated with Spaces-specific methods: -(void)setCollectionBehavior: and -collectionBehavior. These determine whether a window appears on all Spaces (like the menu bar), moves to the current Space (like the Find panel) or just stays put on one Space (like a document window). There’s no (public) programmatic method to switch to a different space (without resorting to clumsy AppleScript), discover the current space or move a window to a difference space.

On the positive side, this does mean that windows won’t be flying around the place at the whim of developers, but it is a bit of a shame that haven’t given developers access to this. Doubly so considering that there’s no native “bringAllDocumentsToSpace:” method in NSDocumentController (or NSWindowController or anywhere).

Anyhow, developer woes aside, it’s great to see virtual desktops finally built in to OS X and (for me, at least) it’s been quite interesting to read how the various third parties had bravely implemented it in previous versions.

Safari enhancements

by

Aside from the improved “resolution independence readiness” and the features on the so-called Sparta list, Safari has seen a couple of extra enhancements:

Improved element inspector
This new inspector has been in the nightly builds since June and is a massive improvement over the previous HUD-style inspector. To my constant amazement, the whole inspector is implemented in Javascript, CSS and HTML and looks like this:
web-inspector.png

It really is a brilliant tool, particularly the global text search field, HTML syntax highlighting and, as shown in the image above, the resource load timeline.

Automatic image downscaling
Finally, Apple has added automatic image resizing when a single image is loaded in a Safari window. Now, when an image is loaded into a Safari window that is too narrow/short to display the whole image, it is scaled down to fit and the mouse cursor changes to a ‘+’ magnifying glass.

Two-up PDF viewing
As well as the advertised PDF HUD (so many TLAs!) interface for zooming, opening in Preview and downloading, Safari in Leopard sees the addition of an option to view PDFs two pages abreast, which is nice for those people with larger screens:
2-up1.png

Mobile Safari user agent string
If you like your Safari with its Debug menu on (defaults write com.apple.Safari IncludeDebugMenu 1), there are a couple of small additions here as well. The first is the addition of a “Start Stress Test” menu item – not massively exciting. The second is the addition of “Mobile Safari 1.0” (and indeed Safari 2.0.4) as a User Agent option, so you can fool websites into thinking you’re browsing from an iPhone or iPod touch. Might be useful on the odd occasion…