Author Topic: Code-sign certificate  (Read 577 times)

JonasS

  • Regular Member
  • *
  • Posts: 15
Code-sign certificate
« on: January 13, 2020, 12:21:44 AM »
Hi, I need to produce a self-signed codesign certificate for both SHA1 and SHA256 to be used inside the company.
I can make a certificate with the PowerShell or with Makecert.
I know I can do it using the API but have not much of a clue about it. Does anybody have experience with that?
Thanks!

AW

  • Member
  • *****
  • Posts: 2583
  • Let's Make ASM Great Again!
Re: Code-sign certificate
« Reply #1 on: January 13, 2020, 06:28:14 AM »
> Hi, I need to produce a self-signed codesign certificate for both SHA1 and SHA256 to be used inside the company.
> I can make a certificate with the PowerShell or with Makecert.
> I know I can do it using the API but have not much of a clue about it. Does anybody have experience with that?
> Thanks!

Some Platform SDKs have a section on CryptoApi and a sample on how to create a certificate, I think only for SHA1. I don't know if the SHA1 sample can be adjusted for SHA256 and further on to dual signing.

JonasS

Re: Code-sign certificate
« Reply #2 on: January 13, 2020, 10:00:58 PM »
Hi AW,
Thank you. I found the example you refer to; I will have a look at it.
This is very difficult.
I need 2 certificates to sign an application for SHA1 and SHA256.

AW

Re: Code-sign certificate
« Reply #3 on: January 14, 2020, 01:56:41 AM »
Yes, these matters are indeed difficult.

> I need 2 certificates to sign an application for SHA1 and SHA256.

I think one certificate can do both (The SHA256 covering both), I have seen certificates doing it.
But I will check that in more detail in the next few days.

AW

Re: Code-sign certificate
« Reply #4 on: January 17, 2020, 05:01:19 AM »
After a lot of experimentation, since this matter has been brought up by Jonas, I got it right.
I am going to turn it into full-blown software, because I think it fills a market need - there is really nothing with this scope.
The market need is that people hate warnings about unknown publishers and there is no straightforward workaround.
Notice that my software also produces certificates with the time stamp countersignature from known Authorities (no trick, they are real).




Thank you Jonas! I will come back to you when I have finished all this.

 :thumbsup:

jj2007

  • Member
  • *****
  • Posts: 10468
  • Assembler is fun ;-)
    • MasmBasic
Re: Code-sign certificate
« Reply #5 on: January 17, 2020, 05:33:03 AM »
> Hi, I need to produce a self-signed codesign certificate for both SHA1 and SHA256 to be used inside the company.

Your boss feels ok with it?

Self-Signed Certificates: Cyber-criminals Are Turning This Strength into a Vulnerability

AW

Re: Code-sign certificate
« Reply #6 on: January 17, 2020, 06:29:38 AM »
Most of these articles are financed by the great digital certificate ripoff invented by Microsoft.

For internal company use, self-signed certificates may be safer than the ones issued by the Certification Authorities (see links below). Self-signed does not mean that anyone can produce one and sign as if it were the original. Clones have different fingerprints, so it is easy to detect that they are not the original.

https://www.securityweek.com/use-fake-code-signing-certificates-malware-surges
https://www.zdnet.com/article/hackers-are-selling-legitimate-code-signing-certificates-to-evade-malware-detection/
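
The fingerprint point in Reply #6, as an added PowerShell example that is not part of the thread and not AW's software: two self-signed code-signing certificates with the same subject get different thumbprints, so a verifier that pins the thumbprint rejects the look-alike. The subject name, file path and the `Test-PinnedSigner` helper are constructed for illustration.

```powershell
# Added example: subject, path and helper name are hypothetical.
$subject = 'CN=Example Internal Code Signing'

# The "original" internal certificate and a clone with the identical subject.
$params = @{
    Type              = 'CodeSigningCert'
    Subject           = $subject
    HashAlgorithm     = 'SHA256'
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048
    CertStoreLocation = 'Cert:\CurrentUser\My'
}
$original = New-SelfSignedCertificate @params
$clone    = New-SelfSignedCertificate @params

# Thumbprint = SHA-1 over the DER-encoded certificate; this is the value
# that would be distributed to the machines doing the verification.
$pinned = $original.Thumbprint

function Test-PinnedSigner {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $PinnedThumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Reject unsigned files and files modified after signing.
    if ($sig.Status -in 'NotSigned', 'HashMismatch') { return $false }
    if ($null -eq $sig.SignerCertificate) { return $false }
    # Compare the thumbprint, never the subject name: the clone's subject is identical.
    return $sig.SignerCertificate.Thumbprint -eq $PinnedThumbprint
}

# Sign a throwaway script with each certificate and check it against the pin.
$file = Join-Path $env:TEMP 'pin-demo.ps1'
foreach ($cert in $original, $clone) {
    Set-Content -Path $file -Value 'Write-Output "demo"'
    Set-AuthenticodeSignature -FilePath $file -Certificate $cert -HashAlgorithm SHA256 | Out-Null
    '{0}  subject={1}  pinned-match={2}' -f $cert.Thumbprint, $cert.Subject,
        (Test-PinnedSigner -Path $file -PinnedThumbprint $pinned)
}

# Clean up the demo certificates and file.
$original, $clone | ForEach-Object { Remove-Item "Cert:\CurrentUser\My\$($_.Thumbprint)" }
Remove-Item $file
```

Both output lines show the same subject; only the first reports `pinned-match=True`.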


JonasS

Re: Code-sign certificate
« Reply #7 on: January 17, 2020, 08:59:15 PM »
Hi AW,
It looks great. I am also working on it but not much progress. :(

Hi jj2007,
My boss is the Government. They feel OK with that. :)