
I have to write a .NET application that should be exportable to .NET Framework 4.0.x, .NET Standard 2.0, and .NET Core 2.2 and that is able to sign .NET assemblies (EXE, DLL) using the Authenticode "format" with X509Certificate2 objects.

So far, I have found solutions which utilize the SignTool application, or the CryptUIWizDigitalSign API which uses the SignerSignEx API. Neither method is compatible with the project requirements. The assembly may be exportable to the targets mentioned in the first paragraph, but it does not work on an operating system other than Windows XP and above, or on non-desktop installations of Windows XP and above.

I know how to simply create signatures for blobs using .NET Framework/Standard/Core managed code, but simply appending the signature to an assembly would break the whole assembly, since there is no Authenticode markup.

Is there any Authenticode documentation on how the format is designed, so I can reimplement the format with managed code? What about the timestamping which is included in the Authenticode standard?

Or is there already a managed solution available that I simply haven't found yet?

The application has to be written in VB.NET or C#, so hints for both languages are welcome.

burnersk
  • What part is not working with the SignTool solution? I don't know about .NET Standards/Core, but SignTool should work for both native and .NET Framework apps on most Windows systems (I've used it for one of my applications and it works on both Windows 7 and 10). – Visual Vincent Feb 26 '19 at 13:20
  • @VisualVincent : SignTool uses the `SignerSignEx` API (the same API `CryptUIWizDigitalSign` uses). As per the documentation, `SignerSignEx` is only available for Microsoft Windows XP SP3 and above with the "Desktop Experience" feature enabled (non console-only installation). I need to be able to sign .NET assemblies from (not for) Mac OSX, Linux, and Windows (console-only installations). – burnersk Feb 27 '19 at 07:33
  • Ah, so you need it to be cross-platform... That explains why you wanted to implement it yourself (SignTool should work on any Windows installation though, not just XP). I don't know of any documentation for authenticode, but apparently [Mono has a cross-platform code signing tool](https://stackoverflow.com/a/18288049) that can be used on both Mac and Linux (and probably Windows as well). – Visual Vincent Feb 27 '19 at 11:24

0 Answers
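The PE-level framing the question is asking about, as an added example that is not part of the original question or of any answer. Authenticode does not sign the raw file bytes: it hashes the image with the optional header's CheckSum field, the Certificate Table data directory entry (index 4) and the certificate table itself excluded, and then stores a PKCS#7 SignedData in a WIN_CERTIFICATE structure appended to the file, pointed at by that directory entry (whose "VirtualAddress" is a file offset, not an RVA). The layout is documented in Microsoft's "Windows Authenticode Portable Executable Signature Format" specification. Python is used here because the byte offsets are language-neutral and the result can be checked offline; the same reads and writes map directly onto a BinaryReader/BinaryWriter in C# or VB.NET. The minimal PE32+ image and the 5-byte DER blob standing in for the real PKCS#7 SignedData are constructed here; no actual X.509 signing is performed.

```python
# Authenticode PE framing: the image hash the signature covers, and the
# Certificate Table (WIN_CERTIFICATE entries). Added illustration; sample image
# and the placeholder DER blob are constructed, not taken from a real binary.
import hashlib
import struct

OPT_MAGIC_PE32, OPT_MAGIC_PE32PLUS = 0x10B, 0x20B
CERT_DIR_INDEX = 4                       # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate holds a PKCS#7 SignedData


def pe_layout(data):
    """Locate the section table, the CheckSum field and the Certificate Table entry."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == OPT_MAGIC_PE32:      # data directories follow NumberOfRvaAndSizes
        ndirs, dirs = struct.unpack_from("<I", data, opt + 92)[0], opt + 96
    elif magic == OPT_MAGIC_PE32PLUS:
        ndirs, dirs = struct.unpack_from("<I", data, opt + 108)[0], opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    if ndirs <= CERT_DIR_INDEX:
        raise ValueError("image has no Certificate Table directory entry")
    return {"sections": opt + opt_size, "nsec": nsec,
            "checksum": opt + 64,                     # IMAGE_OPTIONAL_HEADER.CheckSum
            "cert_entry": dirs + 8 * CERT_DIR_INDEX,  # {file offset, size} of the table
            "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0]}


def authenticode_hash(data, algo="sha256"):
    """Hash the image as Authenticode does: skip CheckSum, the Certificate Table
    directory entry and the certificate table, hash sections in file order."""
    lay = pe_layout(data)
    cert_size = struct.unpack_from("<I", data, lay["cert_entry"] + 4)[0]
    h = hashlib.new(algo)
    h.update(data[:lay["checksum"]])
    h.update(data[lay["checksum"] + 4:lay["cert_entry"]])
    h.update(data[lay["cert_entry"] + 8:lay["size_of_headers"]])
    hashed = lay["size_of_headers"]
    secs = []
    for i in range(lay["nsec"]):     # SizeOfRawData / PointerToRawData at +16 / +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, lay["sections"] + 40 * i + 16)
        if raw_size:
            secs.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(secs):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    extra = len(data) - cert_size - hashed   # overlay and alignment padding, if any
    if extra > 0:
        h.update(data[hashed:hashed + extra])
    return h.hexdigest()


def parse_certificate_table(data):
    """Walk the Certificate Table: [(wRevision, wCertificateType, bCertificate), ...]."""
    table_off, table_size = struct.unpack_from("<II", data, pe_layout(data)["cert_entry"])
    entries, pos, end = [], table_off, table_off + table_size
    while pos + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", data, pos)   # WIN_CERTIFICATE header
        if length < 8 or pos + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE at %#x" % pos)
        entries.append((rev, ctype, data[pos + 8:pos + length]))
        pos += (length + 7) & ~7     # entries are 8-byte aligned
    return entries


def attach_certificate(data, pkcs7_der):
    """Append one WIN_CERTIFICATE and point the Certificate Table entry at it.
    Padding to an 8-byte boundary lands inside the hashed region, so hash after padding."""
    out = bytearray(data) + b"\0" * (-len(data) % 8)
    entry = struct.pack("<IHH", 8 + len(pkcs7_der), WIN_CERT_REVISION_2_0,
                        WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7_der
    entry += b"\0" * (-len(entry) % 8)
    struct.pack_into("<II", out, pe_layout(data)["cert_entry"], len(out), len(entry))
    return bytes(out + entry)


def build_sample_image(code=b"\xC3" * 16):
    """Constructed minimal PE32+ image: 0x200 bytes of headers plus one .text section."""
    align = hdr_size = 0x200
    raw_size = -(-len(code) // align) * align
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, OPT_MAGIC_PE32PLUS)
    struct.pack_into("<II", opt, 32, 0x1000, align)     # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, hdr_size)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                # NumberOfRvaAndSizes
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, raw_size, hdr_size,
                      0, 0, 0, 0, 0x60000020)
    hdr = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(hdr_size, b"\0")
    return hdr + code.ljust(raw_size, b"\0")


if __name__ == "__main__":
    image = build_sample_image()
    signed = attach_certificate(image, b"\x30\x03\x02\x01\x00")  # placeholder DER, not a signature
    print(authenticode_hash(image) == authenticode_hash(signed), parse_certificate_table(signed))
```

The property the example checks is the one that makes Authenticode work at all: the hash of the image is the same before and after the certificate table is appended (and after the CheckSum is rewritten), while a change to any section byte changes it. A managed signer would put this digest into the SpcIndirectDataContent that the PKCS#7 SignedData signs, and the timestamp the question mentions is a countersignature stored in the SignerInfo's unsigned attributes inside that same SignedData, so adding it later does not disturb the file hash.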