
One of my .dll files is unsigned, and every single time I run the program that uses it, it pops up with this warning:

[screenshot: the "Open File - Security Warning" popup]

I've tried to edit the following registry key to include both .exe and .dll files, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes, but it still gives me the warning. How can I get rid of this? I don't mind if I have to disable the warning globally or anything, I'm just sick of seeing it. And to be clear, this file is not on a network share or anything; it's just on my hard drive.

I'm running the latest build (not Insider) of Windows 10 Home by the way.

1 Answer


The simplest solution is to create a self-signed CA (Certificate Authority), use it to sign a code signing cert, and then sign BPSRegWD64.dll with that cert (provided you 100% trust that library).


Use openssl to create the CA and code signing cert, then SignTool.exe to sign BPSRegWD64.dll

  1. Install OpenVPN, ensuring C:\Program Files\OpenVPN\bin is added to the System PATH
    OpenSSL doesn't provide Windows binaries, so it's simpler to install software it's bundled with

  2. Download this openssl.cnf to Create Required Certs (KU and EKU info):
    Save as %UserProfile%\Documents\SSL\openssl.cnf; req. commands/info begin on Line 430

    1. Create required directories and files for OpenSSL via a PowerShell terminal:
      WinKey+R > Open: Powershell > OK

      # Create PowerShell variable for $docs:
        $docs = [Environment]::GetFolderPath("MyDocuments")
      
      # Create OpenSSL Directories (MkDir also creates the parent SSL directory)
        MkDir "$docs\SSL\ca"
        MkDir "$docs\SSL\cert"
        MkDir "$docs\SSL\crl"
        MkDir "$docs\SSL\csr"
        MkDir "$docs\SSL\key"
        MkDir "$docs\SSL\p12"
      
      # Create File: crlnumber
      # (Set-Content -Encoding Ascii rather than "Echo 01 > file": Windows PowerShell's > redirection
      #  writes UTF-16 with a byte-order mark, which OpenSSL cannot read as a serial number)
        Set-Content -Path "$docs\SSL\crl\crlnumber" -Value "01" -Encoding Ascii
      
      # Create File: index (empty)
        New-Item -Path "$docs\SSL\index" -ItemType File | Out-Null
      
      # Create File: rand (empty)
        New-Item -Path "$docs\SSL\rand" -ItemType File | Out-Null
      
      # Create File: serial (read by -CAserial in step 2.4)
        Set-Content -Path "$docs\SSL\serial" -Value "00" -Encoding Ascii
      
      # Enter SSL Directory
        Cd "$docs\SSL"
      
    2. Generate self-signed CA:

      OpenSSL req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ".\ca\CA.key.pem" -out ".\ca\CA.crt.pem" -config ".\openssl.cnf" -extensions v3_signing_ica
      

      CA key should have a secure passphrase of at least 20 characters, containing at minimum:
      2 uppercase letters, 2 lowercase letters, 2 numbers, and 2 symbols

    3. Generate the CSR (Certificate Signing Request) for the Signing Cert:
      Modify openssl.cnf Line 244 (email.1 = user@email.com) with user's email, then:

      OpenSSL req -out ".\csr\Signing.csr" -new -days 3650 -sha512 -newkey rsa:2048 -keyout ".\key\Signing.key.pem" -config ".\openssl.cnf" -extensions v3_codesign
      

      Cert key should have a secure passphrase of at least 16 characters, in line with #2.2

    4. Sign the Signing Cert with the CA:

      OpenSSL x509 -req -sha512 -days 3650 -in ".\csr\Signing.csr" -CA ".\ca\CA.crt.pem" -CAkey ".\ca\CA.key.pem" -CAserial .\serial -out ".\cert\Signing.crt.pem" -extfile ".\openssl.cnf" -extensions v3_codesign
      
    5. Export the Signing cert as a PKCS12 cert:

      OpenSSL pkcs12 -export -out ".\p12\Signing.p12" -inkey ".\key\Signing.key.pem" -in ".\cert\Signing.crt.pem" -certfile ".\ca\CA.crt.pem"
      

      PKCS12 should have a secure passphrase of at least 16 characters, in line with #2.2

  3. Import Certs into Cert Manager (certmgr.msc):

    1. Register .pem Extension as a Valid Certificate:
      Open an Admin Terminal via: WinKey+R > Open: Powershell > CTRL+SHIFT > OK

      Reg ADD "HKCR\.pem" /T REG_SZ /d CERfile ; Reg ADD "HKCR\.pem" /V "Content Type" /T REG_SZ /D application/x-x509-ca-cert ; Pause ; Exit
      
    2. Import CA as a Trusted Root Certificate Authority:
      Right-click CA.crt.pem > Install Certificate > Local Machine > Next > Approve UAC >
      Place all certificates in the following store > Browse... > Trusted Root Certification Authorities
      OK > Next > Finish
    3. Import PKCS12 as a Personal Certificate:
      Right-click Signing.p12 > Install PFX > Current User > Next > Filename:
      %UserProfile%\Documents\SSL\p12\Signing.p12 > Next > Enter passphrase > Next > OK

  4. Sign BPSRegWD64.dll via:

    1. Set-AuthenticodeSignature:

      1. Create Sign.ps1 script:

        # Write the script with a single-quoted here-string so PowerShell does not expand the
        # variables and cmd.exe never sees the multi-line text; the closing '@ must start in column 1
        @'
        #
                ##::[[---  PowerShell Signing Script  ---]]::##
        
            # Parameters #
        #----------------------------------------------------------------
        
        # Error if no file is specified:
          param([string] $file=$(throw "Please specify the path of the file to sign."))
        
        # Auto-select the user's code signing certificate (first one if several are installed):
          $Cert = Get-ChildItem -Path "Cert:\CurrentUser\My" -CodeSigningCert | Select-Object -First 1
        
        # SHA256 TimeStamp server:
          $timeStampURL = "http://sha256timestamp.ws.symantec.com/sha256/timestamp"
        
        
            # Script #
        #----------------------------------------------------------------
        if($Cert) {
            Set-AuthenticodeSignature -FilePath $file -Certificate $Cert -HashAlgorithm SHA256 -TimestampServer $timeStampURL
        }
        else {
            throw "Did not find a code signing certificate in Cert:\CurrentUser\My"
        }
'@ | Set-Content -Path "C:\Sign.ps1"
        
      2. Execute Sign.ps1:

        C:\Sign.ps1 "C:\Path\to\BPSRegWD64.dll"
        


    2. SignTool.exe:

      1. Install the Windows SDK: Signing Tools for Desktop Apps:
        Ensure path to SignTool.exe is added to the System PATH:
        • Control Panel\All Control Panel Items\System > Adv. system settings >
          Env Variables > System Variables > Path > Edit > New > signtool.exe path >
          OK > OK > OK
          Example path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64

          There are certain file extensions PowerShell's Set-AuthenticodeSignature can sign that SignTool cannot, and vice versa, but I'm unsure which can and cannot sign what files, so it's best to also install the SDK's SignTool.
      2. Execute SignTool.exe:

        SignTool Sign /S My /FD SHA256 /TD SHA256 /TR "http://sha256timestamp.ws.symantec.com/sha256/timestamp" "C:\Path\to\BPSRegWD64.dll"
        
JW0914
  • 9,096
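An added example, not code from JW0914's answer: a PowerShell script that signs a file with the personal code signing certificate imported in step 3.3, then re-reads the signature from disk and reports whether the chain builds to a trusted root, which is what separates a merely signed file from one Windows will trust. The function names, the -SubjectFilter parameter and the file path are assumptions.

```powershell
# Added example, not code from the original answer. Signs a file with the personal code
# signing certificate imported in step 3.3, then re-reads the signature and reports whether
# the chain builds to a trusted root. Function names, -SubjectFilter and the path are assumptions.

function Get-CodeSigningCert {
    param([string] $SubjectFilter)
    # Code signing certificates in the user's Personal store that have a private key and are not expired
    $certs = @(Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) })
    if ($SubjectFilter) { $certs = @($certs | Where-Object { $_.Subject -like "*$SubjectFilter*" }) }
    if ($certs.Count -eq 0) { throw "No usable code signing certificate in Cert:\CurrentUser\My" }
    if ($certs.Count -gt 1) {
        throw "Several code signing certificates match; pass -SubjectFilter to pick one: $($certs.Subject -join '; ')"
    }
    return $certs[0]
}

function Invoke-SignAndVerify {
    param(
        [Parameter(Mandatory = $true)][string] $FilePath,
        [string] $SubjectFilter,
        # Timestamp server from the answer; an RFC 3161 timestamp keeps the signature valid after the cert expires
        [string] $TimestampServer = "http://sha256timestamp.ws.symantec.com/sha256/timestamp"
    )
    $cert = Get-CodeSigningCert -SubjectFilter $SubjectFilter
    $signed = Set-AuthenticodeSignature -FilePath $FilePath -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $TimestampServer
    if ($signed.Status -eq 'NotSigned' -or $signed.Status -eq 'NotSupportedFileFormat') {
        throw "Signing failed: $($signed.StatusMessage)"
    }
    # Re-read the signature from disk so the verdict does not depend on the signing call
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    [pscustomobject]@{
        File        = $FilePath
        Status      = $sig.Status            # Valid, UnknownError, HashMismatch, NotSigned, ...
        Message     = $sig.StatusMessage
        Signer      = $sig.SignerCertificate.Thumbprint
        Timestamped = [bool] $sig.TimeStamperCertificate
        # Valid means the chain ends in a root this machine trusts; UnknownError with a
        # "terminated in a root certificate which is not trusted" message means the CA
        # from step 3.2 is missing from Trusted Root Certification Authorities
        RootTrusted = ($sig.Status -eq 'Valid')
    }
}

# Usage with a placeholder path:
Invoke-SignAndVerify -FilePath "C:\Path\to\BPSRegWD64.dll" | Format-List
```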