Signing object code with a StartSSL certificate: the steps, from paying to receiving the certificate to signing


    Greetings! I want to share my experience of obtaining a certificate for signing object code. Many articles and posts have been written about digital signatures and about the budget-friendly StartSSL. I decided to spend almost $60, go down this route and share the experience with the community.
    Everything below relates solely to my personal experience and applies to Windows.

    Startssl


    Step one - obtaining a personal certificate. On the website www.startssl.com you log in to your personal account with a client certificate. On the main page, click "Sign-up" and fill in all the fields. You receive a personal certificate and install it. I immediately ran into a problem: it works correctly only in Mozilla Firefox; in other browsers there are problems logging into the account. Make a backup copy of the certificate and save it to external media.
    Certificate in browser


    Step two - proof of identity, class 2. This step requires payment; in fact, it is a mandatory item for obtaining the certificate. Quote from the site: "The cost of checking individuals and organizations is US $59.90 per check." At this stage you need to provide copies of documents: a passport and a driver's licence, if you have one; they may ask for further documents during the correspondence. I was asked for some document with a seal and my passport data. I paid through PayPal; under "Tool Box" - "Add Credit Card | Paypal | Ticket" you can choose from several payment methods. They issue an invoice and wait for payment. Once payment is confirmed, a registered letter with a verification code is sent by post. This is the longest stage: the letter takes about a month. A notification that it has been posted arrives by e-mail. After 3 weeks,
    The letter's route through Russia


    The letter itself



    Step three - confirming the code from the received letter: "Tool Box" - "Submit Verification Code".

    Enter the letter number and the confirmation code. If everything is correct, we are congratulated and asked to wait up to 6 hours.

    After a while, we receive a letter with the contents:
    "Congratulations! Your Class 2 Identity Validation has been confirmed and approved. You are eligible for certificates at Class 2 level until 2015-10-04." - Bingo!!! Now it is possible to obtain the long-awaited code signing certificate!

    Personal Identification Card

    Step four. I asked support in advance how to make a signature, and they sent me a link to the forum.
    At first I tried to do everything according to the first set of instructions, without success. In order:

    Files I needed:
    1. OpenSSL for Windows, version 0.9.8 or higher. I used OpenSSL version 1.0.1, 32-bit, the full package.
    2. signtool.exe, a utility from the .NET Framework. I downloaded it separately from somewhere on the Internet.

    Install OpenSSL. The default path for me is C:\OpenSSL-Win32\bin; this folder contains the binaries needed to create the certificate. Then open a command prompt, change to this folder, run openssl.exe and at its prompt enter:

    req -new -newkey rsa:4096 -nodes -keyout codesign_privatekey.pem -out codesign_certificate_request.csr


    In the process you will be asked the following questions:
    1. Country, 2 letters - in our case: RU
    2. State or province - full name.
    3. City.
    4. Organization name.
    5. Organizational unit name.
    6. Domain name or your name (the Common Name).
    7. E-mail address.
    - the rest can be left blank.
    To leave a field blank, you can enter a dot in place of the value.
    You do not have to set a password on the private key; in fact, it is not recommended. I set one anyway because I read the instructions poorly, but I noticed no problems. The main thing is not to forget the password, because the certificate is issued only once.

    In the current folder, in my case C:\OpenSSL-Win32\bin, two new files will appear:
    codesign_privatekey.pem - the private key.
    codesign_certificate_request.csr - the certificate request file.
    Both files can be opened with a text editor. We need codesign_certificate_request.csr: open it with a text editor, for example Notepad, and copy its entire contents to the clipboard.
    On the website www.startssl.com go to the "Certificates Wizard" section (some items only appear once you are validated) and in the "Certificate Target:" field select "Object Code Signing Certificate" from the drop-down menu. A window will open where you paste the text copied earlier. Press the button to continue. Again we see a notice asking us to wait a few hours until the request is verified. After verification, a notification with congratulations arrives by mail. Now you can retrieve the certificate under "Tool Box" - "Retrieve Certificate": select your certificate, click Next and copy all the text from the "Certificate:" field, then save it to a text file, for example codesign_certificate.crt. Then run OpenSSL again from the command prompt:

    openssl pkcs12 -export -out codesign.pfx -inkey codesign_privatekey.pem -in codesign_certificate.crt

    You will be asked for the private key password, if you set one; enter it. Then it asks for an export password for the key - leave it blank.
    A further file, codesign.pfx, is created; this is the file we will sign programs with.
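Before running the pkcs12 export, as an added example that is not part of the original post, here is a PowerShell check that the private key, the CSR you pasted and the certificate StartSSL returned all belong to the same RSA key and that the certificate carries the Code Signing extended key usage; it assumes openssl.exe is on PATH and the file names used above.

```powershell
# Added example, not from the original post: consistency checks before packing codesign.pfx.
# Assumes openssl.exe is on PATH (e.g. C:\OpenSSL-Win32\bin) and the file names used in the post.
$Key  = 'codesign_privatekey.pem'
$Csr  = 'codesign_certificate_request.csr'
$Cert = 'codesign_certificate.crt'

function Get-RsaModulus([string[]]$OpenSslArgs) {
    # openssl prints "Modulus=<hex>"; an identical modulus means an identical RSA key
    $line = (& openssl @OpenSslArgs | Select-String '^Modulus=' | Select-Object -First 1).Line
    if (-not $line) { throw "openssl produced no modulus for: $($OpenSslArgs -join ' ')" }
    return $line.Substring('Modulus='.Length)
}

# The key (you are prompted for the passphrase if you set one), the CSR and the issued certificate
$keyMod  = Get-RsaModulus @('rsa',  '-noout', '-modulus', '-in', $Key)
$csrMod  = Get-RsaModulus @('req',  '-noout', '-modulus', '-in', $Csr)
$certMod = Get-RsaModulus @('x509', '-noout', '-modulus', '-in', $Cert)
if ($keyMod -ne $csrMod)  { throw 'The CSR was not generated from this private key' }
if ($keyMod -ne $certMod) { throw 'The issued certificate does not match this private key' }

# The certificate must carry the Code Signing EKU, otherwise Windows will not accept the signature
$x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path $Cert).Path
$ekuExt = $x509.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$codeSigning = $ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' }
if (-not $codeSigning) { throw 'Certificate lacks the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3)' }
if ($x509.NotAfter -lt (Get-Date)) { throw "Certificate already expired on $($x509.NotAfter)" }
"OK: $($x509.Subject), valid until $($x509.NotAfter)"

# Only now pack key and certificate into the PFX that signtool will use (same command as in the post)
& openssl pkcs12 -export -out codesign.pfx -inkey $Key -in $Cert
```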

    Step five, the final one.

    Now we have codesign.pfx; it contains everything we need to digitally sign a file.

    To sign a file, run a command like this:
    signtool.exe sign /d "%Project name%" /du "%http://YourSite%" /f "codesign.pfx" /t "http://timestamp.verisign.com/scripts/timestamp.dll" /v "%path to your file%"

    Naturally, the fields must be filled in according to your needs.

    At first I had a problem when trying to sign the file: it turned out that the signtool.exe utility needs capicom.dll. After installation you may have to register this library in the system: run the command prompt as Administrator, change to the folder where capicom.dll is located and execute
    regsvr32 capicom.dll
    - after that, everything started working and the files were signed.

    Screenshots of the signed file:

    For convenience, I wrote a small utility in which you can specify all the data and files and sign in batches.
    This certificate is created once, for one year. The signature is valid on Windows XP SP3 and later.

    With this signature you can sign programs, DLLs and services. It is not suitable for signing drivers.
    Do you need a digital signature or not? That is for everyone to decide. For example, some antiviruses mercilessly delete any unknown program from a flash drive, which has happened in my practice; their behaviour may change when they see that the file has a signature.
    You need $60 and a month of time, and you are the happy owner of a digital signature.
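As an added example (not the author's batch utility and not code from the original post), a PowerShell script that signs every file in a folder with signtool, then verifies each result with Get-AuthenticodeSignature and checks that a timestamp counter-signature is present; it assumes signtool.exe is on PATH and uses a constructed .\release folder as input.

```powershell
# Added example, not from the original post: sign a batch of files with codesign.pfx and verify each one.
# Assumes PowerShell 3.0+, signtool.exe on PATH and codesign.pfx built as in the post (blank export password).
$Pfx       = 'codesign.pfx'
$Timestamp = 'http://timestamp.verisign.com/scripts/timestamp.dll'   # the /t server from the post; replace with one still in service
$Files     = Get-ChildItem -Path .\release\* -Include *.exe, *.dll | ForEach-Object FullName   # constructed input folder

$results = foreach ($f in $Files) {
    # /t adds a timestamp counter-signature: without it the signature stops validating when the
    # one-year certificate expires; with it Windows checks the certificate against the signing time.
    & signtool.exe sign /f $Pfx /t $Timestamp /v $f
    $signed = ($LASTEXITCODE -eq 0)

    # Verify what actually landed in the file, not just signtool's exit code
    $sig = Get-AuthenticodeSignature -FilePath $f
    [pscustomobject]@{
        File        = Split-Path $f -Leaf
        Signed      = $signed
        Status      = $sig.Status                          # Valid only if the chain to the root is trusted on this machine
        Signer      = $sig.SignerCertificate.Thumbprint
        Timestamped = [bool]$sig.TimeStamperCertificate    # $false means no counter-signature was added
        ExpiresOn   = $sig.SignerCertificate.NotAfter
    }
}

$results | Format-Table -AutoSize
$bad = $results | Where-Object { -not $_.Signed -or $_.Status -ne 'Valid' -or -not $_.Timestamped }
if ($bad) { throw "Problems with: $($bad.File -join ', ')" }
```

Status reads Valid only where the issuing CA chain is trusted, so repeat the check on a clean machine rather than only on the one holding the PFX.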

    But you need to understand: if the certificate is not used for peaceful purposes, it can be revoked and the signature will cease to be valid.

    If you have questions, you are welcome in the comments; I will help as much as I can. If you find errors, write me a private message.
    I hope this post helps those who are in doubt and hesitate to take such a step.
