WIXLIB

D r. D o b b ’s C o d e S i g n i n gYou should see output similar to the following (although muchof it has been omitted in the interest of space):5008 Thu Jul 08 23:29:20 EDT 2010 META-INF/MANIFEST.MF5104 Thu Jul 08 23:37:26 EDT 2010 META-INF/MYKEY.SF1088 Thu Jul 08 23:37:26 EDT 2010 META-INF/MYKEY.DSAsmk6148 Thu May 13 21:49:42 EDT 2010 com/sun/javafx/runtime/.DS Storesmk462 Thu May 13 21:49:42 EDT 2010 com/sun/javafx/runtime/main/Main.classsmk804 Thu May 13 21:49:42 EDT 2010 libraryapp/AddBook 1.class.smk108 Thu May 13 21:49:42 EDT 2010 org/netbeans/javafx/design/md5sums.md5smki signature was verifiedentry is listed in manifestat least one certificate was found in keystoreat least one certificate was found in identity scopejar verified.You want to be sure that within the output, you see the messages that the signature was verified (the “s” message), the trustedFigur e 6: NetBeans will self-sign your JavaFX application after eachbuild.certificate was found in the keystore (the “k” line), and that thedigital signature (MYKEY.DSA certificate file) is indeed within thesigned JAR file.Using NetBeans to Sign JAR FilesWhen releasing signed JAR files for your application, rememberthat you need to follow these steps with each build. This canbecome tedious, error-prone, and time consuming. However,NetBeans will come to your rescue. For a JavaFX application project, for example, you simply choose “Self Signed Jar” in theApplication section of the Project Properties window, and NetBeanswill self-sign your JAR file each time it’s built (see Figure 6).This lengthens the build time somewhat, but there’s really noway around that if you want to test your JavaFX application withWeb Start or in a browser as an applet. When the developmentand testing phases are complete, and you’re ready to release yourapplication to the world, you’ll need to sign the JAR file(s) manually in order to use a real certificate authority, as opposed to selfsigning.The same process applies to any Java application (not justJavaFX), although the properties appear a slightly different. Again,open Project Properties, choose the Application entry, and select“Self Signed” under the Web Start page; see Figure 7.Once again, you’ll need to use a real certificate authority to signyour Java application’s JAR files if you wish to ensure security forWeb Start users. Doing so builds confidence, and helps ensureyour code will reach a wider audience via the Web. Proving yourself as a trusted source with certificate authorities such as Verisign,for example, will build instant trust with your customers.ConclusionThe process of creating digital certificates and applying them toany resource that can or needs to be distributed over the Internetis not as complicated a process as it may first appear. In fact, it’sa relatively simple process considering the security it provides.The Java SE JDK along with browser plug-ins come with all thetools needed to create digital signatures, sign JAR files withthem, and then use those artifacts to verify the integrity of thecontained code. Add NetBeans to your toolbox and it will saveyou a lot of accrued time by automating the signing process witheach build.— Eric J. Bruno is a Dr. Dobb’s Contributing Editor and theauthor of the books Java Messaging, Real-Time Java Programming,and JavaFX.Figur e 7: NetBeans will self-sign a Java application for Web Star tlaunching.DR. DOBB’S CODE SIGNINGRetur n to Table of Contents5www.drdobbs.com

D r. D o b b ’s C o d e S i g n i n gCode Signing and MicrosoftAuthenticodeEnsure the integrity and authenticity of code distributed over the InternetBy Joydip KanjilalThere is always a potential risk whendistributing (or receiving) code (orcontent) over the Internet, which istoo bad since, at minimum, users ofthe code (or content) should be able to trust thepublisher and its content. Thanks to the practiceof code signing and tools such as MicrosoftAuthenticode, developers can now thwart potential threats from the intruders.In this article, I examine code signing in lightof Microsoft’s Authenticode and howAuthenticode can be used to ensure integrity andauthenticity of code distributed over the Internet.In the process, I’ll examine digital signatures anddigital certificates and discuss how you can usethem with Authenticode technology.What is Code Signing?According to Wikipedia, code signing ‘is theprocess of digitally signing executables andscripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed by use of a cryptographic hash.”How do you make potential users of your software know that it is trusted? How can the usersof your software know whether the code theywould use in their systems is trustworthy? Codesigning lets you authenticate and protect yourcode and data. It can be used to prevent intrudersfrom distributing software in your name, thenhaving it downloaded and installed in user systems. In short, code signing reduces this potentialrisk and also authenticates the author, the distributor or the publisher of the code and data.DR. DOBB’S DIGEST6Code signing provides the following benefits: Authenticity Integrity ReliabilityAgain from Wikipedia: “Code signing can provide several valuable features. The most commonuse of code signing is to provide security whendeploying; in some languages, it can also be usedto help prevent namespace conflicts. Almostevery code signing implementation will providesome sort of digital signature mechanism to verify the identity of the author or build system, anda checksum to verify that the object has not beenmodified. It can also be used to provide versioning information about an object or to store othermeta data about an object.”Understanding Digital Signaturesand Digital CertificatesDigital signatures — created using public-key signature algorithms — help you to make softwaresafe to be downloaded and installed in user systems. A digital signature lets you distribute yourcode and data in a trusted manner, i.e., the usersof the software would come to know that thesource is trusted. Note that digital signaturesdon’t in any way alter the code or the data — theysimply make your software trusted for the endusers.Note that the most recent code signing utility from Microsoft is SignTool, a new version ofthe old SignCode utility. The SignTool.exe command-line tool can be used to digitally sign andwww.drdobbs.com

D r. D o b b ’s C o d e S i g n i n gverify signatures. You can find more details about this tool (VS.80).aspxDigital certificates are read-only structures, the content ofwhich can only be viewed and not altered. A certificate typicallycomprises of the following information: Issuer of the CertificateSubject of the CertificateDisplay NameDescription of the CertificateAllowed UsesPublic KeyExpiry dateCRL distribution pointThumbprint and thumbprint algorithmExtended error informationNote that out of the aforementioned information, you can editthe associated properties that comprise of the following: Display Name Description of the Certificate Allowed UsesIf you would like to create your own digital certificate, you canmake use of the makecert.exe command-line tool as shown in thiscode snippet:What is Microsoft Authenticode?Authenticode is a Microsoft technology that can be used to identify and authenticate the author or publisher of a particular program.It uses digital certificates and hashing algorithms to identify andauthenticate the author and publishers of such programs. Usage ofAuthenticode ensures the authenticity (the source of piece of software is trusted) and integrity (ensures that the software hasn’tbeen changed or tampered with since it was last published) of thesoftware. According to MSDN, “Microsoft Authenticode, which isbased on industry standards, allows developers to include information about themselves and their code with their programsthrough the use of digital signatures.” You can download theMicrosoft Authenticode SDK at .80).aspx#securityToolsAuthenticode consists of a set of programs that can be used todigitally sign code files. The files that can be signed usingAuthenticode include: .cab files.cat files.ctl files.dll files.exe files.ocxSome of the common Authenticode tools include:makecert.exe -sv TestKey.pvk -n ‘CN JK Techno Consultants PvtLimited.’ JK.cerOnce you type this command in the command window, thesetwo files would be created: TestKey.pvk JK.cerNow, you can use the cert2spc.exe command-line tool to convert the digital certificate JK.cer to a Software PublisherCertificate:cert2spc.exe JK.cer JK.spcIf you are using the signcode.exe tool, you would first need toimport the private key and software-publisher certificate in a single file. To do this, you can type the following in your commandwindow:pvk2pfx.exe -pvk TestKey.pvk -pi password -spc JK.spc -pfxJK.pfx -po password You can then use the signtool.exe command-line tool like this:signtool.exe sign /f JK.pfx /p password /t timestamp URL /v‘ file to be signed ’You can find further information on how to create, view, andmanage certificates at http://msdn.microsoft.com/en-us/library/aa379872(v VS.85).aspxDR. DOBB’S DIGEST tTo digitally sign a catalog file using Microsoft Authenticodetechnology, follow these steps:1. Obtain a digital certificate from the respective digital certificate authority.2. Download and Install the necessary CryptoAPI tools from Microsoft.3. Create a catalog file using thte MakeCat tool.4. Sign and Verify the catalog file using SignCode.Why Do You Need Microsoft Authenticode?Microsoft Authenticode Certificates let you digitally sign Windowsexecutable files and code that includes .dll, .cox, .cab and .xpi files.So, what is the benefit of digitally signing your code usingAuthenticode Certificates? Well, if your code is signed usingMicrosoft Authenticode Certificates, the users of this code wouldknow that it is being downloaded from a source that is trusted andno warning messages about downloading a piece of code that is nottrusted will appear in the web browser. In essence, with MicrosoftAuthenticode Certificates, you can digitally sign your piece of soft7www.drdobbs.com

D r. D o b b ’s C o d e S i g n i n gware, prove your identity, your brand, and also let the users knowthat the software is safe to be downloaded and installed in theirsystems.Once the software you are trying to use has a MicrosoftAuthenticode Digital ID, you won’t see the warning message;rather, the publisher’s name (because the publisher is already trusted) will be displayed when you are trying to use the file as inFigure 1.Is Signed Code Always Safe?So, should you trust any piece of software that is digitally signed?Well, that depends. If you trust the publisher of the software component, then it’s always fine to go ahead and use the software component in your system. Note that merely being digitally signeddoesn’t guarantee the authenticity of a software component. Thesafety and trustworthiness of the component depends entirely onthe user’s good opinion. Though code signing doesn’t guaranteethat the code is necessarily “safe” code, it does provide a way tosecure your code from potential hackers and also let the end usersknow that the source of the code is trusted. In essence, ccode signing does provide you a way to mitigate the security concerns to agreat extent.ConclusionCode signing using digital signatures helps software developers toinclude identifying information that makes the software trusted tousers. The end users of such software can then be confident ofusing the code in their systems since the source of the software isknown and trusted. Microsoft Authenticode is a technology that isused to mark your software as safe and secure for use.— Joydip is a Microsoft MVP and author of ASP.NET 4.0Programming among other books.Retur n to Table of ContentsFigur e 1DR. DOBB’S DIGEST8www.drdobbs.com

D r. D o b b ’s C o d e S i g n i n gQ&A: Code SigningWhat’s it all about?by Jonathan EricksonJeff Barto is a senior product manager forThawte. He recently took time to talk withDr. Dobb’s about a favorite topic of his —code signing.Dr. Dobb’s: What is code signing?Barto: Code signing creates a digital “shrinkwrap” to show customers the identity of the company responsible for the code, confirming that thecode has not been modified since being signed.This is in contrast to traditional software saleswhere software is purchased off the shelf, wherethe purchaser can confirm the source of the application and its integrity by simply examining thepackage (is the shrink-wrap still intact? has thebox been opened? have any seals been broken?).Code signing provides an electronic version ofthis examination experience to ensure the integrity of software delivered or used online.With code signing, a developer or softwarepublisher uses a private key to add a digital signature to code or content. Software platforms andapplications use the corresponding public key todecrypt the digital signature during download;next, they automatically compare the hash usedto sign the application against the hash on thedownloaded application. If the hashes do notmatch, the user will be notified that the code hasbeen modified or tampered with. (At the user’soption, signed code from a trusted source may beautomatically accepted or require the end user todecide whether or not to trust the code.Additionally, the user may choose to trust thecode once or always).Dr. Dobb’s: As a software developer, why shouldI care about code signing?DR. DOBB’S DIGEST9Barto: Organizations deploying software benefitgreatly from a business reputation that consumersand partners trust. That you are willing to signyour code sends a clear signal to its users that youwant to ensure its integrity and their safe usage.Further, because signed but altered code will causeerrors and warnings, the user will know that youare not likely the cause of the breach — dissociating you from the risk that the altered code presents, thereby maintaining and actually strengthening your trust relationship with the user.It is possible to sign code yourself, using certificates you create and issue, but there are significant drawbacks: while signing your code withyour own certificate ensures that the code has notbeen tampered with and that it comes from you,the certificate does not provide authentication ofwho you are — that can still be falsified. Forexample, self-signing your code is no protectionagainst a malicious party distributing malwarethat pretends to be from you. Moreover, whensoftware platforms and applications verify thedigital signature for the code, they double-checkagainst a “root” certificate to determine whetheror not to trust whoever issued the certificate.Even if the code has not been tampered with,there’s no guarantee that the browser or application will know who issued the self-signed codewithout you having to additionally deploy andinstall a certificate root hierarchy to support yourdigital signature; without this installed hierarchy,errors or warnings will result — which diametrically counteracts your efforts to instill trust.An established third-party certificationauthority (CA) is more trusted than a self-signedcertificate because the certificate requestor had togo through the CA’s independent validationprocess.www.drdobbs.com

D r. D o b b ’s C o d e S i g n i n gDr. Dobb’s: How does code signing work?Barto: With a Thawte code signing certificate, the developer signs all code with the same digital signature using public key cryptography.1.2.3.4.A developer or software publisher uses a code signing certificate to add a digital signature to code or content using a unique private key.The content is uploaded to a web site or mobile network, or is otherwise made available for download.When a user downloads or encounters the code, the user’s system software or application uses a public key to decrypt the signature.The system compares the hash used to sign the application against the hash on the downloaded application, then determines whether to warnthe end user, not allow the download, or allow the download without interruption (depending on the platform, application, and client security settings).Different software platforms have different requirements and different tools for signing code. Thawte offers code signing certificatesfor Microsoft Authenticode, Sun Java, Microsoft Office and VBA, Adobe AIR, Macromedia Shockwave, and Authentic IDs for BREW.Dr. Dobb’s: Is code signing language specific?Barto: No.Dr. Dobb’s: What does timestamping have to do with code signing?Barto: A timestamp option shows when code was signed, allowing customers to verify that the code signing certificate was valid at thetime of the digital signature.Dr. Dobb’s: Is it more important to code sign some types of applications (say, e-commerce) than others (such as games)?Barto: No. For optimal security and user trust, all code should be signed. A code signing certificate generates a digital signature thatprovides authentication of the code source and assurance of code integrity. Increasingly, operating systems, software applications,devices, and mobile networks require a digital signature to ensure that the code will not harm or interrupt services.Dr. Dobb’s: What kind of guarantees, if any, come with code signing?Barto: Code signing provides the customer with forewarning of potentially malicious code. Digital signatures contain proof of the content integrity so customers know that the code has not been altered. If the hash used to sign the application does not match the hash ona downloaded application, a security warning will alert the end user or access will be denied. In other words, if a single bit of the codeis modified, code signing will detect the change and warn the customer.Dr. Dobb’s: Does code signing relieve developers of any liability?Barto: As there is no sure-fire way to eliminate 100% of malicious code, code signing materially increases the possibility that code whichis altered during distribution or delivery will be identified and stopped before affecting a user. Because code signing addresses code afterit is published or moved to production, it cannot prevent malicious code from being produced in the first place — hence code signingprevents tampering, but cannot relieve developers of all liability.Dr. Dobb’s: When must developers opt for code signing? Before coding begins?Barto: Developers may use code signing throughout the development, testing, and staging process and again when the finished code ispublished or moved to production.Dr. Dobb’s: Can users apply code signing after the fact?Barto: Original, authentic code can be signed at any time in order to replace unsigned code. However, such that users are not caughtoff-guard, code signing is best done before any first-time deployment, whether that deployment is internal or external.Retur n to Table of ContentsDR. DOBB’S DIGEST10www.drdobbs.com

D r. D o b b ’s C o d e S i g n i n gMaking .NET AssembliesTamper ResistantA strong name for a .NET assembly wards off intrudersBy Richard GrimesTrojans causing havoc usually spreadthrough e-mail, relying on users inadvertently executing attachments. Suchmalware uses the e-mail to hide itself,although often not very well. Some malware ismore devious and comes to your machine byinfecting files you trust. Users often “share” applications through peer-to-peer file-sharing systems,creating an open opportunity for attackers to posta well-known application with viruses attached.Executing such applications runs viruses that canreplicate by searching for similar files on yourhard disk and attaching to new files to be sharedwith other people. Such infections work because itis possible to change application files. In this article, I go into the .NET file structure and show youhow .NET prevents such alterations from beingperformed on your .NET assemblies.HashesAs a reaction to virus infections, some softwarepublishers provide a message digest for each file.A digest is a one-way hash of the contents of thefile. This generates a large number (128 bits forMD5 or 160 bits for SHA) that is essentiallyunique to the file. It is possible (although unlikely) that you could create the same hash for twofiles. However, finding two files that differ only inthe rogue code provided by virus writers isextremely unlikely. In any case

DR. DOBB'S CODE SIGNING 2 www.drdobbs.com Dr. Dobb's Code Signing Java Code Signing E xecutable objects, whether they're scripts, executable files, or bytecode of some sort, pose a potential security risk if you're not sure of their origin or integrity. To guard against this risk, you need to be certain that: Authors are who they .