Code Signing: Microsoft Authenticode

Global Support Centre > Code Signing > MS Authenticode

PART 1: Set up a directory for signing

Create a top-level directory for the signing. Within that directory, create a subdirectory containing all the .class files for your applet (if you have several class files). Within the subdirectory, place copies of all .class files in their directories. Top level .class files should be right inside this directory, and all package .class files should be in subdirectories with the package names.

PART 2: Create the CAB file

Gather all your files in a cab file. To do so on the command prompt type the following command:

cabarc -s 6144 N Sample.cab Sample.class

or

cabarc -r -p -s 6144 N Sample.cab c:\Myfiles\*.*

PART 3: Signing your files

  1. Using The command prompt
    • Signcode –cn “GlobalSign” test.exe
      (Replace GlobalSign by your CN (common name)).
    • This can be found in internet explorer in Tools > Internet Options > Content > Certificates > click on your objectsign certificate > View > Details > Item Subject.
  2. Using the Digital Signature Wizard
    • The Digital Signature Wizard is a graphical user interface (GUI) to run SignCode.exe. The wizard can be used instead of the command prompt.
    • The Digital Signature Wizard provides the following options:
    1. Selecting and using a specific certificate to sign a file.
    2. Selecting and using a specific private key.
    3. Selecting a key type.
    4. Selecting a hash algorithm for the signature.
    5. Adding a timestamp to the signed file.
  3. The Digital Signature Wizard is a CryptoAPI Tool available with Internet Explorer 5.0+ and Microsoft® Windows NT® version 4.0 SP4 or later. The wizard can be started by calling the SignCode.exe utility with no options from the command prompt
  4. When launching signcode, you get this following window:

    5. 1

  5. Click Next

    6. 2

  6. Here browse or enter the file path to be signed, click Next

    7. 3

  7. Here you have 2 options, let's proceed with Typical first, click Next:

    8. 4

  8. Click on Select from Store:

    9. 5

  9. Choose your ObjectSign Certificate and click OK:

    10. 6

  10. Here you still have the option to view your certificate, click Next:
  11. On the following screen you have the option to enter a description or/and a web location.

    12. 7

  12. Click Next:

    13. 8

  13. Here you have the possibility to add a timestamp. Click Next:

    14. 9

  14. That is the summary, click Finish:

    15. 1

  15. Now we come back to Signing Options screen to choose Custom:

    16. 2

  16. Click Next

    17. 3

  17. Select from Store

    18. 4

  18. Click Next

    19. 5

  19. The Second Option is automatically selected as the Private key is in the IE Certificate Store, click Next

    20. 6

  20. Select a hash algorithm and click Next

    21. 7

  21. Leave the default options, all certificates in the certification path, including the root certificate, and no additional certificates, click Next

    22. 8

  22. The following options are exactly the same as the previous ones.

PART 4: Verifying the signed archive

The first time you create a signed archive you'll want to verify it. Do this using chktrust:

chktrust SimpleEdit.cab If the archive is signed properly, you'll get a “Security Warning” dialog asking if you want to install and run “Super Duper Applet”, which was signed by you (signature verified by your CA). If not, you won't.

PART 5: Installing the signed archive

Put the signed .cab archive into the web server directory containing the main class of your applet. Change the .html file that invokes the applet so that it mentions the archive:

  • <title>GlobalSign Signed Applet</title>
  • <hr>
  • <applet code="Sample.class" ARCHIVE="Sample.jar" width=600 height=350>
  • <param name="CABBASE" value="Sample.cab">
  • </applet>
  • <hr>

Note: If you need to have an applet with multiple .cab archives, you can use the CABINETS applet parameter:

<param name="CABINETS" value="MyApplet.cab,MyApplet2.cab">

PART 6: Installing Signed applets for both Internet Explorer and Netscape

Once you've created both .cab (Internet Explorer) and .jar (Netscape) archives for a given applet, you can use both in the same piece of HTML code; each browser will select the archive it understands. Use code like this: