|
|
|
|
|
Software Publishing Continued from Clients You can also use certificates to sign published software packages for distribution through the Web. As you might expect (considering the potential for liability), a commercial certificate for doing this can be expensive. Another option, of course, is to use CertSrv 1.0, which is likely to be a much more cost-effective solution if the package will be distributed internally. From experience, it is much simpler to use file-based certificates and private keys than to use them in other storage locations. Of course, putting your private key in a file has important security ramifications. On the other hand, doing so also facilitates backing up the certificate and moving it to other machines--handy, because a damaged or lost private key cannot possibly be recreated. You can also export certificates from a store to a file. The following command exports the certificate named signcode--actually, it exports the complete chain of certificates including CA certificates--to a file: certmgr -put -7 -c -n "signcode" -s my TestSign.spc Assuming you've got a code-signing certificate, you are now ready to sign your executable or CAB file using the Signcode.exe utility that comes with the Windows Platform SDK. With file-based parameters, you will need to supply filenames for SPC and PVK files. The SPC file is a PKCS7 message containing multiple certificates in a chain and the PVK file contains the private key. If you just want to experiment with this utility, make a copy of Notepad.exe and call it--for example--Foo.exe. Of course, you should not redistribute this file. Assuming all the files are in the current directory, then, enter: signcode foo.exe -spc testsign.spc -v testsign.pvk -n "Spiffy Program"where the -n parameter is used to specify a program name to appear in the certificate dialog. You should receive a confirmation that the file was signed, but not time-stamped. Time-stamping lets a software publisher specify that a particular program is "valid" even after the certificate used to sign the program is no longer valid. VeriSign operates a time-stamping server for its customer, but CertSrv 1.0 does not include this service (it will be in CertSrv 2.0). If the certificate and private key are in a system store, use a command like: signcode foo.exe -cn "signcode" -n "Spiffy Program" To see the trust dialog that users will see when they attempt to download and install your program, use Chktrust.exe, another SDK utility. The command chktrust foo.exe should produce a dialog similar to that in Figure 2. This dialog gives your users the option to install and run your program and to trust all content published using the same certificate. Choosing this option lets users install and run other programs you publish without seeing this dialog again.
Next: Not Just Microsoft Published as PC Tech Feature in the 4/20/99 issue of PC Magazine. Related Links |
||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||
| TOP | 
Copyright (c) 1999 Ziff-Davis Inc. |
