Working with signcode, makecert, etc.

Posted on 2005-04-07
Last Modified: 2012-06-22
dear sir,
i have a .cab file, i want to sign it,
i read the msdn library but i couldn't reach the solution
can you please simplify the solution for me?
i will be grateful
Question by:xodos

    Accepted Solution

    Have you read this advice:

    1.      The Microsoft .NET Framework software development kit (SDK) 1.1 includes the Crypto API files that you must have to sign a .cab file. To download the SDK, visit the following Microsoft Web site:
    2.      Use the following steps to sign and validate the .cab file:
    a.       Type the following at a command prompt to create a private key file, Mycert.pvk.
    makecert -sv "mycert.pvk" -n "CN=My Company" mycert.cer
    The file created in this step, Mycert.cer, is used to create an .spc file. Type the password in the dialog box.
    b.       Create an .spc file from the certificate file with the correct password. To do so, type the following line at a command prompt:
    cert2spc mycert.cer mycert.spc
    Note that this step involves creation of a test private key. Alternatively, valid certificates can be created through Microsoft Certificate Server for Intranet use or purchased from external vendors for Internet use.
    c.       Use the key information to sign the .cab file:
    signcode -v mycert.pvk -spc mycert.spc -t [Timestamp server URL]
    For more information about signtool, visit the following Microsoft Developer Network (MSDN) Web site:
    Note: Specify the timestamp server URL at this step. The timestamp server URL provides a place to enter or edit the location of a timestamp server. A timestamp server validates the date and time that the cabinet file was signed. Certificate files can expire after a certain period of time. Contact your certificate file provider (certificate authority) for the location of their timestamp server.

    Starting with Platform SDK February 2003, signcode.exe has been replaced with signtool.exe.
    3.      Follow this procedure to validate a .cab file:
    a.       Type the following at a command prompt to run Setreg.exe on the client system with the TRUE value so that the test certificates are recognized:
    setreg -q 1 TRUE
    b.       Run Checktrust.exe to ensure that the CAB file is signed correctly:
    Expected results: Succeeded

    Author Comment

    all was working properly except the timestamp
    i have an authority server on win2k machine
    i made a certificate
    in this case my authority server is the certificate provider
    but how can i use the timestamp ?

    Author Comment

    now it works
    i run chktrust
    the result is
    and it opens the certificate and it was signed
    i open the browser and i put the path of the html file which loads the activex control
    the browser blocked the control, i allowed it to run, but it said unknown publisher
    and it didn't run

    Expert Comment


    Yep the problem is you need a trusted certificate provider like verisign, whose public key is part of IE.

    This is what I have found about the timestamp server:

    A timestamp server validates the date and time that the cabinet file
    was signed. Certificate files may expire. Contact your certificate file
    provider (certificate authority, such as, Verisign) for the location of
    their timestamp server.

    You might set your IE security settings to low, or define a trusted zone to make this ActiveX control work.
    Using standard security settings and running a home-signed control is a security breach.
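
The two outcomes discussed in this thread (a signature that outlives its certificate only when timestamped, and the "unknown publisher" prompt for a test certificate) can be shown with a simplified decision model. This is an added example, not part of the original posts and not Windows' actual verification code; the function name, result strings and dates are constructed for illustration, and the timestamp's trust is modelled separately from the publisher certificate's chain.

```python
from datetime import datetime

def evaluate_signature(not_before, not_after, chains_to_trusted_root,
                       now, timestamp=None, timestamp_trusted=False):
    """Simplified model of how a signed file is judged (hypothetical helper).

    not_before / not_after: validity window of the signing certificate.
    chains_to_trusted_root: True if the certificate chains to a root the
        client already trusts (a makecert test certificate does not).
    timestamp: signing time asserted by a timestamp server, if any.
    timestamp_trusted: True if the timestamp's own chain is trusted.
    """
    # A trusted timestamp pins the check to the moment of signing;
    # without one, the certificate is judged against the current time.
    if timestamp is not None and timestamp_trusted:
        reference, failure = timestamp, "cert_not_valid_at_signing"
    else:
        reference, failure = now, "cert_not_valid_now"
    if not (not_before <= reference <= not_after):
        return failure
    # A valid signature from an untrusted chain still has no known publisher.
    if not chains_to_trusted_root:
        return "unknown_publisher"
    return "trusted"

# Constructed sample values (not taken from the thread).
NOT_BEFORE = datetime(2005, 1, 1)
NOT_AFTER = datetime(2006, 1, 1)
SIGNED_AT = datetime(2005, 4, 7)
LATER = datetime(2012, 6, 22)   # long after the certificate expired

def demo():
    w = (NOT_BEFORE, NOT_AFTER)
    return {
        "ca_cert_timestamped": evaluate_signature(*w, True, LATER, SIGNED_AT, True),
        "ca_cert_no_timestamp": evaluate_signature(*w, True, LATER),
        "ca_cert_untrusted_tsa": evaluate_signature(*w, True, LATER, SIGNED_AT, False),
        "test_cert_same_day": evaluate_signature(*w, False, SIGNED_AT),
        "test_cert_timestamped": evaluate_signature(*w, False, LATER, SIGNED_AT, True),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24} -> {verdict}")
```

The last case shows that adding a timestamp does not change the "unknown publisher" result: the timestamp only settles when the file was signed, not who is trusted to sign it.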


    Author Comment

    i have it,
    signcode -v mycert.pvk -spc mycert.spc -t
    i put this code,
    then i run chktrust
    it pops the certificate
    if i have a certificate authority server, where would the timestamp server be?

    Expert Comment

    sorry cannot help you any further, since I've never created such a signature.

    But maybe the verisign timestamp server is good enough? Even if you are using a different authority server... give it a try. Good luck.

