MS Authenticode CMS Signer

ENTERPRISE EDITION This is a SignServer Enterprise Edition (EE) feature.

The signer has the fully qualified class name: org.signserver.module.msauthcode.signer.MSAuthCodeCMSSigner.

Overview

The MS Authenticode CMS signer is special-purpose version of the extended CMS signer, producing Authenticode-compatible CMS signatures suitable for embedding into portable executables (.exe, .dll) and MSI installer packages. This is intended for use with client-side hashing, where a client does the hashing of the original file and requests this hash to be signed by SignServer, giving a resulting signature which is then inserted into the resulting output file by the client.

This signer has all the properties of the Extended CMS Signer, and also the same Authenticode-specific properties as the MS Authenticode Signer. Note however that setting CONTENTOID or allowing overriding content OID (by setting ALLOW_CONTENTOID_OVERRIDE to true) is not supported (as the content OID will be set to be compatible with Authenticode specification).

The signdocument command can be used with client-side hashing and construction to sign a portable executable or MSI installer by hashing on the client-side, signing the hash server-side using this signer, and finally assembling the final signed binary or installer on the client-side. For more information, see Client-Side Hashing.

The MS Authenticode CMS signer only supports RFC#3161 timestamps.

Available Properties

Property

Description

PROGRAM_NAME

Program name to embed in the signature. Optional, default: none.

ALLOW_PROGRAM_NAME_OVERRIDE

If the requestor should be able to override the program name by supplying it as a request metadata property. Optional, default: false.

PROGRAM_URL

Program URL to embed in the signature. Optional, default: none.

ALLOW_PROGRAM_URL_OVERRIDE

If the requestor should be able to override the program URL by supplying it as a request metadata property. Optional, default: false.

Request Properties

This worker can accept the following request metadata properties, given that they are configured to be allowed:

Field

Description

FILE_TYPE

The file type for which the signature should be used in. Currently supported values are PE (for portable executables, such as Windows .exe and .dll files), or MSI (for Windows installers). This affects the layout of the content in the CMS structure. If not specified, PE is assumed.

PROGRAM_NAME

Program name text to use instead of the configured one (if any). Specifying an empty value removes the configured program name. Without ALLOW_PROGRAM_NAME_OVERRIDE configured in the worker request, including this request property will not be allowed.

PROGRAM_URL

Program URL to use instead of the configured one (if any). Specifying an empty value removes the configured program URL. Without ALLOW_PROGRAM_URL_OVERRIDE configured in the worker request, including this request property will not be allowed.