MS Authenticode Signer

ENTERPRISE EDITION This is a SignServer Enterprise Edition (EE) feature.

The signer has the fully qualified class name: org.signserver.module.msauthcode.signer.MSAuthCodeSigner.

Overview

The MS Authenticode signer signs portable executable files such as Windows executables and shared libraries (.exe, .dll and .ocx etc) according to the Windows Authenticode Portable Executable Signature Format, and also Windows installer packages (.msi). The signature can optionally include a timestamp response from a TSA using the Authenticode or RFC#3161 format.

Note that MSI files larger than 2 GB are currently not supported.

Available Properties

Property

Description

PROGRAM_NAME

Program name to embed in the signature. Optional, default: none.

ALLOW_PROGRAM_NAME_OVERRIDE

If the requestor should be able to override the program name by supplying it as a request metadata property. Optional, default: false.

PROGRAM_URL

Program URL to embed in the signature. Optional, default: none.

ALLOW_PROGRAM_URL_OVERRIDE

If the requestor should be able to override the program URL by supplying it as a request metadata property. Optional, default: false.

SIGNATUREALGORITHM

Signature algorithm. Optional, default: depending on the signing key, SHA256withRSA, SHA256withDSA or SHA256withECDSA.

DIGESTALGORITHM

Algorithm for the digest of the binary. Optional, default: SHA256.

TSA_WORKER

Worker ID or name of internal (authenticode) timestamp signer in the same SignServer. Optional, default: none. This property cannot be combined with TSA_URL.

TSA_URL

URL of external (authenticode) timestamp authority. Optional, default: none. This property cannot be combined with TSA_WORKER.

TSA_USERNAME

Login username used if the TSA uses HTTP Basic Auth. Optional, default: none.

TSA_PASSWORD

Login password used if the TSA uses HTTP Basic Auth. Required if TSA_USERNAME is specified, default: none.

DO_LOGREQUEST_DIGEST

If a digest of the request should be computed and logged. Optional, default: true.

LOGREQUEST_DIGESTALGORITHM

Algorithm used to create the message digest (hash) of the request document to put in the log. Default: SHA256.

DO_LOGRESPONSE_DIGEST

If a digest of the response should be computed and logged. Optional, default: true.

LOGRESPONSE_DIGESTALGORITHM

Algorithm used to create the message digest (hash) of the response document to put in the log. Default: SHA256.

TIMESTAMP_FORMAT

Specifies the timestamp format to use. Default: AUTHENTICODE. Allowed values: AUTHENTICODE, RFC3161. If value RFC3161 is set, a standard RFC 3161-compliant timestamp signer is assumed, rather than the legacy Authenticode timestamp format.

Request Properties

This worker can accept the following request metadata properties, given that they are configured to be allowed:

Property

Description

PROGRAM_NAME

Program name text to use instead of the configured one (if any). Specifying an empty value removes the configured program name. Without ALLOW_PROGRAM_NAME_OVERRIDE configured in the worker request, including this request property will not be allowed.

PROGRAM_URL

Program URL to use instead of the configured one (if any). Specifying an empty value removes the configured program URL. Without ALLOW_PROGRAM_URL_OVERRIDE configured in the worker request, including this request property will not be allowed.

Worker Log Fields

Field

Description

REQUEST_DIGEST

A message digest (hash) for the request document in hex encoding.

REQUEST_DIGEST_ALGORITHM

The name of the message digest (hash) algorithm used for the request digest in the log.

RESPONSE_DIGEST

A message digest (hash) for the response document in hex encoding.

RESPONSE_DIGEST_ALGORITHM

The name of the message digest (hash) algorithm used for the response digest in the log.