How can I provide an email address when signing a binary?

I use signtool to apply a digital signature to various .exe / .dll files. However, viewing the signed files in Windows Explorer shows that the email address is not set, as in this screenshot (I have nothing to do with "Paramount Software UK Ltd."; these screenshots are just the first result I found through Google):

Screenshot of Windows explorer showing signature details without e-mail address

However, I also saw other screenshots showing that it can somehow determine the E-Mail address (even if it is fictitious, as in this case):

Screenshot of Windows explorer showing signature details including e-mail address

Is it possible to set this email address through signtool, or is it really a property of the certificate itself (that is, must it be specified when purchasing the certificate)?

2 answers

The email property is extracted from the emailAddress attribute in the subject distinguished name field of your certificate.

You can check this using openssl to create a self-signed certificate (afterwards you can generate a CSR containing emailAddress and send it to a certificate authority to obtain a valid end-entity certificate). To verify this, follow these steps:

Create a self-signed certificate using the following openssl command:

 openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 

Then you will be asked to enter the following parameters (all for the certificate subject):

[screenshot: the openssl prompts for the subject fields]

To avoid this prompt, you can specify the subject directly in the previous command with -subj, as follows:

 openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -subj "/C=ES/ST=58/L=Barcelona/O=yourOrgName/OU=yourDept/CN=yourAppName/emailAddress=myEmail@test.com"

Now you can generate a .p12 (or .pfx) file from the generated key and certificate using the following command:

 openssl pkcs12 -export -out myTestWithMail.pfx -inkey key.pem -in cert.pem 

Now you have a .p12 file (myTestWithMail.pfx) which you can use to sign an exe or dll with signtool. For example, I sign notepad++.exe (as in the examples in your question):

 signtool.exe sign /f C:\Users\Albert\myTestWithMail.pfx /p 1234 "C:\Program Files (x86)\Notepad++\notepad++.exe" 

Note that /f is for your signature key, and /p is the password for your key.

Now you can see the email in the file you are signing:

[screenshot: signature details in Windows Explorer showing the email address]

So, if you need a certificate from a certification authority, generate a CSR with emailAddress using the following openssl command:

 openssl req -new -newkey rsa:2048 -nodes -out yourAppName.csr -keyout yourAppName.key -subj "/C=ES/ST=58/L=Barcelona/O=yourOrgName/OU=yourDept/CN=yourAppName/emailAddress=myEmail@test.com"

Or, alternatively, without specifying -subj, enter the correct values for the subject's distinguished name when prompted:

 openssl req -new -newkey rsa:2048 -nodes -out yourAppName.csr -keyout yourAppName.key 

Hope this helps,

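The following script is an added example, not part of the answer above, that automates the openssl half of the procedure and checks the result: it builds a self-signed certificate whose subject carries emailAddress, exports it to a .pfx, and reads the emailAddress back both from the PEM certificate and from inside the .pfx. It also builds a certificate without emailAddress to show that the attribute is simply absent in that case, which is what Windows Explorer then reports as "not available". It assumes openssl (1.1.1 or later, for -addext) is in PATH; the subject values, the password 1234 and the codeSigning EKU are constructed for the demo, the EKU being what a real code-signing certificate would carry rather than something the answer requires. Signing the binary is still done with signtool as shown in the answer.

```shell
#!/bin/sh
# Added example (not from the original answer). Requires openssl in PATH.
set -eu

# Create a private key and a self-signed certificate.
#   $1 = output directory, $2 = CN, $3 = emailAddress (empty string omits it)
# The codeSigning EKU is an assumption about what a code-signing cert carries;
# the answer's plain "openssl req -x509" does not add it.
make_signing_cert() {
  dir="$1"; cn="$2"; email="$3"
  subj="/C=ES/L=Barcelona/O=ExampleOrg/CN=$cn"
  if [ -n "$email" ]; then
    subj="$subj/emailAddress=$email"     # the attribute Explorer reads as "E-mail"
  fi
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -subj "$subj" -addext "extendedKeyUsage=codeSigning" 2>/dev/null
}

# Print the emailAddress found in a PEM certificate's subject (empty if none).
# RFC2253 output is "subject=emailAddress=x,CN=y,..." so the field is comma-delimited.
subject_email() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | grep -o 'emailAddress=[^,]*' | cut -d= -f2 || true
}

# Bundle key + cert into PKCS#12 ($1 = dir, $2 = password), as the answer does.
export_pfx() {
  openssl pkcs12 -export -out "$1/app.pfx" -inkey "$1/key.pem" \
    -in "$1/cert.pem" -passout "pass:$2"
}

# Extract the end-entity cert from the .pfx and report its subject emailAddress.
pfx_email() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 \
    | grep -o 'emailAddress=[^,]*' | cut -d= -f2 || true
}

demo() {
  with="$(mktemp -d)"; without="$(mktemp -d)"
  make_signing_cert "$with" "yourAppName" "myEmail@test.com"   # constructed values
  export_pfx "$with" "1234"
  make_signing_cert "$without" "yourAppName" ""
  echo "cert.pem with emailAddress   : $(subject_email "$with/cert.pem")"
  echo "app.pfx  with emailAddress   : $(pfx_email "$with/app.pfx" 1234)"
  echo "cert.pem without emailAddress: '$(subject_email "$without/cert.pem")'"
  rm -rf "$with" "$without"
}

demo
```

The .pfx produced by the export step is what you hand to signtool /f with /p for the password. One interoperability note: OpenSSL 3 encrypts PKCS#12 with AES-256-CBC and PBKDF2 by default, which some older Windows releases cannot import; if signtool or certutil rejects the file, re-export with the -legacy option (OpenSSL 3) or with explicit -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1.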

Short answer: Yes, the email address is part of the certificate and no, you cannot specify it when signing the binary file.

Long answer: @albciff indicated how to create a certificate with the email address associated with it, but it seems you were out of luck if you bought the certificate from Thawte; my colleague asked this exact question of the technical support of our certificate provider (Thawte), who answered:

When registering for a code signing certificate, the email address used is not part of the verification process. Unfortunately, since the email address is not part of the verification process, it will not be included in the properties of the signed code.

In addition, technical support led us to this article in the Thawte Knowledge Center, which explains:

When viewing the properties of a signed code, the email address is always displayed as "not available." This is because the certificate validates the organization, but does not require information about the organization's email address. Thus, we checked the organization, but did not confirm the email. This in no way reduces the value or usefulness of your identifier.

Thus, not only is the email address a property of the certificate itself, but whether the certificate contains an email address at all also depends on who issued the certificate.


Source: https://habr.com/ru/post/982606/
