· 6 years ago · Feb 20, 2020, 03:10 PM
1To verify digital signature of signed app:
21-Right click the file the main executable file:
3Properties> digital signature
4https://www.sslsupportdesk.com/how-to-verify-a-digital-code-signing-signature-in-windows/
5
6How to check your File Using the Digicert Certificate Utility for win:
7Code Signing:
8Examples:
91.dl DigiCertUtil.exe
102.Riun it
11Using Digicert Certificate Utility to check Code Signing signature
121-click code signing 2- check signature 3- broowse and open to location and path
13of signed app
14https://www.sslsupportdesk.com/how-to-verify-a-digital-code-signing-signature-in-windows/
15check executable code signing signatures?
16By using free osslsigncode : osslsigncode verify my.exe or installed through MSYS2 using this command below:
17pacman -S mingw-w64-{i686,x86_64}-osslsigncode
18https://security.stackexchange.com/questions/50959/how-to-check-executable-code-signing-signatures
19SignTool
20The SignTool is a command-line tool that digtally signs files, verifies signatures in files,
21or time stamps files. This tool is installed in \Bin folder of Microsoft Win software Development Kit(SDK).
22SignTool as part of win SDK could be download from
23https://go.microsoft.com/fwlink/p/?linkid=84091
24If you are using WinVerify function to verify multple embedded signatures
25or support strong cryptography policy, you must include the follwoing files:
261-Wintrust.dll 2- Microsoft.Windows.Build.Signing.wintrust.dll.manifest
27To perform dual signing and make SHA256 catalog, you must include those files and
28the following additional files: Makecat.exe, Signtool.exe,….
29commands which are supported by SignTool: sign, catdb, verify, timestamp, …
30https://docs.microsoft.com/de-de/windows/win32/seccrypto/signtool?redirectedfrom=MSDN
31once downloaded you can use it from the command line:
32or you can : signtool sinwizard
33signtool sign /a MyFile.exe - this signs a single executable, using the „best certificate“ available. If there is no certificate, it will show a SignTool error message.
34https://stackoverflow.com/questions/252226/signing-a-windows-exe-file
35How-To install and sign the file : example:
36Sign an executable File Using Signtool in Windows:
371- Make sure you’ve already installed your CodeSign Certificate: e.x:
382- SafeNet Authentication Client>open your token > User certificate>GMO GlobalSign
393- Open cmd with administrative privileges
404- Change directory(to signTool.exe)
41C:\Users\eli\program Files (x86)\Windows Kits>10>bin>10.0.16299.0>x64
42Signtool sign /a[or /n] /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256 or /standard/td SHA1 myfilename.exe
43Enter
44It should now prompt you for your token password (enter your pass)-> it will then say ‚Done adding additional store‘->successfully signed
45To verify that we’ve signed it correctly, we will type:
46Signtool verify /pa(by verifying executable) /v(more detailed verify when you run the output) MyFile.exe
47Now if you look on properties of file-> under General you can see certificate which you used to sign with common name GMO GlobalSign Inc.
48Certificate Verification Tool (chktrust.exe):
49The Certificate Verification tool checks the validity of a file signed with
50an Authenticode certificate. The Certificate Verification tool only ships with .NET framework
51SDK , use SignTool instead.
52chktrust [/q] [/v] signedFile
53many other parameters: /help, /?- Description in followinf link:
54https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-2.0/z045761b(v=vs.80)?redirectedfrom=MSDN
55How Chktrust checks the validity of a signed file:
561- Extracts the PPKCS #7 signed-data from the file 2- Extracts the X.509 certificates
57from PKCS #7 3- computes new hash of file and compares it with signed hash in the
58PKCS #7 object 4- If the hashes agree Chktrust.exe verifies that the signer’s X.509
59can be traced back to a trusted root certificate.
60O If all steps succeed, the file has not been tampered with and the vendor was authenticated by the trusted root authority.
61O If you provide a signedFile argument that does not have a valid signature, the tool displays Security Warning dialog box.
62Code signing:
63Code signing is the process of digitally signing executables and scripts to confirm
64the software auhor and guarantee that the code has not been altered since it was
65signed. The process employes the use of a cryptographic hash to validate authenticity
66and integrity.
67The efficacy of code signing as an authentication mechanism for software depends on the security of underpinning signing keys. As with other PKI technologies, the integrity of the system relie on publishers securing their private keys against unauthorized access. Keys stored in software on general-purpose computers are susceptible to compromise. Therefore, it is more secure to store keys in secure, tamper-proof, cryptographic hardware devices known as hardware security modules(HSM)
68Code signing is valuable in distributed environments, where the source of given piece of code may not be immediately evident (e.x Java applets, browser scripting code, …).
69Or another Usage of Code signing is to safely provide updates and patches to existing software.
70Win, Mac , Linux provide updates using code signing to ensure that it is not possile for others to maliciously distribute code via patch system.
71CA: (certificate Authority):
72Code signing implementations provides a way to sign the code using a system involving a pair keys(pulic, private). Thedeveloper uses a private key to sign their executables. The developer can either 1- generate this key on their own 2- or obtain one from a trusted certificate authority (CA).
73Trusted identificcation using a certtificate authority(CA):
74The public key used to authenticate the code signature should be traceable back to a trusted authority CA, using a secure public key infrastructure(PKI). This does not ensure that he code itself can be trusted, only that it comes from the stated source(from a particular private key).
75A CA provides a root trust level and is able to assignmo trust to others by proxy. If a user trust a CA , then the user can trust the legitimacy of code that is signed with a key generated by that CA or one of ist proxies. Many operating system and frameworks contain built-in trust for one or more existing CA such as: DigiCert, Comodo, GoDaddy, GlobalSign…
76it is also common place for large organizations to implement a private CA, internal to the organization, which provides the same feature as public CAs.
77
78Problems: code signing can be defeated. Users can be tricked into running unsigned code or into running code that refuses to validate. System remains secure as long as the private key remains private. Code signing ensures merely that the software has not been modified by anyone other than author. But it does not protect the end user from malicious activity.
79https://en.wikipedia.org/wiki/Code_signing
80Data protection for SAP:
81https://www.ibm.com/support/knowledgecenter/SSER83_8.1.4/erp.db2/c_dperp_d_digitalsigning.html
82Office Macro Signing:
83How sign a macro project by using a certificate?
841-obtain a digital certificate
85Description of digital signatures and code signing in workbooks in Excel:
86You can sign workbook or macro project, which ensures that you were the last person to make change to macro project.
87Digital certificates and signatures assures that the file that you are about to use comes from a reliable source. This digital certificate is an ID that a file carries with it. A certifiying authrity validates information about the creator of the file and then issues the digital signature.
88Digital certificates: contains information about to whom the certificate was issued, and about the certifying authority that issued it.
89Digital signature: is a public certificate + the value of signed data as encrypted by a private key. The value is a number that a cryptographic algorithm generates for any data.-> This algorithm makes it impossible to change the data without changing the resulting value.: verify the data was not changed.
90
91' Verify a Script Signature‘
92blnShowGUI = False
93Set objSigner = WScript.CreateObject("Scripting.Signer")
94blnIsSigned = objSigner.VerifyFile("C:\Scripts\CreateUser.vbs", blnShowGUI)
95If blnIsSigned Then
96 WScript.Echo "Script has been signed."
97Else
98 WScript.Echo " Script has not been signed."
99End If
100 ---------------------------------------------------------------------------------------------------------------------------
101Sign JScript or VBScript (.vb) files?
102Any of the files interpreted by windows Script Host, such as JScript(.js) or VBScript(.vbs) can be signed using Microsoft’s SignTool. You can sign the following files using SignTool:
103Windows executables (.exe, .dll, .com, .scr, .cpl)
104Windows installer files: .msi, .msp
105Text-based scripts: .js,.vbs, .jse (encoded JScript), .vbe (encoded VBScript)
106PowerShell scripts: .ps1, .psm1, .ps1xml
107Windows Script Files: .wsf
108-------------------------------------------------------------------------------
109
110A file is signed with a certificate. Cryptography is used to verify authenticity(such as PKI). The file is digitally signed witg the private key and public key is used to verify ist identify.
111powerShell – Execution Policy and Coode signing:
112Execution Policy:
113To find the effective execution Policy on the System, type:
114Get-ExecutionPolicy
115To control the validation of scripts, you can use the Set-ExecutionPolicy . There are several Policies :
116Restricted: does not permit any scripts to run either local, remote or downloaded
117AllSigned: All script that are run require to be digitally signe
118RemoteSigned: prevent powershell from running scripts or downloaded that dont have a digital signature.
119Unrestricted: No signature for any type of script is required.
120Set-ExecutionPolicy Restricted -Force
121For obtain identify of the source of code and ensure detection of script modification, you must use a Authenticode Digital Certificate to add a digital signature.
122The certificate can obtain from a CA which allows signing and sharing of scripts or generated self-signed certificate which hosted CA in self Computer.
123For self-signed certificates by using in code signing, first the makecert.exe toorl from the Windows SDK should be downloaded.
124https://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html#
125You can export the self signed certificate for use in other systems.
126Signing Certificates via Active Directory Certificate Services:
127From Administration Tools select Certificate Authority Console on your Enterprise Root Certificate Authority, then right click on Certificate Templates and select Manage> click on Code Signing and then add the group that will be able to request code signing certificates. (allow read and enroll)
128
129Again on your Root Certificate Authority, right click on Certificate Templates> New > Certificate Template to Issue > click Code Signing > Ok> close the Certificate Authority Console
130On the developers machine: MMC>File>Add/Remove Snap-in>certificates> click add> select My user account> click finish
131Right click on Personal> All Tasks> Request New Certificate>next>select Active Directory Enrollment Policy >next> code Signing> expand Details>click properties> select private key> make private key exportable > ok
132Using the Code Signing Certificate:
133When a code signing certificate is available from powerShell, you can sign scripts and other files . Two cmlets for Authenticode are :
134Get-AuthenticodeSignature, which checks the Authenticode signatures for files (EXE, PS1, VBS,..)
135Set-AuthenticodeSignature, which adds an Authenticode signature for files
136-CodeSigningCert: which shows code signing certificates when Certificate Store PSDrive is used.
137e.x : PS C:\Users\EG\Desktop> dir Cert:\currentuser\my –CodeSigningCert
138For signing the certificate: we can save it in a variable.:
139PS C:\>$acert=(dir Cert:\currentuser\my –CodeSigningCert)[0]
140PS C:\>Set-AuthenticodeSignature .\hello.ps1 –Certificate $acert
141OR
142PS C:\>Set-AuthenticodeSignature .\hello.ps1 @(Get-ChildItem cert:\CurrentUser\My -codesign)[0]
143 To check the script is signed or not:
144PS C:\>Get-AuthenticodeSignature .\hello.ps1 | ft –AutoSize
145https://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html
146
147How to digitally sign powershell scripts by creating a self-signed certificate:
148https://sid-500.com/2017/10/26/how-to-digitally-sign-powershell-scripts/
149How to sign Win PowerShell Scripts:
1501- Purchase a Microsoft Authenticode Code Signing ID from Symantec for OS platform or target browser
1512- Download the signing tool : download and install win powershell SDK , then launch powershell
1523- To verify that code signing certificate was generated correctly and obtain information about the certificate:
153Get-childitem cert:\CurrentUser\my –codesigning
1544- To sign the script file, type the following command at Win PowerShell:
155Set-AuthenticodeSignature newtest.ps1 @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]
1565- To verify the signature, right-click on .ps1 file, on the Properties click digital signature.
157https://knowledge.dig gicert.com/solution/SO9982.html
158CodeSigning Windows Script Host to protect against malicious Scripts:
159¬¬¬¬¬To ensure that a given script file or application comes from the person who claims to have authored it, there is CA. CA issues cerificate that not only verify identify but also assert that the credentialed individual writes trustworthy code. To identify and verify is used public-key cryptosystems, welche have a pair of keys (public key, private key). The Code will be encrypted by private key and reciepeient can decrypt it with the sender’s public key. For code signing the code must have been encrypted eoth private key. Because there is only one owner oft he private key, being able to decrypt a signed script with a public key shows that the owner oft he private key wrote that code.
160Because public key cryptosystems are very slow by encrypting large message and sending both signature and script code would double the length of message. Therefore the script isn’t signed, rather a hash is signed. A hash algorithm is applied to a script, welche returns a large number usually 128 called the hash. This 128-bit hash nuber is signed with the private key, then the key and certificate are added to the text in script file. To sign a script will be performed the following operations:
1611- Obtain certificate containing a private key from a CA (certification authority)
1622- Remove any other existing signature from script text
1633- Hash the script
1644- Sign the hash by encrypting it with the private key
1655- Convert the hash and the certificate into a script comment and append it tot he script
166To verify :
1671- From obtained script text extract the certificate and signed hash
1682- Verify that the certificate was signed by a trusted root
1693- Decrypt the signed hash with the public key in the certificate
1704- Compare the decrypted hash with the hash of the received script text
171By failing one of these four steps , trust can not be verified.
172Script or file(.EXE, .DLL, .OCX,..) can be signed or verifyed using group of code-signing and certificate management tool that called WinTrust. The latest version of WSH plugs into the WinTrust system that does all cryptography . WinTrust tools such as ChkTrust .EXE and SignCode.EXE can be used with script signature manager installed on .VBS, .JS and .WSF files . WSH signature manager will verify file by calling the Win32 API WinVerifyTrust.
173To verify trust by WSH before running code , will be examined registery key :
174In Registierungs-Editor (Win+R-> regedit)
175 HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\TrustPolicy
176The trust policy iss et to one of three values:0,1,2.
1770 means run untrusted scripts. 1 means prompt the user if asked to run an untrusted script. Value of 2 means do not prompt the user and do not run untrusted scripts. To prevent users from changing these keys is good to set access control lists(ACLs) on them.
178Windows Script Host (WSH) is only script host that determines whether a script is trusted or not.
179WSH provides signing and signature verification for VBScript and JScript engines when used by the Windows Script Host engine itself and doesn’t provide it in any other script host. Because WSH treats a script as an executable and other applications such as Internet Explorer have specific security needs.
180Example JScript code to sign a file
181var Signer = new ActiveXObject("Scripting.Signer");
182var File = "c:\\myfile.vbs";
183var Cert = "Jane Q. Programmer";
184var Store = "my";
185Signer.SignFile(File, Cert, Store);
186Sample VBScript code to verify a file:
187Dim Signer, File, ShowUI, FileOK
188Set Signer = CreateObject("Scripting.Signer")
189File = "c:\newfile.wsf"
190ShowUI = True
191FileOK = Signer.VerifyFile(File, ShowUI)
192If FileOK Then
193 WScript.Echo File & " is trusted."
194Else
195 WScript.Echo File & " is not trusted."
196End If
197-----------------------
198JS:
199By signing a script using a valid certificate issued from a CA (such as VerSign) you certify that you are the owner of the script and that the script was not modified before reaching the end user.
200By this model you can sign any JavaScript in an HTML page or referred to by the HTML page with
201<SCRIPT SRC=“…“>
202A signed script can be granted extended privileges by user that give it access to restricted information and abilities.
203Once you have written the script, you sign it using Mozilla’s SignTool, which is one of the NSS tools. SignTool associates a digital signature with HTML and JS files. The digital signature and signed files are placed in a Java Archive (JAR) file.
204https://www-archive.mozilla.org/projects/security/components/signed-scripts.html
205javascript supports codebase principals, welche is a principal derived from the origin of the script and do not offer as strong a proof of identify. Therefore Codebase principals have weaker security . Thereby they are disabled by default in Mozilla. Even by disabling codebase principals, Mozilla keeps tracks of codebase principals to use of same origin security policy. Signed scripts have codebase principals and stronger certificate principals. When codebase principals enabled, by accessing the user to script a dialog displays welche asks the user to grant privileges based on the URL.
206For asking permission to enable a privilege which allows a script to access a target, you can add this line:
207netscape.security.PrivilegeManager.enablePrivilege("UniversalPreferencesRead")
208when the script calls this function, the signature is valid or codebase principal are anabled, expanded privileges can be granted. If a user has not accessed this principal before, will be asked the user about accepting the signed code.
209If you have not enabled codebase principals and unsigned script attempts to enable privileges, it gets an exception from Java that the „Enabled privilege not granted“. If you did enable codebase principals, you will see a security dialog for assking for permission forz he unsigned code.
210Since all javascript code on a single HTML page runs in the same process , different scripts might change each other’s behavior on the same page. Thereby for ensure security is assumed that javascript signed script security model operate mixed scripts on an HTML page as if they were all signed by the intersection of the principals that signed each script. That means, if you have a web page with signed and unsigned code, the entire page witll be regarded as unsigned. For each JAR file , only one signature should be assigned (Mozilla does not support curently multiple signatures).
211To improve security is minimize the Trusted Code Base (TCB) one way against opportunities for attack. TCB is set of code that has privileges to perform restricted actions.
212Following code if executed in a signed script with user’s approval, opens a new window containing the history of browser:
213<SCRIPT>
214netscape.security.PrivilegeManager.enablePrivilege(
215 "UniversalBrowserAccess");
216var win = window.open();
217for (var i=0; i < history.length; i++) {
218 win.document.writeln(history[i] + "<BR>");
219}
220win.close();
221</SCRIPT>
222Since privileges are required only at the beginning to access tot he history, you can reduce the TCB by rewriting the program as follow:
223SCRIPT>
224var win = window.open();
225netscape.security.PrivilegeManager.enablePrivilege(
226 "UniversalBrowserAccess");
227for (var i=0; i < history.length; i++) {
228 win.document.writeln(history[i] + "<BR>");
229}
230netscape.security.PrivilegeManager.revertPrivilege(
231 "UniversalBrowserAccess");
232win.close();
233</SCRIPT>
234International Characters in Signed Script:
235Scripts that contain international characters can not be signed because the process of transforming the character to the local character set invalidates the signature. To work around this limitation you can 1-escape the international characters(‚0x\ea‘), 2-put the data welche enthälts the international characters in hidden form, 3- use international characters in unsigned scripts into different layer, or 4-remove comments that content international chracters.
236Using SignTool
237You can use SignTool to sign scripts and HTML files and packages them in JAR file with the signature.
238The SignTool extracts scripts from HTML files, sign them, and places this digital signature in the the archive apecified in the command line. The SignTool supports external JavaScript files loaded by the SRC attribute of the SCRIPT tag. If SCRIPT tag in the HTML pages specify more than one JAR file, SignTool creates as many JAR files as it needs.
239This command shows that all JavaScript and HTML files in the directory source-files/ will be signed and stored in the JAR file (secure.jar) welche signed by „Cert Name“:
240
241% signtool -k"Cert Name" -Z"secure.jar" secure-files/
242
243Any change to signed script’s byte stream invalidate the script’s signature. This change can be moving the HTML page between platforms that have different representations of text.
244-----
245To sure JS is not altered:
246HTML <script> is used to reference or embed executable code.
247integrity feature of the <script> tag, contains inline metadata that a user agent can use to verify that a resource that fetch are delivered without unexpected manipulation. That works under Name of Subresource Integrity (SRI) by allowing you to provide a cryptographic hash that a fetched resource must match.
248In fact, SRI ables you to mitigate the risks of attacks by ensuring that the files your web application have been delivered without a third-party having injected any additional content or any change into those files. SRI works by specifying a base64-encoded cryptography hash of a resource that browser fetches in the value of integrity attribute of any <script> or <link> element. This integrity value begins with at least one string including a prefix of a hash algorithm (the allowed prefixes are sha256, sha384 and sha512), followed by a dash and then with actual base64-encoded hash.
249Exmple integrity String with a base64-encoded sha384 hash:
250sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC
251To generate SRI hashes from command-line with openssh:
252cat FILENAME.js | openssl dgst -sha384 -binary | openssl base64 –A
253To SRI verification of resource from an origin will be used Cross-Origin Resource Sharing (CORS), to ensure the origin the resource allows it to be shared with the requesting origin.Thereyby the resource must be serverd with an Access-Control- Allow-Origin header.
254For eample, we can consider a script, welche is hosted at https://example.com/example-framework.js
255To tell browser to check the resource before executing the https://example.com/example-framework.js script, the browser must compare the script to the expected hash, and verify that there is a match using CORS settings.
256<script src="https://example.com/example-framework.js"
257 integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
258 crossorigin="anonymous"></script>
259If the script doesnt match ist integrity value , the browser must refuse to execute the script and return a network error indicating that fetching oft he script failed.
260https://stackoverflow.com/questions/38700923/how-can-i-make-sure-that-my-javascript-files-delivered-over-a-cdn-are-not-altere
261(((tu in do ta dige link miabi)))
262Interesting:
263https://w3c.github.io/webappsec-subresource-integrity/
264-------------
265Batch Datei :
266
267----------------------------------------------------------------------------------------------------------------------------
268For sign a macro project, you need a digital certificate. (your own self-signing certificate by using Selfcert.exe Tool)
269For obtain a digital certificate you have these options: CA(Certificate Authority) or from internal security administrator or IT professional.
270By using self-signed certificate will be trusted by microsoft only when the self-signing certificate added to Trusted Root Certificate folder.
271Digitally sign a macro project in Excel. PowerPoint, ..:
272https://support.office.com/en-us/article/digitally-sign-your-macro-project-956e9cc8-bbf6-4365-8bfa-98505ecd1c01?ui=en-US&rs=en-US&ad=US
273sönke: pex?