Cryptography Tools

Cryptography tools provide command-line tools for code signing, signature verification, and other cryptography tasks.

Introduction to Code Signing

The software industry must provide users with the means to trust code, including code published on the Internet. Many webpages contain only static information that can be downloaded with little risk. Some pages, however, contain controls and applications that are downloaded and run on a user's computer. Downloading and running such executable files is inherently risky.

Packaged software uses branding and trusted sales outlets to assure users of its integrity, but these guarantees are not available when code is transmitted on the Internet. Additionally, the Internet itself cannot provide any guarantee about the identity of the software creator, nor can it guarantee that downloaded software was not altered after its creation. Browsers can display a warning message that explains the possible dangers of downloading data of any kind, but browsers cannot verify that code is what it claims to be. A more active approach must be taken to make the Internet a reliable medium for distributing software.

One approach to providing guarantees of the authenticity and integrity of files is attaching digital signatures to those files. A digital signature attached to a file positively identifies the distributor of that file and ensures that the contents of the file were not changed after the signature was created.

Digital signatures can be created and verified by using Microsoft's cryptography APIs. For background information on cryptography and the CryptoAPI functions, see Cryptography Essentials.
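The integrity guarantee described above, as an added example that is not part of the original page: a PowerShell script (one of the file types Authenticode covers) is signed with a throwaway test certificate, verified, then altered by one word and verified again. It uses the built-in PKI and Authenticode cmdlets rather than the SDK tools, and assumes Windows 10 or later; the subject name, file names and paths are illustrative choices.

```powershell
# Added example (not from the original page): sign a PowerShell script with a
# throwaway test certificate, verify it, then alter the script body and verify
# again. Assumes Windows 10 or later with the built-in PKI module; the subject
# name, file names and paths below are illustrative choices.

$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP 'authenticode-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Create a TEST code-signing certificate (the role MakeCert plays in the SDK)
#    in the current user's Personal store. A real publisher uses a certificate
#    issued by a CA that Windows already trusts.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example Test Code Signing' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -HashAlgorithm SHA256 -KeyLength 2048

# 2. A signature only verifies as Valid when its chain ends in a trusted root, so
#    trust the test certificate for the current user (test machine only; Windows
#    asks for confirmation). It is removed again in step 5.
$cerPath = Join-Path $work 'test-signing.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null

# 3. Write a script and sign it. The signature is appended as a
#    "# SIG # Begin signature block" comment whose hash covers the script body.
$script = Join-Path $work 'hello.ps1'
Set-Content -Path $script -Value 'Write-Output "hello from a signed script"'
Set-AuthenticodeSignature -FilePath $script -Certificate $cert -HashAlgorithm SHA256 | Out-Null
$afterSigning = (Get-AuthenticodeSignature -FilePath $script).Status

# 4. Tamper: change the body without touching the signature block, then re-verify.
(Get-Content -Path $script -Raw) -replace 'hello from', 'HACKED from' |
    Set-Content -Path $script -NoNewline
$afterTamper = (Get-AuthenticodeSignature -FilePath $script).Status

# 5. Remove the test certificate from both stores so it cannot vouch for anything else.
Remove-Item -Path "Cert:\CurrentUser\Root\$($cert.Thumbprint)"
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"

[pscustomobject]@{ AfterSigning = $afterSigning; AfterTamper = $afterTamper }
```

The two statuses returned at the end should read Valid and HashMismatch: the signature block is still present and still chains to a trusted root, but the hash it commits to no longer matches the file. Note that a Valid status says nothing about who the signer is beyond the certificate subject; whether that publisher should be trusted to run code (Trusted Publishers store, execution policy) is a separate decision.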

For detailed information on digital signatures, certificates, and certificate stores, see the following topics:

Currently, CryptoAPI Tools supports Microsoft Authenticode technology by allowing software vendors to sign the following types of files for Authenticode verification.

File name extension    Contents

.appx                  Installer packages for a Windows Store app.
.cab                   Self-contained cabinet files used for application installation and setup. A cabinet file compresses multiple files into one; they are commonly found on Microsoft software distribution disks.
.cat                   Catalog files that contain the hashes (thumbprints) of several other files. A signed .cat file attests to the integrity of every file whose hash it lists, including files that cannot carry an embedded signature.
.dll                   Files that contain executable functions (dynamic-link libraries).
.exe                   Files that contain executable programs.
.js, .vbs, .wsf        Windows Script Host files: JScript (.js), Microsoft Visual Basic Scripting Edition (VBScript, .vbs), and Windows Script Files (.wsf).
.msi, .msp, .mst       Windows Installer packages, patches, and transforms.
.ocx                   Files that contain Microsoft ActiveX controls.
.ps1                   Files that contain PowerShell scripts.
.stl                   Files that contain a certificate trust list (CTL).
.sys                   Files that contain driver binaries.

For information about digital signing, see the following documents:

  • CCITT, Recommendation X.509, The Directory-Authentication Framework, Consultation Committee, International Telephone and Telegraph, International Telecommunications Union, Geneva, 1989.
  • RSA Laboratories, PKCS #7: Cryptographic Message Syntax Standard. Version 1.5, November, 1993.
  • Schneier, Bruce, Applied Cryptography, 2d ed. New York: John Wiley & Sons, 1996.
  • http://www.rsasecurity.com

Note: These resources may not be available in some languages and countries or regions.

Microsoft Cryptography Tools

The publishing tools and the signing DLL are installed in the \Bin directory of your Microsoft SDK installation. They include the following files.

File name        Remarks

Cert2SPC.exe     Creates a Software Publisher Certificate (SPC) from one or more X.509 certificates, for testing purposes only.
CertMgr.exe      Manages certificates, certificate trust lists (CTLs), and certificate revocation lists (CRLs).
MakeCat.exe      Creates an unsigned catalog file that contains the hashes of a set of files along with associated attributes of each file; the catalog is then signed with SignTool.
MakeCert.exe     Creates an X.509 certificate for testing purposes only.
Pvk2Pfx.exe      Combines a software publisher certificate file (.spc) or certificate (.cer) with its private key file (.pvk) into Personal Information Exchange (PFX) file format.
SetReg.exe       Sets registry keys that control certificate verification.
SignTool.exe     Signs and time stamps a file. Additionally, verifies the signature of a file.
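The tools above chained together into one test-signing workflow, as an added example that is not part of the original page: MakeCert issues a test root and a code-signing certificate, Cert2SPC and Pvk2Pfx package them for SignTool, SignTool signs, timestamps and verifies an executable, and MakeCat plus SignTool cover a file that cannot carry an embedded signature. It assumes the SDK \Bin directory is on PATH, a throwaway test machine, and files named app.exe and readme.txt in the current directory; the certificate names, PFX password and timestamp server URL are placeholders.

```powershell
# Added example (not from the original page): end-to-end test signing with the SDK
# tools, typed at a PowerShell prompt. Assumes the Windows SDK \Bin directory is on
# PATH, a throwaway test machine, and app.exe and readme.txt in the current
# directory. Certificate names, the PFX password and the timestamp server URL are
# placeholders; MakeCert prompts for a .pvk password in a dialog when -sv is used.

$ErrorActionPreference = 'Stop'
$pfxPassword = 'TestOnly-ChangeMe'
$tsaUrl      = 'http://timestamp.example.invalid'   # replace with your CA's RFC 3161 timestamp server

# 1. MakeCert: a self-signed test root CA, then a code-signing certificate issued by it.
#    -eku 1.3.6.1.5.5.7.3.3 is the Code Signing extended key usage; -pe makes the
#    private key exportable so Pvk2Pfx can package it.
makecert -r -pe -n 'CN=Example Test Root' -a sha256 -cy authority -sky signature `
    -sv TestRoot.pvk TestRoot.cer
makecert -pe -n 'CN=Example Test Publisher' -a sha256 -cy end -sky signature `
    -eku 1.3.6.1.5.5.7.3.3 -ic TestRoot.cer -iv TestRoot.pvk -sv TestSign.pvk TestSign.cer

# 2. Cert2SPC + Pvk2Pfx: wrap root and leaf into one SPC, then combine it with the
#    private key into a PFX that SignTool can load (add -pi if the .pvk has a password).
cert2spc TestRoot.cer TestSign.cer TestSign.spc
pvk2pfx -pvk TestSign.pvk -spc TestSign.spc -pfx TestSign.pfx -po $pfxPassword

# 3. Trust the test root for the current user so verification can succeed
#    (test machine only; removed again in step 7).
Import-Certificate -FilePath .\TestRoot.cer -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null

# 4. SignTool: embed a SHA-256 Authenticode signature plus an RFC 3161 timestamp.
#    /fd is the file digest, /td the timestamp digest. Without a timestamp the
#    signature stops validating as soon as the signing certificate expires.
signtool sign /f TestSign.pfx /p $pfxPassword /fd SHA256 /tr $tsaUrl /td SHA256 /v app.exe

# 5. Verify under the default Authenticode policy. /pa matters: without it SignTool
#    applies the Windows driver policy, which requires a chain to the Microsoft root.
signtool verify /pa /v app.exe

# 6. MakeCat: a signed catalog covers files that cannot carry an embedded signature
#    (readme.txt here). The .cdf lists one <hash> entry per file; the OSAttr
#    catalog attribute is optional and illustrative.
@'
[CatalogHeader]
Name=app.cat
ResultDir=.
PublicVersion=0x0000001
CATATTR1=0x10010001:OSAttr:2:6.1
[CatalogFiles]
<hash>app.exe=app.exe
<hash>readme.txt=readme.txt
'@ | Set-Content -Path app.cdf -Encoding ASCII
makecat -v app.cdf
signtool sign /f TestSign.pfx /p $pfxPassword /fd SHA256 /tr $tsaUrl /td SHA256 app.cat
# Verify a member file against the catalog instead of an embedded signature.
signtool verify /pa /v /c app.cat readme.txt

# 7. Remove the test root when done: while it is installed, anything signed by the
#    test publisher looks trusted on this account.
Get-ChildItem 'Cert:\CurrentUser\Root' | Where-Object Subject -eq 'CN=Example Test Root' | Remove-Item
```

The .pvk and .pfx files hold the private key and should be treated like any signing secret; for real releases the key belongs in hardware (an HSM or smart card) and SignTool is pointed at the certificate in the store with /n or /sha1 instead of a password-protected PFX on disk.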