SignerSignEx2 function

The SignerSignEx2 function signs and time stamps the specified file, allowing multiple nested signatures.

Note

This function has no associated header file or import library. To call this function, you must create a user-defined header file and use the LoadLibrary and GetProcAddress functions to dynamically link to Mssign32.dll.

 

Syntax

HRESULT WINAPI SignerSignEx2(
  _In_       DWORD                  dwFlags,
  _In_       SIGNER_SUBJECT_INFO    *pSubjectInfo,
  _In_       SIGNER_CERT            *pSignerCert,
  _In_       SIGNER_SIGNATURE_INFO  *pSignatureInfo,
  _In_opt_   SIGNER_PROVIDER_INFO   *pProviderInfo,
  _In_opt_   DWORD                  dwTimestampFlags,
  _In_opt_   PCSTR                  pszTimestampAlgorithmOid,
  _In_opt_   PCWSTR                 pwszHttpTimeStamp,
  _In_opt_   PCRYPT_ATTRIBUTES      psRequest,
  _In_opt_   PVOID                  pSipData,
  _Out_      SIGNER_CONTEXT         **ppSignerContext,
  _In_opt_   PCERT_STRONG_SIGN_PARA pCryptoPolicy,
  _Reserved_ PVOID                  pReserved
);

Parameters

dwFlags [in]

Modifies the behavior of this function.

If the file to be signed is a portable executable (PE) file, this can be zero or a combination of one or more of the following values.

Value Meaning
SPC_EXC_PE_PAGE_HASHES_FLAG
0x10
Exclude page hashes when creating SIP indirect data for the PE file. This flag takes precedence over the SPC_INC_PE_PAGE_HASHES_FLAG flag.
If neither the SPC_EXC_PE_PAGE_HASHES_FLAG or the SPC_INC_PE_PAGE_HASHES_FLAG flag is specified, the value set with the WintrustSetDefaultIncludePEPageHashes function is used for this setting. The default for this setting is to exclude page hashes when creating SIP indirect data for PE files.
This value is defined in the Mssip.h header file.
Windows Server 2003 and Windows XP: This value is not supported.
SPC_INC_PE_IMPORT_ADDR_TABLE_FLAG
0x20
This value is not supported.
SPC_INC_PE_DEBUG_INFO_FLAG
0x40
This value is not supported.
SPC_INC_PE_RESOURCES_FLAG
0x80
This value is not supported.
SPC_INC_PE_PAGE_HASHES_FLAG
0x100
Include page hashes when creating SIP indirect data for the PE file.
Windows Server 2003 and Windows XP: This value is not supported.
This value is defined in the Mssip.h header file.
SIG_APPEND
0x1000
The signature will be nested. If you set this flag before any signature has been added, the generated signature will be added as the outer signature. If you do not set this flag, the generated signature replaces the outer signature, deleting all inner signatures.

 

pSubjectInfo [in]

Pointer to a SIGNER_SUBJECT_INFO structure that specifies the subject to sign.

pSignerCert [in]

Pointer to a SIGNER_CERT structure that specifies the certificate to use to create the digital signature.

pSignatureInfo [in]

A pointer to a SIGNER_SIGNATURE_INFO structure that contains information about the digital signature.

pProviderInfo [in, optional]

Pointer to a SIGNER_PROVIDER_INFO structure that specifies the cryptographic service provider (CSP) and private key information used to create the digital signature.

If the value of this parameter is NULL, the pSignerCert parameter must specify a certificate that is associated with a CSP.

dwTimestampFlags [in, optional]

Flags that will be passed to SignerTimeStampEx3 if the pwszHttpTimeStamp parameter is not NULL. This can be one of the following values.

Value Meaning
SIGNER_TIMESTAMP_AUTHENTICODE
Default value. Specifies an Authenticode timestamp.
SIGNER_TIMESTAMP_RFC3161
Specifies an RFC 3161 timestamp.

 

This parameter is ignored if the pwszHttpTimeStamp parameter is NULL.

pszTimestampAlgorithmOid [in, optional]

Object identifier of the algorithm to be used for creating an RFC 3161 timestamp. This parameter is ignored for Authenticode time stamps.

pwszHttpTimeStamp [in, optional]

URL of the time stamp server.

psRequest [in, optional]

Pointer to an array of CRYPT_ATTRIBUTE structures that are added to a sign request. This parameter is ignored if the pwszHttpTimeStamp parameter does not contain a valid value or is NULL.

pSipData [in, optional]

A 32-bit value that is passed as additional data to SIP functions. The format and content of this is defined by the SIP provider.

ppSignerContext [out]

The address of a pointer to the SIGNER_CONTEXT structure that contains the signed BLOB. When you have finished using the SIGNER_CONTEXT structure, free the SIGNER_CONTEXT structure by calling the SignerFreeSignerContext function.

pCryptoPolicy [in, optional]

If present, a pointer to a CERT_STRONG_SIGN_PARA structure that contains the parameters used to check for strong signatures. If either a certificate or its chain does not pass, the file is not altered in any way. If a URL is passed in to specify a Time Stamping Authority (TSA), this policy is also applied to the time stamp.

pReserved

Reserved. This value must be NULL.

Return value

If the function succeeds, the function returns S_OK.

If the function fails, it returns an HRESULT value that indicates the error. Possible error codes returned by this function include, but are not limited to, the following. For a list of common error codes, see Common HRESULT Values.

Return code Description
E_INVALIDARG
If you set the dwTimestampFlags parameter to SIGNER_TIMESTAMP_AUTHENTICODE, you cannot set the dwFlags parameter to SIG_APPEND.

 

Requirements

Requirement Value
Minimum supported client
Windows 8 [desktop apps only]
Minimum supported server
Windows Server 2012 [desktop apps only]
DLL
Mssign32.dll

See also

SignerSign

SignerSignEx

SignerFreeSignerContext