Sign binaries and packages

This topic provides guidance about signing binaries by using the sign.cmd tool, signing packages, and troubleshooting signing issues.

Using sign.cmd to sign binaries

To sign binaries, use the sign.cmd script located in %WPDKCONTENTROOT%\tools\bin\i386. Before you can sign binaries, you must first install the test OEM certificates by following the steps in Set up the signing environment.

The following table lists the sign.cmd options.

Type: Drivers (including boot-critical drivers), services EXEs and DLLs, and other OEM general-purpose signing
Example:
    set SIGN_OEM=1
    sign BootCriticalDriver.dll

Type: HAL extensions provided by the SoC vendor
Example:
    set SIGN_OEM=1
    sign -hal HalBinaryName.dll

Type: OEM preloaded applications
Example:
    set SIGN_OEM=1
    sign -app ContosoApp.xap


Warning  

The signing options must match the type of binary that is being signed.

Time stamping of signatures for OEM binaries

Time stamping of signatures for OEM binaries can be disabled by setting the following environment variable before you run sign.cmd.

set SIGN_WITH_TIMESTAMP=0

Time stamps are not required for the retail signing of OEM binaries by Microsoft using the ingestion client, or for local testing of packages and images.

Embedded signing a boot-critical driver

To apply an embedded signature to a boot-critical driver:

set SIGN_OEM=1
sign.cmd BootCriticalDriver.dll

This should generate output similar to the following.

signtool.exe sign /v /s my /i "Windows Phone Intermediate 2013" /n "Windows Phone OEM Test Cert 2013 (TEST ONLY)" /fd SHA256  /t http://timestamp.verisign.com/scripts/timestamp.dll  "BootCriticalDriver.dll"
The following certificate was selected:
    Issued to: Windows Phone OEM Test Cert 2013 (TEST ONLY)
    Issued by: Windows Phone Intermediate 2013 (TEST ONLY)
    Expires:   Mon Apr 09 14:17:24 2018
    SHA1 hash: 27CC4E1323C08A5BA2A62DC7F154C8AF017C488F

Done Adding Additional Store
Successfully signed: BootCriticalDriver.dll

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
signed:  "BootCriticalDriver.dll"
Sign.Cmd RC=0

Package signing

For package signing, set the environment variable SIGN_OEM to "1" and SIGN_WITH_TIMESTAMP to "0" before using the package generation tools.

set SIGN_OEM=1
set SIGN_WITH_TIMESTAMP=0

Package signing occurs automatically during the package generation process. For more info on packaging, see Creating packages.

Confirming the EKU of a signed binary

To confirm the EKU of a signed binary:

  1. Open Windows Explorer and locate the binary file.

  2. Right-click the file and select Properties.

  3. On the Digital Signatures tab, select the listed item in the Signature list.

  4. Select the Details button, and then select View Certificate.

  5. On the Details tab, select the Enhanced Key Usage field.

  6. The following information should be displayed for a boot-critical driver. See Code signing for other EKUs that are used.

    Code Signing (1.3.6.1.5.5.7.3.3)
    WP OEM (1.3.6.1.4.1.311.76.5.40)
    
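As an added example (not part of this topic or of the WPDK tools), the following PowerShell script automates the Enhanced Key Usage check above for a boot-critical driver and also reports whether the signature was time stamped. The file path is a placeholder; the two OIDs are the ones listed above.

```powershell
# Added example: check the EKUs and time stamp of a signed OEM binary.
# $Path is a placeholder; point it at the binary you signed with sign.cmd.
param(
    [string]$Path = ".\BootCriticalDriver.dll"
)

# EKU OIDs expected on a boot-critical driver (from the topic above).
$RequiredEkus = @(
    '1.3.6.1.5.5.7.3.3',        # Code Signing
    '1.3.6.1.4.1.311.76.5.40'   # WP OEM
)

$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
    Write-Error "$Path carries no Authenticode signature"
    exit 1
}
# With the test OEM certificates the chain ends in a test root, so Status may
# not be 'Valid' unless that root was installed during environment setup.
# Report the status and still inspect the signer certificate.
"Status:        $($sig.Status) ($($sig.StatusMessage))"

$cert = $sig.SignerCertificate
"Signer:        $($cert.Subject)"
"Issuer:        $($cert.Issuer)"

# The Enhanced Key Usage extension lists the purposes the signer cert was issued for.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$presentOids = @()
if ($ekuExt) { $presentOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
"EKUs present:  $($presentOids -join ', ')"

# No time stamp is expected when SIGN_WITH_TIMESTAMP=0 was set before signing.
if ($sig.TimeStamperCertificate) {
    "Time stamped:  yes, by $($sig.TimeStamperCertificate.Subject)"
} else {
    "Time stamped:  no"
}

$missing = @($RequiredEkus | Where-Object { $presentOids -notcontains $_ })
if ($missing.Count -gt 0) {
    # A missing EKU usually means the wrong sign.cmd option was used for this binary type.
    Write-Error "Missing EKU(s): $($missing -join ', ')"
    exit 1
}
"EKU check passed for $Path"
exit 0
```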

Troubleshooting signing errors

You can use SignTool to see how a binary file was signed. For example, to check the code signing for BootCriticalDriver.dll, open a command prompt and type the following.

signtool verify BootCriticalDriver.dll

To list additional information and have signtool verify all signatures in a file with multiple signatures, type the following.

signtool verify /pa /ph /v /d BootCriticalDriver.dll

Output similar to the following should appear.

Verifying: BootCriticalDriver.dll
Signature Index: 0 (Primary Signature)
Hash of file (sha256): 0829CF677B3831904AB1AFC9BF45C6B7E0F0368786378DE6D0FBEBAA88C0632F

Signing Certificate Chain:
    Issued to: Windows Phone OEM Root 2013 (TEST ONLY)
    Issued by: Windows Phone OEM Root 2013 (TEST ONLY)
    Expires:   Mon Apr 09 14:17:13 2018
    SHA1 hash: 53671A6DE6E8D9FA0D610EC563F10F2C8539EBEE
        Issued to: Windows Phone Intermediate 2013 (TEST ONLY)
        Issued by: Windows Phone OEM Root 2013 (TEST ONLY)
        Expires:   Mon Apr 09 14:17:22 2018
        SHA1 hash: B63C71861C0880E2D0F121A7120C98DC67F14548
            Issued to: Windows Phone OEM Test Cert 2013 (TEST ONLY)
            Issued by: Windows Phone Intermediate 2013 (TEST ONLY)
            Expires:   Mon Apr 09 14:17:24 2018
            SHA1 hash: 27CC4E1323C08A5BA2A62DC7F154C8AF017C488F

The signature is timestamped: Mon Aug 05 16:50:55 2013
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   Thu Dec 31 16:59:59 2020
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

        Issued to: Symantec Time Stamping Services CA - G2
        Issued by: Thawte Timestamping CA
        Expires:   Wed Dec 30 16:59:59 2020
        SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

            Issued to: Symantec Time Stamping Services Signer - G4
            Issued by: Symantec Time Stamping Services CA - G2
            Expires:   Tue Dec 29 16:59:59 2020
            SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

SignTool Warning: No page hashes are present.
Successfully verified: BootCriticalDriver.dll
Number of files successfully Verified: 1
Number of warnings: 1
Number of errors: 0

To display the command-line help for the SignTool verify option, type the following.

signtool verify /?

For more info on SignTool, see SignTool on MSDN.
