Scenario 3.3: Issue Code-Signing Certificate

Category: Issue Certificates
Complexity: * (Medium-High)
Prerequisites: CSR available, Code-Signing CA
Estimated Time: 10-15 minutes </WRAP>

----

===== Description =====

This scenario describes issuing a code-signing certificate for signing software. A code signature lets the consumer verify the origin and integrity of executables, DLLs, scripts and packages: the signer's identity is bound to the certificate chain, and any change to the signed bytes after signing invalidates the signature. Verifiers also check the certificate's key usage and extended key usage, which is why the profile below restricts the certificate to digitalSignature and codeSigning and nothing else.

Use cases:

  * Windows Authenticode (EXE, DLL, MSI)
  * PowerShell scripts
  * Java JAR files
  * NuGet packages
  * macOS code signing
  * Firmware signing

----

===== Code Example (C#) =====

<code csharp>
using System.IO;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

using var ctx = PqCryptoContext.Initialize();

// Load the issuing code-signing CA and its password-protected private key
var caCert = ctx.LoadCertificate("codesign-ca.crt.pem");
var caKey = ctx.LoadPrivateKey("codesign-ca.key.pem", "CaPassword!");

// Load the request and check its self-signature (proof of possession of the request key)
var csr = ctx.LoadCertificateRequest(File.ReadAllText("codesign.csr.pem"));
csr.VerifySignature();

// Issue code-signing certificate
var codesignCert = ctx.IssueCertificate(
    csr,
    issuerCert: caCert,
    issuerKey: caKey,
    serialNumber: ctx.GenerateSerialNumber(),
    validDays: 730, // 2 years
    extensions: new ExtBuilder()
        // End-entity certificate: must never act as a CA
        .BasicConstraints(ca: false, critical: true)
        // Key Usage: only digitalSignature! No keyEncipherment, no keyCertSign
        .KeyUsage(KeyUsageFlags.DigitalSignature, critical: true)
        // Extended Key Usage: Code Signing (1.3.6.1.5.5.7.3.3)
        .ExtendedKeyUsage(ExtKeyUsage.CodeSigning)
        .SubjectKeyIdentifier(csr.PublicKey)
        .AuthorityKeyIdentifier(caCert)
        // Revocation and timestamping URLs for long-term validation.
        // Note: RFC 5280 defines only the ocsp and caIssuers access methods for AIA;
        // the timestampUrl parameter is specific to this library. Signing tools take
        // the timestamp server from their own configuration (see signtool /tr below).
        .AuthorityInfoAccess(
            ocspUrl: "http://ocsp.example.com",
            timestampUrl: "http://timestamp.example.com"
        )
        .Build()
);

codesignCert.ToPemFile("codesign.crt.pem");
</code>

----

===== Extended Key Usage Variants =====

^ OID ^ Name ^ Usage ^
| 1.3.6.1.5.5.7.3.3 | codeSigning | Standard code signing (id-kp-codeSigning, RFC 5280) |
| 1.3.6.1.4.1.311.10.3.13 | lifetimeSigning | Microsoft: the signature expires together with the certificate, even if it was timestamped |
| 1.2.840.113549.1.9.16.1.4 | id-ct-TSTInfo | Not an EKU: this OID is the CMS content type of an RFC 3161 timestamp token. RFC 5280 defines no firmwareSigning EKU; firmware is signed with codeSigning unless a product-specific profile prescribes its own OID |

lifetimeSigning is the opposite of what a timestamp achieves (see Timestamp Servers below). Only set it deliberately, for example for test builds that must stop validating once the certificate expires.

----

===== Industry-Specific Requirements =====

^ Industry ^ Requirement ^ Specifics ^
| Automotive | UN R156 | Firmware updates, Secure Boot |
| Healthcare | DiGAV (German Digital Health Applications Ordinance) | Medical device software |
| Industry 4.0 | IEC 62443 | PLC firmware |
| Standard | Microsoft Authenticode | Windows SmartScreen |

----

===== Windows Authenticode Signing =====

<code powershell>
# Sign with SignTool and the PQ certificate (the PFX contains certificate and private key).
# /fd = file digest algorithm, /tr = RFC 3161 timestamp server, /td = timestamp digest algorithm
signtool sign /fd SHA256 /f codesign.pfx /p "Password" /tr http://timestamp.example.com /td SHA256 myapp.exe

# Verify the signature against the default Authenticode policy (/pa), verbose output (/v)
signtool verify /pa /v myapp.exe
</code>

----

===== Timestamp Servers =====

Important: Without a timestamp, a verifier can only judge the certificate against the current time, so the signature stops validating as soon as the certificate expires (and the binary would have to be re-signed). With an RFC 3161 timestamp the verifier checks the certificate as of the attested signing time, and the signature stays valid after expiry. Always use a timestamp server, and do not set the lifetimeSigning EKU unless you want the signature to expire with the certificate.
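
The following is an added example and not part of the original page or the WvdS library: it reproduces the issuance profile of the C# code above and the timestamp rule just described with Go's standard library crypto/x509, so it can be run and stepped through without the library. Assumptions: the CA, its key and the CSR are generated in memory as constructed stand-ins for codesign-ca.crt.pem, codesign-ca.key.pem and codesign.csr.pem; Ed25519 stands in for the post-quantum algorithm, because the profile (BasicConstraints, KeyUsage, EKU, SKI/AKI, AIA) does not depend on the key type; the OCSP URL is the page's placeholder; and instead of a real RFC 3161 exchange, signedAt plays the role of the time a timestamp token would attest. The same block also shows why the lifetimeSigning EKU from the table above defeats the timestamp.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Microsoft lifetimeSigning EKU (1.3.6.1.4.1.311.10.3.13); Go keeps it in UnknownExtKeyUsage.
var oidLifetimeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 3, 13}

func check(err error) { // fixture helper only
	if err != nil {
		panic(err)
	}
}

// setup builds constructed in-memory stand-ins for codesign-ca.crt.pem/.key.pem and codesign.csr.pem.
func setup() (*x509.Certificate, ed25519.PrivateKey, *x509.CertificateRequest) {
	caPub, caKey, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Code-Signing CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true, // Go derives the CA's SubjectKeyId from the key
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	check(err)
	ca, err := x509.ParseCertificate(caDER)
	check(err)
	_, reqKey, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "Example Software GmbH"}}, reqKey)
	check(err)
	csr, err := x509.ParseCertificateRequest(csrDER)
	check(err)
	return ca, caKey, csr
}

// issueCodeSigningCert applies the profile of the C# example: CSR signature check, 730 days,
// BasicConstraints CA=false, KeyUsage digitalSignature only, EKU codeSigning, SKI from the
// requester's key, OCSP URL in AIA (Go copies the AKI from the CA). extraEKU adds lifetimeSigning.
func issueCodeSigningCert(csr *x509.CertificateRequest, ca *x509.Certificate, caKey ed25519.PrivateKey,
	notBefore time.Time, extraEKU ...asn1.ObjectIdentifier) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil { // proof of possession of the request key
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // random 127-bit serial
	if err != nil {
		return nil, err
	}
	skid := sha1.Sum(csr.RawSubjectPublicKeyInfo) // key identifier over the SubjectPublicKeyInfo
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               csr.Subject,
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(0, 0, 730),
		KeyUsage:              x509.KeyUsageDigitalSignature, // no keyEncipherment, no keyCertSign
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		UnknownExtKeyUsage:    extraEKU,
		BasicConstraintsValid: true, // IsCA stays false: end-entity certificate
		SubjectKeyId:          skid[:],
		OCSPServer:            []string{"http://ocsp.example.com"}, // placeholder URL from the page
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyCodeSignature applies the timestamp rule: with signedAt (what an RFC 3161 token attests) the
// chain is validated at signing time, otherwise at now. lifetimeSigning overrides the timestamp.
func verifyCodeSignature(leaf, ca *x509.Certificate, signedAt *time.Time, now time.Time) error {
	if signedAt != nil {
		for _, eku := range leaf.UnknownExtKeyUsage {
			if eku.Equal(oidLifetimeSigning) && now.After(leaf.NotAfter) {
				return x509.CertificateInvalidError{Cert: leaf, Reason: x509.Expired, Detail: "lifetimeSigning: expired despite timestamp"}
			}
		}
		now = *signedAt // validate the chain as of the attested signing time
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}) // chain must permit code signing
	return err
}
```

Calling verifyCodeSignature three years after issuance shows the three outcomes the note above describes: without signedAt the expired certificate fails, with signedAt it verifies, and a certificate issued with oidLifetimeSigning as extraEKU fails even with signedAt. A real verifier additionally validates the timestamp token's own signature and the TSA certificate before trusting the attested time.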

^ Server ^ URL ^ Protocol ^
| DigiCert | http://timestamp.digicert.com | RFC 3161 |
| Sectigo | http://timestamp.sectigo.com | RFC 3161 |
| GlobalSign | http://timestamp.globalsign.com | RFC 3161 |

----

===== Related Scenarios =====

^ Relationship ^ Scenario ^ Description ^
| Next Step | 8.2 Sign Code | Use certificate |
| Related | 8.3 Timestamp | Long-term validity |
| Prerequisite | 1.3 CA Hierarchy | Code-Signing CA |

----

« <- 3.2 Client Certificate | ^ Certificates Overview | 3.4 S/MIME Certificate -> »

----

Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional