Skip to main content
Skip table of contents

MS Authenticode CMS Signer

ENTERPRISE

The signer has the fully qualified class name: org.signserver.module.msauthcode.signer.MSAuthCodeCMSSigner.

Overview

The MS Authenticode CMS signer is special-purpose version of the extended CMS signer, producing Authenticode-compatible CMS signatures suitable for embedding into portable executables (.exe, .dll), MSI installer packages, and Cabinet archives (.cab). This is intended for use with client-side hashing, where a client does the hashing of the original file and requests this hash to be signed by SignServer, giving a resulting signature which is then inserted into the resulting output file by the client.

This signer has all the properties of the Extended CMS Signer, and also the same Authenticode-specific properties as the MS Authenticode Signer. Note however that setting CONTENTOID or allowing overriding content OID (by setting ALLOW_CONTENTOID_OVERRIDE to true) is not supported (as the content OID will be set to be compatible with Authenticode specification). Note also that setting DER_RE_ENCODE is not supported (as the sign method is overwritten to implement an authenticode-style signing). The resulting data structure will always be DER encoded.

The signdocument command can be used with client-side hashing and construction to sign a portable executable or MSI installer by hashing on the client-side, signing the hash server-side using this signer, and finally assembling the final signed binary or installer on the client-side. For more information, see Client-Side Hashing.

The MS Authenticode CMS signer only supports RFC#3161 timestamps (and not the legacy Authenticode timestamp format).

Available Properties

PropertyDescription
PROGRAM_NAMEProgram name to embed in the signature. Optional, default: none.
ALLOW_PROGRAM_NAME_OVERRIDE If the requestor should be able to override the program name by supplying it as a request metadata property. Optional, default: false.
PROGRAM_URL Program URL to embed in the signature. Optional, default: none.
ALLOW_PROGRAM_URL_OVERRIDEIf the requestor should be able to override the program URL by supplying it as a request metadata property. Optional, default: false.

Request Properties

This worker can accept the following request metadata properties, given that they are configured to be allowed:

FieldDescription
FILE_TYPEThe file type for which the signature should be used in. Currently supported values are PE (for portable executables, such as Windows .exe and .dll files), MSI (for Windows installers), PS1 (for PowerShell scripts), or CAB (for Cabinet archives). This affects the layout of the content in the CMS structure. If not specified, PE is assumed.
PROGRAM_NAME Program name text to use instead of the configured one (if any). Specifying an empty value removes the configured program name. Without ALLOW_PROGRAM_NAME_OVERRIDE configured in the worker request, including this request property will not be allowed.
PROGRAM_URL Program URL to use instead of the configured one (if any). Specifying an empty value removes the configured program URL. Without ALLOW_PROGRAM_URL_OVERRIDE configured in the worker request, including this request property will not be allowed.

Algorithm Support

For information on supported algorithms, see MS Authenticode Signer Algorithm Support.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.