Skip to main content
Skip table of contents

MS Authenticode Signer

ENTERPRISE

The signer has the fully qualified class name: org.signserver.module.msauthcode.signer.MSAuthCodeSigner.

Overview

The MS Authenticode signer signs portable executable files such as Windows executables and shared libraries (.exe, .dll and .ocx etc) according to the Windows Authenticode Portable Executable Signature Format, and also Windows installer packages (.msi), PowerShell scripts (.ps1, .psm1 and .psd1), Windows Catalog Files (.cat), and Cabinet archives (.cab). The signature can optionally include a timestamp response from a TSA using the RFC#3161, or legacy Authenticode format. For more information, see Time Stamp Signer.

MSI files larger than 2 GB are currently not supported.

Available Properties

Property

Default

Description

ALLOW_ENCODING_OVERRIDE

False

(Optional) Specifies if the requestor can override the encoding by supplying it as a request metadata property.

ALLOW_PROGRAM_NAME_OVERRIDE 

False

(Optional) Specifies if the requestor can override the program name by supplying it as a request metadata property.

ALLOW_PROGRAM_URL_OVERRIDE

False

(Optional) Specifies if the requestor can override the program URL by supplying it as a request metadata property.

DIGESTALGORITHM 

SHA256

(Optional) Algorithm for the digest of the binary.

DO_LOGRESPONSE_DIGEST 

True

(Optional) If a digest of the response should be computed and logged.

DO_LOGREQUEST_DIGEST 

True

(Optional) If a digest of the request should be computed and logged.

ENCODING

utf-8

(Optional) Sets the character encoding when signing PowerShell scripts (.ps1).

LOGRESPONSE_DIGESTALGORITHM 

SHA256

Algorithm used to create the message digest (hash) of the response document to put in the log.

LOGREQUEST_DIGESTALGORITHM 

SHA256

Algorithm used to create the message digest (hash) of the request document to put in the log.

KEEPSIGNATURES

True

(Optional) True if existing signature should be kept.

Property only available when signing PE and PS1 file types.

PROGRAM_NAME

None

(Optional) Specifies the program name to embed in the signature.

PROGRAM_URL 

None

(Optional) Specifies the program URL to embed in the signature.

SIGNATUREALGORITHM 

Depends on the signing key

(Optional) Signature algorithm. The default depends on the signing key:

  • SHA256withRSA

  • SHA256withDSA

  • SHA256withECDSA

TIMESTAMP_FORMAT 

RFC3161

Specifies the timestamp format to use. Allowed values:

  • RFC3161 (Default)

  • AUTHENTICODE

If the value AUTHENTICODE is set, a legacy Authenticode timestamp signer is assumed, rather than a standard RFC3161-compliant one.

TSA_PASSWORD 

None

Login password used if the TSA uses HTTP Basic Auth. Required if TSA_USERNAME is specified.

TSA_URL 

None

(Optional) Specifies the URL of external (Authenticode or RFC#3161) time-stamp authority.

TSA_URL cannot be combined with TSA_WORKER.

TSA_USERNAME 

None

(Optional) Specifies the login username used if the TSA uses HTTP Basic Auth.

TSA_WORKER 

None

(Optional) Worker ID or name of internal (Authenticode or RFC#3161) time-stamp signer in the same SignServer.

TSA_WORKER cannot be combined with TSA_URL.

Request Properties

This worker can accept the following request metadata properties, given that they are configured to be allowed:

Property

Description

ENCODING

Overrides the encoding when signing PowerShell scripts (.ps1). Without ALLOW_ENCODING_OVERRIDE configured in the worker request, including this request property will not be allowed.

FILE_TYPE

Option to specify that the supplied file is using a specific file type. Normally, this is optional and the PE, MSI, and CAT file types are detected based on the content of the files and PS1 files are detected based on the file extension of the provided file name (if one). In order to support PowerShell scripts even if the file name is not provided or the extension is not one of .ps1, .psm1 or .psd1, the FILE_TYPE request property can be explicitly set in the request.
Supported values:

  • PE

  • MSI

  • PS1

  • CAT

PROGRAM_NAME 

Program name text to use instead of the configured one (if any). Specifying an empty value removes the configured program name. Without ALLOW_PROGRAM_NAME_OVERRIDE configured in the worker request, including this request property will not be allowed.

PROGRAM_URL 

Program URL to use instead of the configured one (if any). Specifying an empty value removes the configured program URL. Without ALLOW_PROGRAM_URL_OVERRIDE configured in the worker request, including this request property will not be allowed.

Worker Log Fields

Field

Description

FILE_TYPE

The type of file that was detected or requested to be signed.

REQUEST_DIGEST 

A message digest (hash) for the request document in hex encoding.

REQUEST_DIGEST_ALGORITHM

The name of the message digest (hash) algorithm used for the request digest in the log.

RESPONSE_DIGEST

A message digest (hash) for the response document in hex encoding.

RESPONSE_DIGEST_ALGORITHM

The name of the message digest (hash) algorithm used for the response digest in the log.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close