MS Signer

ENTERPRISE

The Microsoft Signer, MS Signer, signs Windows files in Microsoft Authenticode format. It supports all existing file types handled by the MS Authenticode Signer and APPX Signer, and adds support for additional file formats.

Fully qualified class name: org.signserver.module.msauthcode.mssigner.MSSigner.

Overview

The MS Signer signs Windows-related files using Microsoft Authenticode format. It supports signing of a wide range of file types, such as portable executable files (.exe, .dll), Windows installers (.msi), and so on. For the full list of supported file types, see Supported File Types.

Known Limitations: MS Signer is under active development. Some file formats and configurations may not behave as expected in the current release.

Signatures can optionally include a timestamp from a Timestamp Authority (TSA), using either the RFC#3161 format or the legacy Microsoft Authenticode timestamp format. For more information, see Timestamp Signer.

To download a sample configuration file for this Worker, see Sample Worker Configurations.

For information on the interfaces this Worker can be called through, see Supported Interfaces by Worker.

For a guide on signing code with the MS Signer, see Code Signing with Authenticode Signatures.

Supported File Types

The MS Signer supports signing the following file types (category, file type, extensions):

Portable Executable (PE)
  • Windows Executable: .exe
  • Dynamic Link Library: .dll
  • File types under testing: Extensible Firmware Interface (.efi)

Installation & Packaging
  • Windows Package: .appx, .msix, .appxbundle, .msixbundle
  • Microsoft Installer: .msi
  • Cabinet file: .cab
  • Catalog file: .cat

Scripts
  • PowerShell scripts: .ps1, .psd1, .psm1, .ps1xml
  • File types under testing: Visual Basic (.vbs, .vbe), JScript (.js, .jse), Windows (.wsf)

Package Managers
  • File types under testing: NuGet Package (.nupkg), Microsoft Dynamics 365 Extension (.navx)

Available Worker Properties

MS Signer supports both Common Signer Properties and Worker-specific properties. Each property is listed with its default value and description:

ALLOW_PROGRAM_NAME_OVERRIDE (default: False)
  (Optional) Specifies whether the requester can override the program name by supplying it as a request metadata property.

ALLOW_PROGRAM_URL_OVERRIDE (default: False)
  (Optional) Specifies whether the requester can override the program URL by supplying it as a request metadata property.

DIGESTALGORITHM (default: SHA256)
  (Optional) Algorithm for the digest of the binary.

DO_LOGRESPONSE_DIGEST (default: True)
  (Optional) Whether the digest of the response should be computed and logged.

DO_LOGREQUEST_DIGEST (default: True)
  (Optional) Whether the digest of the request should be computed and logged.

ENCODING (default: utf-8)
  (Optional) Sets the character encoding used when signing PowerShell scripts (.ps1, .psd1, .psm1, .ps1xml), Visual Basic scripts (.vbs, .vbe), JScript files (.js, .jse) and Windows script files (.wsf).

LOGRESPONSE_DIGESTALGORITHM (default: SHA256)
  Algorithm used to create the message digest (hash) of the response document that is put in the log.

LOGREQUEST_DIGESTALGORITHM (default: SHA256)
  Algorithm used to create the message digest (hash) of the request document that is put in the log.

KEEPSIGNATURES (default: True)
  (Optional) True if existing signatures should be kept.

PROGRAM_NAME (default: None)
  (Optional) Specifies the program name to embed in the signature.

PROGRAM_URL (default: None)
  (Optional) Specifies the program URL to embed in the signature.

SIGNATUREALGORITHM (default: depends on the signing key)
  (Optional) Signature algorithm. The default depends on the signing key:
  • SHA256withRSA
  • SHA256withDSA
  • SHA256withECDSA

TIMESTAMP_FORMAT (default: RFC3161)
  Specifies the timestamp format to use. Allowed values:
  • RFC3161 (default)
  • AUTHENTICODE
  If the value AUTHENTICODE is set, a legacy Authenticode timestamp signer is assumed rather than a standard RFC3161-compliant one.

TSA_PASSWORD (default: None)
  Login password used if the TSA uses HTTP Basic Auth. Required if TSA_USERNAME is specified.

TSA_URL (default: None)
  (Optional) Specifies the URL of an external (Authenticode or RFC#3161) time-stamp authority. TSA_URL cannot be combined with TSA_WORKER.

TSA_USERNAME (default: None)
  (Optional) Specifies the login username used if the TSA uses HTTP Basic Auth.

TSA_WORKER (default: None)
  (Optional) Worker ID or name of an internal (Authenticode or RFC#3161) time-stamp signer in the same SignServer. TSA_WORKER cannot be combined with TSA_URL.
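The properties above put together as a worker definition, written here as an added example rather than one of SignServer's own sample configuration files. It uses the worker-properties file layout that SignServer loads (the WORKERGENID1 prefix and the TYPE, IMPLEMENTATION_CLASS, CRYPTOTOKEN_IMPLEMENTATION_CLASS, NAME, AUTHTYPE and keystore keys are general SignServer conventions, not MS Signer properties); the keystore path and password, key alias, TSA worker name, TSA URL and credentials, and program name/URL are placeholders to replace.

```properties
# Added example: MS Signer worker definition (not a SignServer sample file).
# Placeholder values are marked; the MS Signer properties follow the table above.
WORKERGENID1.TYPE=PROCESSABLE
WORKERGENID1.IMPLEMENTATION_CLASS=org.signserver.module.msauthcode.mssigner.MSSigner
WORKERGENID1.CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.server.cryptotokens.KeystoreCryptoToken
WORKERGENID1.NAME=MSSigner
# NOAUTH is the sample-config default; a production worker should use a client
# authorizer so only intended build systems can request signatures.
WORKERGENID1.AUTHTYPE=NOAUTH

# Crypto token settings (placeholders: point these at the real code-signing key)
WORKERGENID1.KEYSTORETYPE=PKCS12
WORKERGENID1.KEYSTOREPATH=/path/to/codesign.p12
WORKERGENID1.KEYSTOREPASSWORD=changeit
WORKERGENID1.DEFAULTKEY=codesign

# MS Signer properties
WORKERGENID1.DIGESTALGORITHM=SHA256
WORKERGENID1.SIGNATUREALGORITHM=SHA256withRSA
WORKERGENID1.KEEPSIGNATURES=true
WORKERGENID1.ENCODING=utf-8
WORKERGENID1.PROGRAM_NAME=Example Application
WORKERGENID1.PROGRAM_URL=https://example.com/
# Keep overrides off unless requesters are trusted to set what the signature embeds
WORKERGENID1.ALLOW_PROGRAM_NAME_OVERRIDE=false
WORKERGENID1.ALLOW_PROGRAM_URL_OVERRIDE=false

# Timestamping through an internal TSA worker (placeholder worker name)
WORKERGENID1.TIMESTAMP_FORMAT=RFC3161
WORKERGENID1.TSA_WORKER=TimeStampSigner
# TSA_URL cannot be combined with TSA_WORKER. To use an external TSA instead,
# remove TSA_WORKER and set these (TSA_PASSWORD is required once TSA_USERNAME is given):
#WORKERGENID1.TSA_URL=https://tsa.example.com/tsa
#WORKERGENID1.TSA_USERNAME=tsa-user
#WORKERGENID1.TSA_PASSWORD=tsa-secret
```

The TIMESTAMP_FORMAT line only matters for which protocol the TSA speaks: leave it at RFC3161 for a standard TSA and set it to AUTHENTICODE only when the configured TSA_WORKER or TSA_URL is a legacy Authenticode timestamp signer.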

Request Metadata Properties

The MS Signer Worker can accept the following request metadata properties:

FILE_TYPE
  Option to specify that the supplied file is of a specific file type.

  The FILE_TYPE property is required for the following file types:
  • .appx, .msix, .appxbundle, .msixbundle
  • .ps1, .psd1, .psm1, .ps1xml
  • .vbs, .vbe, .js, .jse, .wsf
  • .nupkg

  All extensions of the supported file types are accepted as FILE_TYPE values (for example, FILE_TYPE=ps1 for a .ps1 script).

  SignClient Example:

    ./signclient signdocument \
        -workername MSSigner \
        -infile HelloPowerShell.ps1 \
        -outfile HelloPowerShell-Signed.ps1 \
        --metadata FILE_TYPE=ps1

  Client Web Example: (screenshot not reproduced)

PROGRAM_NAME
  Program name text to use instead of the configured one (if any). Specifying an empty value removes the configured program name. Without ALLOW_PROGRAM_NAME_OVERRIDE configured in the worker, including this request property will not be allowed.

PROGRAM_URL
  Program URL to use instead of the configured one (if any). Specifying an empty value removes the configured program URL. Without ALLOW_PROGRAM_URL_OVERRIDE configured in the worker, including this request property will not be allowed.
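The SignClient call above generalised into a small wrapper, as an added example that is not part of the SignServer documentation or of the signclient tool: it adds the FILE_TYPE metadata for every file type the table says requires it, leaves it out for the types the signer detects itself, only passes PROGRAM_NAME when the caller explicitly asks for it (the worker rejects it unless ALLOW_PROGRAM_NAME_OVERRIDE is on), and refuses to overwrite the unsigned input. Assumptions: signclient is at the path in SIGNCLIENT, the worker is named as in WORKER, and FILE_TYPE values are the extension without its leading dot, as in the documented FILE_TYPE=ps1 (the page shows only that value; the others follow the same pattern here).

```shell
#!/bin/sh
# Added example (not SignServer's own code): wrapper around "signclient signdocument"
# for the MS Signer. Assumed: SIGNCLIENT path, WORKER name, and that FILE_TYPE
# values equal the lower-cased extension without the dot (documented for ps1 only).

SIGNCLIENT="${SIGNCLIENT:-./signclient}"
WORKER="${WORKER:-MSSigner}"

# Lower-cased extension of a path, or empty when the file name has none.
extension_of() {
    base=$(basename -- "$1")
    case "$base" in
        *.*) printf '%s' "${base##*.}" | tr '[:upper:]' '[:lower:]' ;;
        *)   printf '' ;;
    esac
}

# FILE_TYPE value the MS Signer requires for this path, or empty for the
# types it detects by itself (PE files, .msi, .cab, .cat).
filetype_for() {
    ext=$(extension_of "$1")
    case "$ext" in
        appx|msix|appxbundle|msixbundle) printf '%s' "$ext" ;;   # Windows packages
        ps1|psd1|psm1|ps1xml)            printf '%s' "$ext" ;;   # PowerShell scripts
        vbs|vbe|js|jse|wsf)              printf '%s' "$ext" ;;   # other script types
        nupkg)                           printf '%s' "$ext" ;;   # NuGet packages
        *)                               printf '' ;;
    esac
}

# Sign one file, keeping the unsigned input intact. With DRY_RUN set, the
# command line is printed instead of executed so it can be reviewed.
# Returns non-zero for an in-place request or when no signed output appears.
sign_file() {
    infile="$1"; outfile="$2"
    if [ "$infile" = "$outfile" ]; then
        echo "refusing to sign $infile in place" >&2
        return 1
    fi
    set -- signdocument -workername "$WORKER" -infile "$infile" -outfile "$outfile"
    ft=$(filetype_for "$infile")
    if [ -n "$ft" ]; then
        set -- "$@" --metadata "FILE_TYPE=$ft"
    fi
    # PROGRAM_NAME is a request override; only send it when explicitly requested.
    if [ -n "${PROGRAM_NAME_OVERRIDE:-}" ]; then
        set -- "$@" --metadata "PROGRAM_NAME=$PROGRAM_NAME_OVERRIDE"
    fi
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$SIGNCLIENT $*"
        return 0
    fi
    "$SIGNCLIENT" "$@" || return 1
    [ -s "$outfile" ] || { echo "no signed output produced for $infile" >&2; return 1; }
}

# Usage: sh sign.sh [--dry-run] FILE...   (writes FILE with "-Signed" before the extension)
if [ "$#" -gt 0 ]; then
    if [ "$1" = "--dry-run" ]; then DRY_RUN=1; shift; fi
    for f in "$@"; do
        ext=$(extension_of "$f")
        if [ -n "$ext" ]; then out="${f%.*}-Signed.$ext"; else out="$f-Signed"; fi
        sign_file "$f" "$out" || exit 1
    done
fi
```

Running `sh sign.sh --dry-run HelloPowerShell.ps1 setup.exe` prints the two command lines without contacting the server: the script gets `--metadata FILE_TYPE=ps1`, the executable gets no FILE_TYPE, and both write to a new `-Signed` file so the original stays available for comparison.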
