Wednesday, March 18, 2009

Authenticode and Vista

This week at work our Authenticode signing certificate expired. The renewal process involves the Certificate Authority issuing us brand new keys. We had done this before, so I figured that it would not be a big deal. However, over the past year we have upgraded our entire development environment to Windows Vista.

Before I discuss the Vista situation, let me elaborate a little on what exactly Authenticode signing is. Basically, it is digitally signing software so that when an end user downloads and installs it, Windows can check who published the binary and that it has not been altered since it was signed. The Authenticode certificate is purchased from a 3rd party Certificate Authority whose root certificate Microsoft ships in the Windows trusted root store. Verisign is one such authority.

The digital signing technology uses public/private key pairs. The software company signs a hash of the executable with its private key, and the signature block embedded in the file (a PKCS#7 SignedData structure stored in the PE's security directory) carries the signer's certificate and its chain; that is how the public key travels with the software. Only the public key, plus a chain up to a trusted root, is needed to perform verification, so the private key never leaves the publisher. When the user runs the installer, Windows verifies the signature and, if everything checks out, the UAC prompt shows the verified publisher name instead of flagging the program as coming from an unidentified publisher.

The Certificate Authority delivers the keys to the software company as two separate files, a .pvk (private key) file and an .spc (Software Publisher Certificate) file; the .spc is a PKCS#7 container holding the certificate, and therefore the public key, together with the CA chain. To actually sign the software Microsoft provides a tool aptly named signtool.exe. However, this tool works best with .pfx files (PKCS#12 containers holding both the certificate and the private key). Microsoft provides a difficult to find tool called pvk2pfx.exe, which sits next to signtool in the Windows SDK and Driver Kit bin directories, that will merge the .pvk and .spc files into the required .pfx file. Two practical caveats: put a password on the .pfx, since it carries the private key in a portable form, and always pass a timestamp server (signtool's /t switch) when signing. A timestamped signature stays valid after the certificate expires, while an untimestamped one fails verification the day the certificate does, which is exactly the situation that started this story.
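The whole round trip (merge, sign with a timestamp, verify) as a PowerShell script. This is an added example, not the original post's or the author's script, and it assumes signtool.exe and pvk2pfx.exe are on the PATH; the file paths, product description and timestamp URL are placeholders to replace with your own.

```powershell
# Added example (not from the original post). Converts the CA-issued .pvk/.spc
# pair to a password-protected .pfx, signs an installer with a timestamp, and
# verifies the result twice. Assumptions: pvk2pfx.exe and signtool.exe are on
# PATH; every path and URL below is a placeholder.
$pvk    = 'C:\signing\company.pvk'   # private key file from the CA (assumed path)
$spc    = 'C:\signing\company.spc'   # certificate + chain from the CA (assumed path)
$pfx    = 'C:\signing\company.pfx'   # output; holds the private key, keep it off shared drives
$target = 'C:\build\Setup.exe'       # binary to sign (assumed path)
$tsaUrl = 'http://timestamp.example.invalid/authenticode'   # your CA's Authenticode timestamp URL (placeholder)

$pvkPassword = Read-Host 'Password the CA set on the .pvk'
$pfxPassword = Read-Host 'Password to put on the new .pfx'

# 1. Merge the two CA files into one PKCS#12 container.
#    -pi is the .pvk password, -po the password for the resulting .pfx.
#    pvk2pfx refuses to overwrite an existing .pfx unless you add -f.
& pvk2pfx -pvk $pvk -pi $pvkPassword -spc $spc -pfx $pfx -po $pfxPassword
if ($LASTEXITCODE -ne 0) { throw "pvk2pfx failed with exit code $LASTEXITCODE" }

# 2. Sign. /t adds an Authenticode timestamp countersignature so the signature
#    outlives the certificate; /d is the description shown to the user.
& signtool sign /f $pfx /p $pfxPassword /t $tsaUrl /d 'Example Product Setup' /v $target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 3. Verify with the default Authenticode policy (/pa), the same chain rules
#    Windows applies when the user runs the file.
& signtool verify /pa /v $target
if ($LASTEXITCODE -ne 0) { throw "signature on $target did not verify" }

# 4. Cross-check from PowerShell itself: Status must be Valid, and a missing
#    TimeStamperCertificate means step 2 did not actually get a timestamp.
$sig = Get-AuthenticodeSignature $target
if ($sig.Status -ne 'Valid') { throw "Get-AuthenticodeSignature reports $($sig.Status): $($sig.StatusMessage)" }
if ($sig.TimeStamperCertificate -eq $null) { Write-Warning "$target is signed but not timestamped; it will stop verifying when the certificate expires" }
"{0}: {1}, signed by {2}" -f $target, $sig.Status, $sig.SignerCertificate.Subject
```

Read-Host returns the passwords as plain strings because both tools take them on the command line; run the script from an interactive session rather than baking the passwords into a build file.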

Anyway, back to the Vista issue. These Certificate Authorities don't allow private keys to be downloaded normally. They instead rely on certificate enrollment functionality that is built into Windows and Internet Explorer (an ActiveX enrollment control driven by the CA's web page), which is why the process can't be done in Firefox. And Vista has changed the way that Certificate Enrollment works. In Windows XP, it was very simple: the XEnroll control could write the freshly generated private key straight to a .pvk file, so the user just selected a file location. In Vista, XEnroll was replaced by CertEnroll, which has no option to write a .pvk file at all. It generates the key pair inside the cryptographic provider's key store and places the pending request in the Certificate Enrollment Requests store. The private key therefore lives in a key container managed by the CSP (for the standard Microsoft RSA providers, a file under %APPDATA%\Microsoft\Crypto\RSA\<user SID>) rather than as a .pvk sitting on the file system where you can pick it up. Furthermore, unless the CA's enrollment page explicitly asks for an exportable key, the key is generated non-exportable; certmgr.msc will show the certificate, but the option to export the private key stays greyed out, which essentially traps the key on that particular computer.
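Before concluding the key is stuck, it is worth checking what Windows actually did with it. The script below is an added example, not the original post's or the author's code: it walks the current user's personal store and the pending-request store, reports which provider holds each private key, the key-container file name, and whether the key is exportable, and provides a small export helper for the case where it is. It assumes CSP (CAPI) keys, which is what the Vista enrollment control generated for Authenticode certificates, and the thumbprint, output path and password passed to the helper are placeholders.

```powershell
# Added example (not from the original post). Reports, for every certificate in
# CurrentUser\My and CurrentUser\REQUEST (shown in certmgr.msc as Certificate
# Enrollment Requests) whose private key is on this machine, where the key lives
# and whether Windows will let it be exported. Assumes CSP keys; a CNG key has no
# CspKeyContainerInfo and is reported as such.
$storeType = 'System.Security.Cryptography.X509Certificates.X509Store'

foreach ($storeName in 'My', 'REQUEST') {
    $store = New-Object $storeType($storeName, 'CurrentUser')
    $store.Open('ReadOnly')
    foreach ($cert in $store.Certificates) {
        if (-not $cert.HasPrivateKey) { continue }
        $provider = 'n/a'; $container = 'n/a'; $exportable = 'not a CSP key'
        try {
            $rsa = $cert.PrivateKey            # RSACryptoServiceProvider for CSP keys, $null for CNG
            if ($rsa -ne $null) {
                $info       = $rsa.CspKeyContainerInfo
                $provider   = $info.ProviderName
                # For the Microsoft RSA providers this is the file name under
                # %APPDATA%\Microsoft\Crypto\RSA\<user SID>\ ; there is no .pvk anywhere.
                $container  = $info.UniqueKeyContainerName
                $exportable = $info.Exportable    # False is the Vista trap the post describes
            }
        } catch {
            $exportable = "error: $($_.Exception.Message)"
        }
        "{0,-8} {1,-12} exportable={2} provider='{3}' container={4}" -f `
            $storeName, $cert.Thumbprint.Substring(0, 12), $exportable, $provider, $container
    }
    $store.Close()
}

# If the report says exportable=True you do not need pvk2pfx at all: export a
# .pfx directly and hand it to signtool. If the key is not exportable, Export()
# throws 'Key not valid for use in specified state' and the only fix is to
# re-enroll (on XP, or on a CA page that requests an exportable key).
function Export-SigningPfx([string]$thumbprint, [string]$outPath, [string]$password) {
    $store = New-Object $storeType('My', 'CurrentUser')
    $store.Open('ReadOnly')
    $found = $store.Certificates.Find('FindByThumbprint', $thumbprint, $false)
    $store.Close()
    if ($found.Count -eq 0) { throw "no certificate with thumbprint $thumbprint in CurrentUser\My" }
    $bytes = $found[0].Export('Pfx', $password)   # includes the private key only if it is exportable
    [System.IO.File]::WriteAllBytes($outPath, $bytes)
    "wrote $outPath ($($bytes.Length) bytes)"
}

# Usage (placeholder values): pick the thumbprint from the report above.
# Export-SigningPfx -thumbprint 'PASTE40HEXCHARSHERE' -outPath 'C:\signing\company.pfx' -password 'choose-a-real-one'
```

The REQUEST store entry for a pending request is a placeholder certificate linked to the same key container, so it shows up in the report with the same exportable flag the final certificate will have once the CA's response is installed.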

After some research, I contacted technical support at the Certificate Authority, and they immediately understood our issue (it must come up all the time). The only recommendation that they could provide was to redo the whole process over again in Windows XP. Thankfully we still have XP environments to be able to do this. It seems like Microsoft implemented this new behavior as a security "feature" without considering the implications for developers. I wonder if this will behave the same way in Windows 7?

1 comment:

jazar said...

We got burned by the same issue. I spent a couple of hours trying to find the pvk file. I also tried to export it, but it is not exportable. Now I see; Vista and IE7 don't make it available. I hope they don't expect us to spend over $500 for each machine that will sign code!