Thread: How to add a digital signature (code sign) to a VB6 DLL?

  1. #1

    Thread Starter
    Member
    Join Date
    Jan 2009
    Posts
    46

    How to add a digital signature (code sign) to a VB6 DLL?

    I have written a VB6 DLL as a companion to an Excel VBA program (the VBA loads as an Excel .xla file, it presents forms, and calls the DLL).

    I have been simply compiling the VB6 dll and placing it in the same program folder as my Excel VBA (.xla file) and after registering it they play together well it seems. I have been using INNO setup to create the installation setup file.

    But now it's time to go public with this commercial application and I realize now it would be best to purchase a certificate for code signing.

    Can anybody point me toward complete information on how to code sign;
    1) the VB6 DLL file
    2) the Excel VBA file (.xla),
    3) the INNO SETUP setup file

    Has anybody done something like this who can help me out?

    Can I code sign each one independently and then they will all play well together? Remember, I do not presently deploy my DLL as a package, I simply include it in the setup file and let INNO register it on the machine being installed on.

    I'm pretty sure I need to make changes to my registry to timestamp my signature so that it continues to work beyond 1 year. And I do see "Digital Signature" under VBA Tools so perhaps the VBA signing isn't very hard once I install a purchased certificate.

    But I don't see any menu option (or Help) in my installation of Visual Studio 6 Professional Edition (only the VB6 module is installed) that leads me to "Digital Signature" for a DLL and have found nothing about it on the web yet.

    I'd greatly appreciate it if somebody could help me out a bit with this. I'm getting nervous that my now "finished" (at long last) project will fall apart due to this code signing process.

    At Verisign I found the following:
    https://knowledge.verisign.com/suppo...R190&actp=LIST

    Windows XP/Windows 2000/Windows 2003
    To sign, use the SIGNTOOL.EXE utility. The SignTool tool is a command-line tool that digitally signs files, verifies signatures in files, or time stamps files. For information about why signing files is important, see Introduction to Code Signing. The tool is installed in the \Bin folder of the Microsoft Windows Software Development Kit (SDK) installation path.

    SignTool is available as part of the Windows SDK, which you can download from http://go.microsoft.com/fwlink/?linkid=84091
    You will also need your Digital ID file (generally called MyCredentials.spc) and your private key (MyPrivateKey.pvk).


    Not sure, but from what I've been able to find so far, it looks like the SIGNTOOL.EXE might be integrated with VISUAL STUDIO .NET and that I won't be able to use it from a DOS prompt (I gather that the "command-line" mentioned at VeriSign is a VisualStudio command-line).

    Any help would be much appreciated.
    Thanks in advance. --Brian
    Last edited by rummaging; Sep 18th, 2010 at 08:45 AM. Reason: rephrased question for more clarity about VB6 code signing in particular and incorporated info I've found since first posting.

  2. #2
    Super Moderator si_the_geek's Avatar
    Join Date
    Jul 2002
    Location
    Bristol, UK
    Posts
    41,929

    Re: Code signing an Excel VBA that calls a VB6 DLL?

    Thread moved from the 'Application Deployment' forum to the 'VB6 and Earlier' forum as requested (note that this question is valid in either forum, and to get a thread moved it is best to click the "report" icon on the left of the post, or PM a moderator)

  3. #3
    Frenzied Member some1uk03's Avatar
    Join Date
    Jun 2006
    Location
    London, UK
    Posts
    1,663

    Re: How to add a digital signature (code sign) to a VB6 DLL?

    Digital Signing did not exist when VB6 was released looooong time ago, which is why you won't find anything in the menu.

    You can use VeriSign or through the Microsoft website to sign your .EXE
    Have a look here:
    http://www.microsoft.com/whdc/driver...n/default.mspx
    http://msdn.microsoft.com/en-us/libr...61(VS.85).aspx
    http://www.verisign.co.uk/code-signing/

  4. #4

    Thread Starter
    Member
    Join Date
    Jan 2009
    Posts
    46

    Re: How to add a digital signature (code sign) to a VB6 DLL?

    Thanks some1uk03,

    I didn't think Digital Signing wasn't used back then. I'm using VB6 because I could take a large amount of existing code from an Excel VBA .xla file and move it to a VB6 with essentially no changes and, from my understanding, it is more secure from reverse engineering (crackers) than .NET.

    As mentioned, my VB6 project is a DLL, not an .exe. I hope that doesn't make a difference and that I'll be able to use Authenticode IF that's the way I have to go.

    I found all of the highlighted information below in a whitepaper by following your links.

    I'm not sure what applies to my DLL for distribution along with an authenticated VBA .xla file and an authenticated INNO SETUP file. I have no VB6 package to deploy.

    Can somebody confirm that I need to use Authenticode in the manner described in the whitepaper considering that I want to include my DLL in a digitally signed INNO SETUP file together with my digitally signed Excel .xla?

    http://www.microsoft.com/whdc/driver...henticode.mspx
    Signing a Driver Package with an Authenticode Digital Signature
    To sign a driver package with an Authenticode digital signature:
    • Obtain a digital certificate from a certificate authority.
    • Obtain the necessary CryptoAPI tools from Microsoft.
    • Create a catalog file for the driver package.
    • Sign and verify the catalog file.

    For general information about cryptographic security in Windows, see the topics on cryptography in the Platform SDK.


    ...and also

    Creating a Catalog File
    To create a catalog file for a driver package:
    • Specify the name of the catalog file in the INF file of the driver package by using a CatalogFile.Xxx entry in the Version section of the INF file.
    • Use the ChkINF tool or the INFCatReady tool to verify the INF file of the driver package. ChkInf is supplied with the DDK, and INFCatReady can be downloaded from the Windows Hardware Quality Lab at http://www.microsoft.com/hwdq/hwtest.
    • Copy all driver package files to a single directory.
    • Create an unsigned catalog file (.cat) for the driver package by using the MakeCat tool. The catalog file contains hashes and attributes of the driver package files. The MakeCat tool creates the catalog file based on the information in a catalog definition file that contains a list of the files to be cataloged and their attributes. For example, the following command creates a catalog file that is based on the information in the catalog definition file filename.cdf. (The filename.cdf file must be in the same directory as the files to be signed.)
    MakeCat -v -r <path to files to be signed>\<filename.cdf>
    For information about using MakeCat and creating catalog definition files, see http://msdn.microsoft.com/library/de...ty/makecat.asp and http://msdn.microsoft.com/library/de...ng_makecat.asp.
    • Include the catalog file in the driver package.
    Signing and Verifying the Catalog File
    To sign and verify a catalog file, do the following:
    • Sign the catalog file by using the SignTool tool. The following command runs the interactive signing wizard that SignTool supports:
    SignTool signwizard <CatFile>
    • Verify the catalog by using SignTool. A typical example of the command used to verify a signed catalog file is:
    SignTool /c <CatFile>


    I'm a little concerned about obtaining the proper versions of the programs to be compatible with a VB6 DLL and compatible with VB6 installed on my machine. Any additional pointers would be much appreciated.

    Thanks

  5. #5
    PowerPoster
    Join Date
    Feb 2006
    Posts
    24,482

    Re: How to add a digital signature (code sign) to a VB6 DLL?

    VS.Net is not required. Installing a recent Windows SDK will provide SignTool.exe as well as MakeCat.exe. Newer versions of the SDK offer newer versions of the tools.

    This looks like strictly a deployment issue, I see no VB6 issue here.

    You might try browsing through support documents from the certificate vendors, they have a vested interest in guiding people through the process.

    http://www.entrust.net/ssl-resources...ning_Guide.pdf

    This looks like a good quick overview too:

    http://www.tech-pro.net/code-signing...evelopers.html
    Last edited by dilettante; Sep 18th, 2010 at 03:08 PM.

  6. #6

    Thread Starter
    Member
    Join Date
    Jan 2009
    Posts
    46

    Re: How to add a digital signature (code sign) to a VB6 DLL?

    Thanks, dilettante. I'm very glad to hear there could be hope for this to work out. It does seem that there should be some way to bring older software (e.g. VB6 dlls or any other older dlls, etc.) up to date with code signing.

    The website http://www.tech-pro.net/ does not seem to exist (at least not right now for me). However, there is a cached version of the link you provided and I've copied that for further reading. Thank you. Are you able to reach tech-pro's website directly? And thanks for the other link.

    Do you (or anybody else) know whether all is supposed to work properly if I were to code sign my DLL, and code sign my Excel .xla, and then code sign the compiled distributable setup.exe that will be holding those two? By "work" I mean, from the user's perspective, it should work like other signed software and the Excel .xla will load along with its DLL if the user accepts my certificate (should only have to accept it once for the load of .xla with its .dll -- correct?).

    Do you (or anybody else) know whether the files getting digitally signed are modified in any way? I'm wondering whether my DLL will get modified by code signing such that it will need some special procedure to get it to run normally when called by my Excel VBA? Or does code signing simply create some kind of image of the file that will also include certificate information? Or maybe my files will be put into an encrypted wrapper by the code signing process and whatever handles code signing on Windows PCs will decrypt the files so that they will be the same as I created. If that's how it works, then there must be stand-alone software (e.g., signtool.exe) that will create whatever is necessary to link a certificate to specific files regardless of what was used to create those files. Can someone confirm whether that is in fact how code signing works? Or will something be inserted into my software that might make it not work?

    My compiled INNO setup.exe also holds a pdf manual and other text files. Do you (or anybody else) know if there is some special procedure for INNO to be code signed? I don't see anything in INNO's help about digitally signing a setup.exe file. Or is the procedure the same as for the DLL (signtool.exe, etc.)? Admittedly, I haven't searched very much yet about INNO code signing, but perhaps someone can share their first-hand experience as related to my project as described?
    Last edited by rummaging; Sep 18th, 2010 at 06:03 PM. Reason: a

  7. #7
    PowerPoster
    Join Date
    Feb 2006
    Posts
    24,482

    Re: How to add a digital signature (code sign) to a VB6 DLL?

    Originally posted by rummaging:
    The website http://www.tech-pro.net/ does not seem to exist (at least not right now for me). However, there is a cached version of the link you provided and I've copied that for further reading. Thank you. Are you able to reach tech-pro's website directly?
    I just clicked it in the post above and it came up fine here.

    As for the other points...

    I doubt the VB6-authored DLL will need to be signed at all. Once installed and registered it should be treated by Excel/VBA as any other component library on the system I should think.

    I believe the signature block is added to a PE file (EXE, DLL) as a resource. This should be transparent to your code. No idea about a signed XLA file.

    As for signing the Inno setup.exe, it should be like signing any other EXE or DLL. Just use SignTool unless (1.) it exceeds 300 MB, and (2.) you need this to work prior to XP SP3. Then you need to use MakeCat.
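
Added example, not part of any post in this thread: in a PE file (EXE or DLL) Authenticode stores the signature in the attribute certificate table that data directory entry 4 points to, appended after the image, and the signed digest skips the CheckSum field, that directory entry and the table itself. The Python sketch below uses a constructed minimal PE32 header and a dummy blob in place of a real PKCS#7 signature; the function names are illustrative, and the digest is a simplified form of the Authenticode hash that assumes the table is the last thing in the file.

```python
import hashlib
import struct

def _pe_fields(data):
    """Return file offsets of the CheckSum field and of data directory entry 4."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                    # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):      # PE32 (what VB6 emits) or PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)
    return opt + 64, dirs + 8 * 4        # entry 4 = IMAGE_DIRECTORY_ENTRY_SECURITY

def find_signature(data):
    """Return (file_offset, size, revision, cert_type), or None if unsigned."""
    _, sec_entry = _pe_fields(data)
    offset, size = struct.unpack_from("<II", data, sec_entry)  # file offset, not RVA
    if offset == 0 or size == 0:
        return None
    if offset + size > len(data):
        raise ValueError("certificate table points outside the file")
    _length, revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return offset, size, revision, cert_type

def signed_content_digest(data):
    """SHA-256 over the bytes a signature covers (simplified; table assumed last)."""
    checksum, sec_entry = _pe_fields(data)
    offset, size = struct.unpack_from("<II", data, sec_entry)
    end = offset if offset and size else len(data)
    h = hashlib.sha256()
    h.update(data[:checksum])                # everything before CheckSum
    h.update(data[checksum + 4:sec_entry])   # skip the 4-byte CheckSum
    h.update(data[sec_entry + 8:end])        # skip directory entry and the table
    return h.hexdigest()

def build_sample_pe():
    """Constructed minimal PE32 image (headers plus filler), not a loadable DLL."""
    buf = bytearray(0x400)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)        # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x84, 0x14C, 0)   # Machine = i386, no sections
    struct.pack_into("<H", buf, 0x94, 224)         # SizeOfOptionalHeader
    struct.pack_into("<H", buf, 0x98, 0x10B)       # optional header magic: PE32
    struct.pack_into("<I", buf, 0x98 + 92, 16)     # NumberOfRvaAndSizes
    buf[0x200:0x400] = b"\x90" * 0x200             # filler standing in for code
    return bytes(buf)

def attach_dummy_signature(data, blob=b"CONSTRUCTED-NOT-A-REAL-PKCS7"):
    """Make the same structural changes signing makes, with a dummy blob."""
    _, sec_entry = _pe_fields(data)
    out = bytearray(data)
    out += b"\0" * (-len(out) % 8)                 # table starts 8-byte aligned
    # WIN_CERTIFICATE: dwLength, wRevision 0x0200, wCertificateType 2 (PKCS#7)
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    cert += b"\0" * (-len(cert) % 8)
    struct.pack_into("<II", out, sec_entry, len(out), len(cert))
    return bytes(out + cert)

if __name__ == "__main__":
    unsigned = build_sample_pe()
    signed = attach_dummy_signature(unsigned)
    print("unsigned:", find_signature(unsigned))
    print("signed:  ", find_signature(signed))
    # The code bytes are untouched, so the covered digest is identical.
    print(signed_content_digest(unsigned) == signed_content_digest(signed))
```

On a real signed DLL the bytes at the returned offset are a DER-encoded PKCS#7 SignedData structure, and a real signing tool also rewrites the CheckSum field, which the digest excludes.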

  8. #8
    PowerPoster
    Join Date
    Feb 2006
    Posts
    24,482

    Re: How to add a digital signature (code sign) to a VB6 DLL?

    I'm also pretty sure Authenticode signing dates back to IE 3.02 or so. It was discussed when VB5 CCE came out (late 1996 I think). It just never got the chance to be integrated into VB IDEs, the last of which was released in 1998.

    Shake your fist in the direction of Anders Hejlsberg.

  9. #9

    Thread Starter
    Member
    Join Date
    Jan 2009
    Posts
    46

    Re: How to add a digital signature (code sign) to a VB6 DLL?

    dilettante,

    Sorry, my mistake. http://www.tech-pro.net/ is an entry in my hosts-file which prevents my browsers from going to certain websites (but due to a config change, I didn't see the normal message saying access was being blocked).

    I guess it would be simpler for me to not have to code sign the DLL. I will have to sign the Excel file of course (this part should be easiest since code signing is supported right within Excel's VBA interface). But it seems I have to sign the setup.exe or it might not be trusted.

    I have to wonder, though, if the code signing process checks all files called by the Excel file to be sure they are also code signed (the DLL). Otherwise, it seems that someone could attach a malicious DLL to a code signed Excel .xla file. If code signing the DLL would be a pain, and if I don't need to, then great, I won't.

    I would like to support pre-XP SP3. I hope the process doesn't get too hairy because of that.

    Have you ever used signtool.exe? If so, were there any gotchas or stuff that wasn't straightforward that you could point out?

  10. #10
    PowerPoster
    Join Date
    Feb 2006
    Posts
    24,482

    Re: How to add a digital signature (code sign) to a VB6 DLL?

    I'm not sure how an installed DLL is "attached to" an XLA file. Signing the DLL should be simple enough though.

    I haven't used Microsoft's tools for a long time myself, back when we needed DLLs and OCXs signed for use in IE pages. It was pretty basic stuff though and I don't remember any snags. The only issue was making sure we used a CA users were likely to have in their browser's list as trusted.

  11. #11

    Thread Starter
    Member
    Join Date
    Jan 2009
    Posts
    46

    Re: How to add a digital signature (code sign) to a VB6 DLL?

    dilettante, "attached" => the DLL is one of the files referenced in the Excel VBA .xla file. Your help is much appreciated.

  12. #12

    Thread Starter
    Member
    Join Date
    Jan 2009
    Posts
    46

    Re: How to add a digital signature (code sign) to a VB6 DLL?

    If anyone reading this thread has code signed a VB6 DLL it would be great to hear from you about how that went for you.

    Even better would be to hear from someone who has code signed a VBA file that referenced a VB6 DLL (or other DLL) -- especially if you delivered your project in a setup.exe file and code signed that as well.

  13. #13
    Frenzied Member some1uk03's Avatar
    Join Date
    Jun 2006
    Location
    London, UK
    Posts
    1,663

    Re: How to add a digital signature (code sign) to a VB6 DLL?

    As far as I know you also need a company to be able to Digitally Sign, or I may be wrong.
    Also you don't need to sign the Inno Setup file, just your .DLL it seems.

    Also why do you need to sign your .dll in the first place if an .XLA file is to use it?

  14. #14

    Thread Starter
    Member
    Join Date
    Jan 2009
    Posts
    46

    Re: How to add a digital signature (code sign) to a VB6 DLL?

    some1uk03,

    You asked:
    Also why do you need to sign your .dll in the first place if an .XLA file is to use it?
    I don't know that I do need to sign the .dll. I have made an assumption that it was necessary in order for the code signing to complete successfully for the .xla since the .dll is referenced in the .xla. I assumed that there wouldn't be enough actual security for the user if someone could take my .xla file and pair it up with a malicious .dll that they wrote and then redistributed it together with my digital signature intact for the .xla. But maybe it's true that I don't need to code sign the .dll -- I don't know.

    My product will be sold mostly to companies and I want them to be able to trust that everything came from me. So, I would need to code sign the .xla so Excel will be kind to it when loading. And I need to code sign the setup.exe so that the whole distribution package can be trusted (by default, the .dll within the signed setup.exe can therefore also be trusted by the user). That should be enough. So I need something to sign the setup.exe --and once I have that, I can use it to sign the .dll (presumably) if I needed to.

    I'm still hoping to hear from someone who has had first hand experience with code signing an executable, or dll, or VBA (without needing to use Visual Studio .NET). Can anybody point me to additional good forums where I can also ask this question?

    Would it be okay to post a link at "Office Development" and "Application Deployment" of this forum to point people over to this thread?
    Last edited by rummaging; Sep 19th, 2010 at 09:46 AM. Reason: questioning whether to cross post to Office Development & Application Deployment

  15. #15
    Frenzied Member some1uk03's Avatar
    Join Date
    Jun 2006
    Location
    London, UK
    Posts
    1,663

    Re: How to add a digital signature (code sign) to a VB6 DLL?

    You don't need to sign your deployment package. (InnoSetup)

  16. #16
    Super Moderator si_the_geek's Avatar
    Join Date
    Jul 2002
    Location
    Bristol, UK
    Posts
    41,929

    Re: How to add a digital signature (code sign) to a VB6 DLL?

    If it doesn't cost anything to sign extra items, I would recommend signing them just to be on the safe side.

    I know that Windows tells me about the certificate state of an installer when I run it (if it was downloaded, not sure about other situations), so I would definitely recommend signing that.

  17. #17
    Frenzied Member some1uk03's Avatar
    Join Date
    Jun 2006
    Location
    London, UK
    Posts
    1,663

    Re: How to add a digital signature (code sign) to a VB6 DLL?

    If it doesn't cost anything to sign extra items, I would recommend signing them just to be on the safe side.
    It does. They didn't do it so you purchase a certificate and then sign any of your .EXE/.Dlls.
    But it's a cost per item structure, so yes you need to pay for each item to get it signed.

  18. #18

    Thread Starter
    Member
    Join Date
    Jan 2009
    Posts
    46

    Re: How to add a digital signature (code sign) to a VB6 DLL?

    dilettante,

    You said:
    Just use SignTool unless (1.) it exceeds 300 MB, and (2.) you need this to work prior to XP SP3. Then you need to use MakeCat.
    I found what appears to be a pretty good link for explaining what tools I have to use (how to get them, how to install, etc.).

    http://www.wiscocomputing.com/articles/code-signing.htm

    However, even though this link refers to XP SP2 support, I do not see mention of MakeCat.exe. It's so hard to find definitive documents about specifically what is needed for digitally signing.

    Could you take a quick glance at the link above and tell me how (where) MakeCat comes into the picture? If you could provide additional information about MakeCat it would be much appreciated. For instance, do you know why I would need to use a Catalog file if I'm signing with an XP SP2?

    Could it be that I don't need a Catalog File because I'm only signing a .dll and a .exe (it's the install.exe that contains the .dll)?

    I found the following in a MS Authenticode.doc at the following link. But I'm not sure why this isn't mentioned in the other link (above) in this post:
    http://www.microsoft.com/whdc/driver...henticode.mspx

    Obtaining Code-Signing Tools
    You should use the MakeCat and SignTool CryptoAPI tools that are provided in the Platform SDK. MakeCat is used to create a catalog file, and SignTool is used to sign and verify a catalog file. (You can also use the legacy tools SignCode and ChkTrust to sign and verify a catalog file.)
    Creating a Catalog File
    To create a catalog file for a driver package:
    • Specify the name of the catalog file in the INF file of the driver package by using a CatalogFile.Xxx entry in the Version section of the INF file.
    • Use the ChkINF tool or the INFCatReady tool to verify the INF file of the driver package. ChkInf is supplied with the DDK, and INFCatReady can be downloaded from the Windows Hardware Quality Lab at http://www.microsoft.com/hwdq/hwtest.
    • Copy all driver package files to a single directory.
    • Create an unsigned catalog file (.cat) for the driver package by using the MakeCat tool. The catalog file contains hashes and attributes of the driver package files. The MakeCat tool creates the catalog file based on the information in a catalog definition file that contains a list of the files to be cataloged and their attributes. For example, the following command creates a catalog file that is based on the information in the catalog definition file filename.cdf. (The filename.cdf file must be in the same directory as the files to be signed.)
    MakeCat -v -r <path to files to be signed>\<filename.cdf>
    For information about using MakeCat and creating catalog definition files, see http://msdn.microsoft.com/library/de...ty/makecat.asp and http://msdn.microsoft.com/library/de...ng_makecat.asp.
    • Include the catalog file in the driver package.
    Signing and Verifying the Catalog File
    To sign and verify a catalog file, do the following:
    • Sign the catalog file by using the SignTool tool. The following command runs the interactive signing wizard that SignTool supports:
    SignTool signwizard <CatFile>
    • Verify the catalog by using SignTool. A typical example of the command used to verify a signed catalog file is:
    SignTool /c <CatFile>
    Last edited by rummaging; Sep 21st, 2010 at 07:20 PM. Reason: added line about maybe not needing MakeCat if only signing two files.

  19. #19

    Thread Starter
    Member
    Join Date
    Jan 2009
    Posts
    46

    Re: How to add a digital signature (code sign) to a VB6 DLL?

    dilettante,

    You said:
    As for signing the Inno setup.exe, it should be like signing any other EXE or DLL. Just use SignTool unless (1.) it exceeds 300 MB, and (2.) you need this to work prior to XP SP3. Then you need to use MakeCat.
    Perhaps somehow you got that from the following provided by MS:
    http://msdn.microsoft.com/en-us/libr...64(VS.85).aspx
    Note When signing an executable file that is larger than approximately 300 megabytes for use on a computer running Windows XP with SP2 and later, you should use catalog signing with the MakeCat tool rather than use the SignTool tool. Depending on the available system resources of the computer on which the file is verified, some applications may not be able to verify the binary signature of a large file. For more information, see KB article 922225.
    The way I read that is:
    1) I don't need to use MakeCat UNLESS the file to be signed is larger than 300MB and that signed file will be used on an XP SP2 (or SP3) machine.

  20. #20
    PowerPoster
    Join Date
    Feb 2006
    Posts
    24,482

    Re: How to add a digital signature (code sign) to a VB6 DLL?

    That's why I said (1.) and (2.) above.

    From what I read only XP before SP3 requires MakeCat for a large signed EXE. However it may have been old info prior to XP SP3, i.e. what I read may have been quoting an older version of the MSDN article.

    I think you're right: XP and earlier versions of Windows may have trouble with a large signed EXE unless it was built using MakeCat.

  21. #21

    Thread Starter
    Member
    Join Date
    Jan 2009
    Posts
    46

    Re: How to add a digital signature (code sign) to a VB6 DLL?

    dilettante,

    I've been darting around reading snippets trying to hit something that immediately caught my attention pertaining to signing with an XP SP2 machine. I see that in haste I misinterpreted your post.

    I'm in the process of getting a 1yr certificate from Comodo for $75 through Tucows. I'll see if I can make the time to report back here about how it all goes.

    So far, for XP SP2, Comodo support recommended I use the signtool.exe included in the Platform SDK downloaded as file "PSDK-x86.exe" (for my 32bit system) found at:
    http://www.microsoft.com/downloads/e...displaylang=en.

    And I'm hoping that this link proves to have been useful about what's needed and how to install the tools.
    http://www.wiscocomputing.com/articles/code-signing.htm

    Thanks for everybody's input about this.
    Last edited by rummaging; Sep 23rd, 2010 at 10:54 PM.
