Step 1 Get a Software Publisher Certificate (CAB)

Before you can sign files, you need to obtain a Software Publisher Certificate (SPC). To do this, you must make a request to a Certification Authority. During the application process, you must generate a key pair and provide the Certification Authority with identification information, such as your name, address, and public key. You must also make a legally binding pledge that you cannot and will not distribute software you know or should have known contains viruses or will otherwise maliciously harm the user's machine or code.

To apply for a certificate, see "Digital Certificates for Authenticode" at

http://msdn.microsoft.com/workshop/security/authcode/certs.asp

The Certification Authority generates a Software Publisher Certificate that conforms to the industry standard X.509 certificate format with Version 3 extensions. The certificate identifies you and contains your public key. The Certification Authority stores it for reference and a copy is returned to you via electronic mail. After accepting the certificate, you should include a copy of it in all published software signed with the private key.

Note: For testing purposes a test certificate is used for signing your CAB file. For more information, refer to Making a Test Software Publisher Certificate below.

Making a test Software Publisher Certificate

You can use the MAKECERT and CERT2SPC utilities provided in the CAB&SIGN directory on the Visual C++ 5.0 CD to make a test Software Publisher Certificate. Note that this test SPC is not valid for software publishing, but can be used to test code signing.

To make a private key file called MYKEY.PVK and a company certificate called CERT.CER, run the MAKECERT utility with the following command:

C:\CAB&SIGN\MAKECERT -u:MyKey -n:CN=MySoftwareCompany
  –k:MYKEY.PVK CERT.CER

MyKey is the name you give to your key and MySoftwareCompany is the name of your company. Note that the MAKECERT utility is case sensitive to command-line options, so you must use lowercase -u, -n, and -k. The value for the -n option must be an uppercase CN=.

To create a test Software Publisher Certificate (SPC) called CERT.SPC, run the CERT2SPC utility with the following command:

C:\CAB&SIGN\CERT2SPC C:\CAB&SIGN\ROOT.CER CERT.CER CERT.SPC

Note that the CERT.SPC file is created from the CERT.CER file you created with MAKECERT and from the ROOT.CER file provided in the CAB&SIGN directory.

Signing Cabinet Files

A .cab file can be digitally signed like an ActiveX control. A digital signature provides accountability for software developers: The signature associates a software vendor’s name with a given file. A signature is applied to a .cab file (or control) using Microsoft Authenticode Technology.

The CAB toolset assists software developers in applying digital signatures to CAB files by allowing a developer to allocate space in the CAB file for the signature (See Step 3 Signing the CAB File).