Creating a Signature

To create a digital signature from a file, run the file through a hash function, and then sign the resulting hash with a private key. An easy way to create a digital signature from a file is to use Signfile.exe, which is included in Microsoft Platform Builder. Signfile.exe is a tool for signing an executable file with a private key supplied by a cryptographic service provider (CSP).

Signfile.exe uses the Secure Hashing Algorithm (SHA) to compute the cryptographic hash. SHA generates a 20-byte hash from an arbitrarily sized byte string. Signfile.exe pads the hash as specified by Public-Key Cryptography Standards #1 (PKCS1) and encrypts it by using the RSA public key algorithm. The key modulus length can be from 512 through 1,024 bits. The resulting signature is the same size as the modulus. For example, the signature for a 1,024 bit key is 128 bytes. Signfile.exe then uses the ImageAddCertificate and ImageGetDigestStream Microsoft® Windows NT® functions to embed the signature in a portable executable (PE) file.

The following list shows the contents of the PE file memory:

  • MS-DOS header
  • Offset of PE header (offset 0x3c)
  • PE header
  • Section headers
  • Section
  • Debug information and certificates (if any)

The PE header begins with a 4-byte sequence, "PE\0\0", that identifies the MS-DOS® header. The MS-DOS header is followed by a standard Common Object File Format (COFF) header. This COFF header is followed by an optional header that is always present on Windows .exe and .dll files. The last field in a PE header is an optional data directory table. The following table shows the size of the PE header elements.

PE header element Size
"PE\0\0" 4 bytes
COFF header 20 bytes
Optional header; standard for Windows files 96 bytes
Optional header; data directory table Size varies

Each entry in the data directory table consists of an IMAGE_DATA_DIRECTORY structure. The fifth structure in the data directory table contains certificate table information. This is stored in an array of WIN_CERTIFICATE structures. A certificate is a digitally signed statement that contains information about an entity and that entity's public key. Certificates are not loaded into memory as part of the PE file.

The following code example shows the format of a WIN_CERTIFICATE structure that is needed to support the PKCS1 standard.

typedef struct {
     // Standard WIN_CERTIFICATE fields (8 bytes)
     DWORD dwLength;
     WORD wRevision;
     WORD wCertificateType;    // = WIN_CERT_TYPE_PKCS1_SIGN
     // WIN_CERT_TYPE_PKCS1_SIGN fields follow
     DWORD cbSignedData;
     // optional signed attributes
     BYTE bSignedData[MAX_WIN_CERT_SIGN_DATA_LEN];
     BYTE bSign[MAX_RSA_KEY_BITS/8]; // PKCS1 signature
} PKCS1_MODULE_SIGN ;

Signfile.exe appends the WIN_CERTIFICATE structure to the end of the file and updates the file header accordingly. For sample Signfile.exe code, see %_WINCEROOT%\Public\Common\Oak\Tools\Signfile.

Last updated on Wednesday, April 13, 2005

© 2005 Microsoft Corporation. All rights reserved.