Signing a Win32 Script File with Authenticode tools

M. Gallant 06/10/2002

Windows Script 5.6 introduces the capability to digitally sign Win32 script files (wsf, vbs, vbe, js, jse) in addition to the file types previously supported for Authenticode signatures (.exe, .dll, .ocx, .cab, .cat, .ctl). Much more comprehensive support for X509 certificates, signatures and encryption is available with the CAPICOM 2 Platform SDK redistributable. The script-signing functionality introduced with WSH 5.6 also provides this capability to the Microsoft Authenticode tool signcode.exe. To manually verify the integrity of a signed file, the Authenticode tool chktrust.exe can be used.

The example below shows a typical .vbs script, signed and time-stamped using this command:

signcode -cn "Security Development" -n "ShowMyShares Script" -t "http://timestamp.verisign.com/scripts/timstamp.dll" -i "http://www.nortelnetworks.com/help/certificates" ShowMyShares.vbs

When the signed script is manually verified using chktrust ShowMyShares.vbs, the following security screens are shown:


However, if even one character (including any whitespace) in the original script is changed in the file, the signed script verification fails with the following screens:




Note that "time stamping" ensures that the signature will continue to be recognized as valid, even after the code-signing certificate expires (typically 1 year from date of issuance). Note also that time-stamping increases the size of the signature block, since the VeriSign time-stamp certificates are appended.

The vbs script:

'****************************************************************
' File: ShowMyShares.vbs (WSH for VBscript)
' Author: (c) M. Gallant 10/04/2000
'
' Displays Windows Shared Network Resources
' Win95/98: Launches C:\windows\netwatch.exe if installed.
' WinNT/2000: Runs "net share" system command in DOS window.
'
'****************************************************************

Option Explicit
Dim WshShell, fso, WshEnvir, netwatch, netshare, environ

set WshShell = WScript.CreateObject("WScript.Shell")
set fso = WScript.CreateObject("Scripting.FileSystemObject")
set WshEnvir = WshShell.Environment("Process")
netwatch = "C:\Windows\netwatch.exe"
netshare = "%comspec% /K net share"

If WshEnvir("OS") = "Windows_NT" Then
  WshShell.Run netshare
ElseIf fso.FileExists(netwatch) Then
  WshShell.Run netwatch
Else
  WScript.Echo "File " & netwatch & " not found."
  WScript.Quit
End If
'------------------ End Script -----------------------------------
'' SIG '' Begin signature block
'' SIG '' [base64-encoded signature data omitted]
'' SIG '' End signature block
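
The signature block that signcode appends to a .vbs file is a run of comment lines, each prefixed with '' SIG '', carrying a base64-encoded PKCS #7 SignedData structure. The following is an added example, not code from the original page or from Microsoft: it separates the script body from that block and checks that the decoded bytes form one complete DER SEQUENCE beginning with the signedData OID. The function names and the tiny sample block are constructed for illustration, the sample is not a real signature, and only the VBScript comment form shown on this page is handled.

```python
import base64

PREFIX = "'' SIG '' "          # VBScript comment prefix on every signature line
BEGIN = PREFIX + "Begin signature block"
END = PREFIX + "End signature block"
# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS #7 signedData)
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")

def split_signed_script(text):
    """Return (script_body, signature_der); signature_der is None if unsigned."""
    raw = text.splitlines()
    lines = [line.rstrip() for line in raw]
    if BEGIN not in lines:
        return text, None
    start = lines.index(BEGIN)
    if END not in lines[start:]:
        raise ValueError("signature block is not terminated")
    end = lines.index(END, start)
    chunks = []
    for line in lines[start + 1:end]:
        if not line.startswith(PREFIX):
            raise ValueError("unexpected line inside signature block")
        chunks.append(line[len(PREFIX):])
    der = base64.b64decode("".join(chunks), validate=True)
    return "\n".join(raw[:start]), der   # body keeps its original whitespace

def der_header(data):
    """Parse one DER header; return (tag, content_offset, content_length)."""
    tag, first = data[0], data[1]
    if first < 0x80:                     # short form: length fits in one byte
        return tag, 2, first
    n = first & 0x7F                     # long form: next n bytes hold the length
    return tag, 2 + n, int.from_bytes(data[2:2 + n], "big")

def is_pkcs7_signed_data(der):
    """True if der is one complete SEQUENCE that starts with the signedData OID."""
    if len(der) < 2:
        return False
    tag, off, length = der_header(der)
    return (tag == 0x30 and off + length == len(der)
            and der[off:off + len(SIGNED_DATA_OID)] == SIGNED_DATA_OID)

def make_sample():
    """Constructed sample: a one-line script plus a tiny placeholder block."""
    content = SIGNED_DATA_OID + bytes.fromhex("a003020101")  # not a real signature
    der = b"\x30" + bytes([len(content)]) + content
    b64 = base64.b64encode(der).decode()
    sig = [PREFIX + b64[i:i + 12] for i in range(0, len(b64), 12)]
    return "\n".join(['WScript.Echo "hello"', BEGIN, *sig, END]) + "\n", der
```

This is a structural check only; it does not validate the signature or the certificate chain, which remains the job of chktrust.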