Mono's Security Tools - TESTS
Last updated: June 13, 2006

Here's a short description on how to test any changes in the Authenticode tool
set. This set includes makecert, cert2spc, signcode and chktrust.

This is a _minimal_ sequence. Each input/output could be tested under Linux
and Windows to ensure maximum compatibility.

% cd /mcs/tools/security

% mono setreg.exe 1 TRUE
% cp signcode.exe test.exe

1. Create a test certificate for code-signing

% mono makecert.exe -n "CN=careful tester" -sv test.pvk test.cer

Mono MakeCert - version 1.1.15.0
X.509 Certificate Builder
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell. BSD licensed.

2. Convert the test certificate to the SPC format

% mono cert2spc.exe test.cer test.spc

Mono Cert2Spc - version 1.1.15.0
Transform a set of X.509 certificates and CRLs into an Authenticode(TM) "Software Publisher Certificate"
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell. BSD licensed.

3. Sign a PE binary (without a timestamp)

% mono signcode.exe -v test.pvk -spc test.spc test.exe

Mono SignCode - version 1.1.15.0
Sign assemblies and PE files using Authenticode(tm).
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell. BSD licensed.

4. Verify the binary from step 3

% mono chktrust.exe test.exe

Mono CheckTrust - version 1.1.15.0
Verify if an PE executable has a valid Authenticode(tm) signature
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell. BSD licensed.

WARNING! test.exe is not timestamped!
SUCCESS: test.exe signature is valid
and can be traced back to a trusted root!

*** note the warning about the missing timestamp ***

5. Verify the binary from step 3 using MS tools [1]

a. Using Windows Explorer, right click on the test.exe file and select
the "Properties" menu item;
b. From the "test.exe Properties" window select the "Digital
c. You should see "careful tester" as the "Name of signer", select it
and click on the "Details" button;
d. Unless you have created your test certificate with MS tools you
should see an error (white X on a red circle) with a description
saying "The certificate in the signature cannot be verified.";
e. You should NOT see any countersignature;

6. Add a timestamp to the binary from step 3

% mono signcode.exe -x -t http://timestamp.verisign.com/scripts/timstamp.dll test.exe

Mono SignCode - version 1.1.15.0
Sign assemblies and PE files using Authenticode(tm).
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell. BSD licensed.

7. Verify the binary from step 6

% mono chktrust.exe test.exe

Mono CheckTrust - version 1.1.15.0
Verify if an PE executable has a valid Authenticode(tm) signature
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell. BSD licensed.

SUCCESS: test.exe signature is valid
and can be traced back to a trusted root!

*** note that there is NO warning this time ***

8. Verify the binary from step 6 on Windows [1]

a. Follow step 5 from 'a' to 'd'
b. This time you should see a countersignature;

9. Sign a PE binary with a timestamp

% mono signcode.exe -v test.pvk -spc test.spc -t http://timestamp.verisign.com/scripts/timstamp.dll test.exe

Mono SignCode - version 1.1.15.0
Sign assemblies and PE files using Authenticode(tm).
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell. BSD licensed.

10. Verify the binary from step 9

% mono chktrust.exe test.exe

Mono CheckTrust - version 1.1.15.0
Verify if an PE executable has a valid Authenticode(tm) signature
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell. BSD licensed.

SUCCESS: test.exe signature is valid
and can be traced back to a trusted root!

11. Verify the binary from step 9 on Windows [1]

a. Follow step 5 from 'a' to 'd'
b. This time you should see a countersignature;

12. Add (another) timestamp to the binary from step 9

% mono signcode.exe -x -t http://timestamp.verisign.com/scripts/timstamp.dll test.exe

Mono SignCode - version 1.1.15.0
Sign assemblies and PE files using Authenticode(tm).
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell. BSD licensed.

13. Verify the binary from step 12

Mono CheckTrust - version 1.1.15.0
Verify if an PE executable has a valid Authenticode(tm) signature
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell. BSD licensed.

SUCCESS: test.exe signature is valid
and can be traced back to a trusted root!

14. Verify the binary from step 12 on Windows [1]

a. Follow step 5 from 'a' to 'd'
b. This time you should see TWO (2) countersignatures, the same one as
step 11 and a new one;

% mono setreg.exe 1 FALSE

[1] this step must be done on Windows using MS Authenticode(r) tools.
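
The chktrust checks in steps 4, 7, 10 and 13 can be scripted rather than read by eye. The following is an added example, not part of Mono's test notes; the function names and the STEP4_SAMPLE variable are made up for illustration, and the matched strings are the ones quoted in the chktrust output above.

```shell
#!/bin/sh
# Added example (not from Mono's TESTS file): compare chktrust output with
# what verification steps 4, 7, 10 and 13 say to expect.

# Reads chktrust output on stdin and prints valid-timestamped,
# valid-untimestamped or invalid. Patterns are the strings quoted above.
classify_chktrust() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^[[:space:]]*SUCCESS: .* signature is valid' ||
        { echo invalid; return 0; }
    printf '%s\n' "$out" | grep -q 'can be traced back to a trusted root!' ||
        { echo invalid; return 0; }
    if printf '%s\n' "$out" | grep -q '^[[:space:]]*WARNING! .* is not timestamped!'; then
        echo valid-untimestamped
    else
        echo valid-timestamped
    fi
}

# Expected classification for each verification step of the sequence.
expected_for_step() {
    case "$1" in
        4)       echo valid-untimestamped ;;   # signed without -t
        7|10|13) echo valid-timestamped ;;     # after signcode ... -t
        *)       echo "unknown step: $1" >&2; return 2 ;;
    esac
}

# check_step STEP: reads chktrust output on stdin, returns 0 on a match.
check_step() {
    want=$(expected_for_step "$1") || return 2
    got=$(classify_chktrust)
    if [ "$got" = "$want" ]; then
        echo "step $1: ok ($got)"
    else
        echo "step $1: FAIL (want $want, got $got)" >&2
        return 1
    fi
}

# Constructed sample: the chktrust result lines quoted under step 4.
STEP4_SAMPLE='WARNING! test.exe is not timestamped!
SUCCESS: test.exe signature is valid
and can be traced back to a trusted root!'

# Real run (assumes mono and chktrust.exe in the current directory):
#   mono chktrust.exe test.exe | check_step 4
```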