Tags: windows, email, digital-signature, signtool

How can I specify an E-Mail address when signing a binary file?


I'm using signtool to apply a digital signature to various .exe/.dll files. However, viewing the signed files in Windows Explorer shows that no E-Mail address is set, much like in this screenshot (I'm by no means affiliated with "Paramount Software UK Ltd." -- this screenshot is just the first result I found via Google):

Screenshot of Windows explorer showing signature details without e-mail address

However, I also saw other screenshots showing that it's somehow possible to define an E-Mail address (even if it's a bogus one, like in this case):

Screenshot of Windows explorer showing signature details including e-mail address

Is it possible to set this E-mail address via signtool, or is it actually a property of the certificate itself (i.e. it needs to be specified when purchasing a certificate)?


Solution

  • The email property is extracted from the emailAddress attribute in the subject distinguished name field of your certificate.

    You can make a test using openssl to generate a self-signed certificate (then you can generate a CSR with an emailAddress and send it to the certificate authority to get a valid end-entity certificate). To test it you can follow these steps:

    Generate a self-signed certificate using the following openssl command:

    openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
    

    Then you will be asked to enter the following parameters (all of them fields of the certificate's subject):

    (screenshot of the openssl prompts for the subject fields)

    To avoid this prompt you can directly specify the subject in the previous command using -subj as follows:

    openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -subj "/C=ES/ST=58/L=Barcelona/O=yourOrgName/OU=yourDept/CN=yourAppName/emailAddress=myEmail@test.com"
    

    Now you can generate a p12 (or pfx) from the generated key and cert using the following command:

    openssl pkcs12 -export -out myTestWithMail.pfx -inkey key.pem -in cert.pem
    

    Now you have a p12 (myTestWithMail.pfx) that you can use to sign an exe or dll using the following signtool command. For example, I sign notepad++.exe (as in the examples you link in your question):

    REM /fd SHA256 selects the file digest algorithm; recent signtool versions refuse to sign without it
    signtool.exe sign /f C:\Users\Albert\myTestWithMail.pfx /p 1234 /fd SHA256 "C:\Program Files (x86)\Notepad++\notepad++.exe"
    

    Note that /f is for the path of your signing key, and /p is the password for your key.

    Now you can see the email in the file you sign:

    (screenshot of the signature details of the signed file, now showing the email address)

    So finally, if you need a certificate from a certificate authority, you have to generate the CSR specifying emailAddress, for example using this openssl command:

    openssl req -new -newkey rsa:2048 -nodes -out yourAppName.csr -keyout yourAppName.key -subj "/C=ES/ST=58/L=Barcelona/O=yourOrgName/OU=yourDept/CN=yourAppName/emailAddress=myEmail@test.com"
    

    Or alternatively, without the -subj parameter, entering the correct values for the subject distinguished name when prompted:

    openssl req -new -newkey rsa:2048 -nodes -out yourAppName.csr -keyout yourAppName.key
    

    Hope this helps,
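The procedure from the answer above as one POSIX shell script, added here as an example and not part of the original answer: it generates the self-signed certificate with emailAddress in the subject, exports the PFX that signtool /f consumes, and then reads the emailAddress back out of both the PEM certificate and the PFX so you can confirm it survived the export before moving the file to Windows. It also generates a certificate without emailAddress to show the empty result that corresponds to the "no E-Mail address" case in the question. The functions (make_cert, make_pfx, subject_email, cert_email, pfx_email, demo), the subject values, the 1234 password, the file names and the <timestamp-url> placeholder are all assumptions; openssl 1.1.1 or newer is assumed for -addext. The PBE-SHA1-3DES/sha1 export options are a compatibility choice (assumed), because some older Windows builds cannot import the AES/PBKDF2-based PKCS#12 that OpenSSL 3 writes by default.

```shell
#!/bin/sh
# Added example, not from the original answer: build a self-signed code-signing
# certificate whose subject carries emailAddress, export it as a PFX for
# "signtool sign /f", and check that the address is really in the subject DN.
# Requires openssl (1.1.1+ for -addext). All names and values are assumptions.

# Test-only subjects. emailAddress (PKCS#9, OID 1.2.840.113549.1.9.1) is the
# attribute Windows Explorer shows as the signer's e-mail address.
SUBJ_WITH_MAIL="/C=ES/ST=58/L=Barcelona/O=yourOrgName/OU=yourDept/CN=yourAppName/emailAddress=myEmail@test.com"
SUBJ_NO_MAIL="/C=ES/ST=58/L=Barcelona/O=yourOrgName/OU=yourDept/CN=yourAppName"
PFX_PASS="1234"   # placeholder password, as in the answer above; never use in production

# make_cert DIR SUBJECT: self-signed cert (cert.pem) and key (key.pem) in DIR,
# with the code-signing EKU so Windows treats it as a signing certificate.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/key.pem" -out "$1/cert.pem" -subj "$2" \
        -addext "keyUsage=digitalSignature" \
        -addext "extendedKeyUsage=codeSigning" 2>/dev/null
}

# make_pfx DIR: bundle key and cert into DIR/myTestWithMail.pfx.
# SHA1/3DES PBE and a SHA-1 MAC are an assumed compatibility choice: some older
# Windows builds reject the AES/PBKDF2 PFX that OpenSSL 3 writes by default.
make_pfx() {
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/myTestWithMail.pfx" -passout "pass:$PFX_PASS" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
}

# subject_email: read a PEM certificate on stdin and print its emailAddress
# (empty if the subject has none). Tolerates both the "a = b, c = d" and the
# "/a=b/c=d" subject output styles of different openssl versions.
subject_email() {
    openssl x509 -noout -subject |
        sed -n 's/.*emailAddress *= *\([^,/]*\).*/\1/p'
}

# cert_email PEMFILE / pfx_email PFXFILE: emailAddress from the subject DN.
cert_email() { subject_email < "$1"; }
pfx_email() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$PFX_PASS" | subject_email
}

# Demo run: the address is present in the PEM and after export to PFX; a
# subject without emailAddress yields an empty string (the question's first
# screenshot). The final line is the assumed Windows-side invocation;
# <timestamp-url> is a placeholder for your CA's RFC 3161 timestamp server.
demo() {
    d=$(mktemp -d)
    make_cert "$d" "$SUBJ_WITH_MAIL" && make_pfx "$d" || return 1
    echo "cert.pem emailAddress: $(cert_email "$d/cert.pem")"
    echo "pfx      emailAddress: $(pfx_email "$d/myTestWithMail.pfx")"
    n=$(mktemp -d)
    make_cert "$n" "$SUBJ_NO_MAIL" || return 1
    echo "no-mail cert emailAddress: '$(cert_email "$n/cert.pem")'"
    echo "signtool sign /f $d/myTestWithMail.pfx /p $PFX_PASS /fd SHA256 /tr <timestamp-url> /td SHA256 target.exe"
}

demo
```

The check matters because the e-mail shown by Explorer is read from the signing certificate embedded in the Authenticode signature, so if emailAddress is missing from the certificate's subject there is no signtool option that can add it; for a CA-issued certificate the same check against the certificate the CA returns tells you, before you sign anything, whether the CA kept the emailAddress you put in the CSR.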