IntControl 93

Syntax:

IntControl(93, p1, p2, p3, 0)


Performs certificate operations.

p1   Meaning

0    Sign a file.
     p2 specifies a tab-delimited string with the following five parameters:
       • file to sign
       • certificate friendly name
       • description of file being signed (can be "" if not needed)
       • location (URL) of information about file (can be "" if not needed)
       • URL of timestamp server (can be "" if not needed)

1    Get the thumbprint of a certificate in a file.
     p2 specifies a .CER or .SPC file

2    Set the friendly name of a certificate.
     p2 specifies the thumbprint of a certificate
     p3 specifies the friendly name to set

3    Sign a file and use an RFC-3161-compliant timestamp server (Windows 8 or newer).
     p2 specifies a tab-delimited string with the following six parameters:
       • file to sign
       • certificate friendly name
       • description of file being signed (can be "" if not needed)
       • location (URL) of information about file (can be "" if not needed)
       • URL of RFC-3161-compliant timestamp server (can be "" if not needed)
       • timestamp server's hash algorithm: SHA1, SHA256, SHA384, or SHA512 (defaults to SHA256 if "" and ignored if no timestamp server is provided)

Note that when Microsoft implements "Phase Three" of their SHA-1 phase out, newer versions of Windows may treat signed files timestamped using a legacy SHA-1 hash timestamp server as untrusted once the signing certificate's expiration date has passed. Microsoft currently states that, "Long-term, Microsoft intends to distrust SHA-1 throughout Windows in all contexts. Microsoft is closely monitoring the latest research on the feasibility of SHA-1 attacks and will use this to determine complete deprecation timelines."

Also note that only SHA-1 Authenticode-timestamped files are recognized as trusted on Windows Vista/2008. Fully updated versions of Windows 7/2008R2 and all newer versions of Windows trust SHA-256, RFC-3161-compliant timestamped files.

Many certificate issuers require the use of FIPS 140-2 level 2 compliant private key storage on a local HSM device or a cloud-based service. Using such a certificate and its compliant private key may therefore require installing issuer- or hardware-manufacturer-provided client-side software based on Microsoft CNG (Cryptography Next Generation). Make sure you follow all installation instructions for the certificate and software carefully.


Example:
spcfile = "C:\mycert.spc"
friendlyname = AskLine( "Friendly Name?", "Enter Friendly Name of Certificate", "MyApp" )
filetosign = "C:\temp\a.exe"
desc = ""   ; description of the file being signed (optional, "" if not needed)
url = ""    ; URL with information about the file (optional, "" if not needed)
; Get thumbprint from spc file
thumb = IntControl(93, 1, spcfile, 0, 0)
; Set friendly name based on user input
IntControl(93, 2, thumb, friendlyname, 0)
; Sign file based on certificate data like friendly name
; (five tab-delimited fields: file, friendly name, description, info URL, timestamp server)
certdata = filetosign : @TAB : friendlyname : @TAB : desc : @TAB : url : @TAB : "http://timestamp.verisign.com/scripts/timstamp.dll"
IntControl(93, 0, certdata, 0, 0)
Message("Notice!", "The file has been signed successfully.")
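The following is an added example, not from the original page, showing the p1 = 3 form that takes the six-parameter string with an RFC-3161 timestamp server and a SHA-256 timestamp hash. File paths, the friendly name, the info URL and the timestamp server URL are placeholders; BuildSignParams is a hypothetical helper that checks the inputs before the call.

```winbatch
; Added example: sign with p1 = 3 (RFC-3161 timestamp server, SHA-256 digest).
; Paths, friendly name and URLs below are placeholders for a real setup.
#DefineFunction BuildSignParams(file, friendly, desc, infourl, tsurl, hashalg)
   ; Refuse to build the string if the file is missing or the friendly name is empty,
   ; so IntControl 93 is never called with an obviously bad parameter set.
   If !FileExist(file) Then Return ""
   If friendly == "" Then Return ""
   ; Six tab-delimited fields, in the order the p1 = 3 form expects.
   Return StrCat(file, @TAB, friendly, @TAB, desc, @TAB, infourl, @TAB, tsurl, @TAB, hashalg)
#EndFunction

filetosign   = "C:\temp\a.exe"                          ; placeholder path
friendlyname = "MyApp"                                  ; friendly name set earlier via p1 = 2
desc         = "MyApp installer"
infourl      = "https://example.com/myapp"              ; placeholder info URL
tsurl        = "http://timestamp.example.com/rfc3161"   ; placeholder RFC-3161 server
hashalg      = "SHA256"                                 ; prefer SHA256 over SHA1 (see SHA-1 note above)

params = BuildSignParams(filetosign, friendlyname, desc, infourl, tsurl, hashalg)
If params == "" Then Terminate(@TRUE, "Signing aborted", "File not found or friendly name empty.")

IntControl(93, 3, params, 0, 0)
Message("Notice!", "The file has been signed and timestamped with an RFC-3161 server.")
```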