Prerequisites


Before you can sign an FDI Package, you need the following:


1. Valid Code Signing Certificate

2. Intermediate certificates

3. Address of RFC 3191 trusted time stamp server

4. Up-to-date Root Certificates (Microsoft Store)

5. FDI Package Signing tool (Version 2.0.1.0 or above)


Items 1 through 3 are provided by the Certification Authority.   

Item 4 is obtained from Microsoft, see our support article: Install Root Certificates

Item 5 is provided in the FDI Package IDE installation.


Refer to FDI Package Signature Processing for detailed requirements.


Getting a code signing certificate


Before you can sign an FDI Package with a code signing certificate, you must obtain one from a certification authority that is trusted by Microsoft Windows under Microsoft's Trusted Root Certificate Program.


Some examples of Certification Authorities:

Look for code signing certificates that support "Microsoft Authenticode."


Authenticode is a Microsoft code-signing technology that identifies the publisher of Authenticode-signed software. Authenticode also verifies that the software has not been tampered with since it was signed and published. Authenticode uses cryptographic techniques to verify publisher identity and code integrity.


Both Code Signing and EV Code Signing certificates are valid for use with FDI. Code signing certificates are provided with validity periods (e.g. 1 year, 2 years, 3 years). This validity period defines how long the certificate can be used for signing. Each code signing certificate has a Common Name attribute that will be shown to the end user who imports the FDI Package.


For example, the common name for FieldComm Group's EV code signing certificate is "FieldComm Group, Inc."


Example EV code signing certificate with private key indication



When you obtain the code signing certificate, the private key will be installed on your computer or, for EV code signing, on a specialized device such as a USB hardware token. It is important that you have access to the private key (or USB hardware token) on the same machine as the tool used to sign the FDI Package. There is typically a password assigned to the private key/hardware token that is required before you can use the certificate to sign an FDI Package. Hardware tokens typically require a software driver/application to support them (e.g. SafeNet). Your certification authority may provide this software.


Refer to the documentation provided by the certification authority for additional help on installing the code signing certificate.


Your code signing certificate's signature algorithm should use SHA256 for the strongest protection. SHA256 is highly recommended over SHA1. The signature hash algorithm can be SHA1. Refer to https://csrc.nist.gov/projects/hash-functions/nist-policy-on-hash-functions


Intermediate Certificates


In addition to the code signing certificate, you will also need any intermediate certificates that are provided by the certification authority. Typically, code signing certificates are not issued directly by the "root" certificate authority but by an intermediate.


Certification path shows root, intermediate and code signing certificates.


Therefore, for the consuming FDI host to establish trust from your code signing certificate up to the root store, you need to provide the intermediate certificate(s) between your certificate and the trusted root certificate. Your certificate authority will provide any intermediate certificate(s).


The tool allows you to include these certificates. These certificates need to be provided in base64 format. There may be more than one intermediate certificate. If you open the certificate with a text editor and see a "-----BEGIN CERTIFICATE-----" line, then your certificate is most likely in the correct format. If you have multiple intermediate certificates, simply create one PEM file with all certificates listed. Order does not matter. Do not include the root nor your own certificate, only intermediates.


Example of a PEM file with 2 intermediate certificates


-----BEGIN CERTIFICATE-----
MAkGA1UEBhMCREUxEDAOBgNVBAoMB1Np ...
-----END CERTIFICATE-----


-----BEGIN CERTIFICATE-----
FpaWlpaWlkzMTowOAYDVQQLDDFDb
-----END CERTIFICATE-----


HINT: You can also use the Certificate Export Wizard to export the intermediate certificate from your machine to a file (select "Copy to File..." on the Details tab of the selected certificate).


HINT: If you change the extension of the intermediate certificates file to .CER (e.g. intermediate.cer), Windows provides native means to view the certificate. This is a good way to confirm you have the proper certificate. The FDI signing tool requires a file with the .PEM extension.
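As an added example (not code from the FDI Signing Tool or this article), the following PowerShell script locates the code signing certificate with a usable private key, warns if its signature algorithm is SHA1 rather than the recommended SHA256, builds the trust chain the way a consuming host would, and writes only the intermediate certificates (no root, no leaf) to one base64 PEM file ready for the signing tool. It assumes the certificate is in the current user's Personal store and that the output path is a placeholder you change; the code-signing EKU OID filter and the use of the chain's self-issued element to recognise the root are assumptions of this example.

```powershell
# Added example: export intermediate certificates for the FDI signing tool.
$OutFile = 'C:\FDI\intermediates.pem'   # placeholder path, change as needed

# Candidates: certificates with the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3)
# whose private key (or hardware token) is reachable from this machine.
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.3' })
}
if (-not $candidates) { throw 'No code signing certificate with a private key was found.' }
# If several exist (e.g. an old and a renewed one), take the one that expires last.
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
"Using: $($cert.Subject) (valid until $($cert.NotAfter))"

# SHA256 is recommended over SHA1 for the certificate's signature algorithm.
if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1') {
    Write-Warning "Certificate uses $($cert.SignatureAlgorithm.FriendlyName); SHA256 is recommended."
}

# Build the chain as a consuming host would. Revocation lookups are skipped here
# so the check works offline; an empty ChainStatus means it reaches a trusted root.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$null = $chain.Build($cert)
foreach ($s in $chain.ChainStatus) {
    # A self-signed test certificate reports UntrustedRoot: fine for testing, not for release.
    Write-Warning "Chain status: $($s.Status) - $($s.StatusInformation)"
}

# Intermediates are every chain element except your certificate and the
# self-issued root (subject equals issuer). Order in the PEM file does not matter.
$intermediates = @($chain.ChainElements | ForEach-Object { $_.Certificate } |
    Where-Object { $_.Thumbprint -ne $cert.Thumbprint -and $_.Subject -ne $_.Issuer })
if ($intermediates.Count -eq 0) { throw 'No intermediate certificates found in the chain.' }

# Each certificate is written DER -> base64 with the BEGIN/END CERTIFICATE lines.
$pem = foreach ($ic in $intermediates) {
    '-----BEGIN CERTIFICATE-----'
    [Convert]::ToBase64String(
        $ic.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert),
        'InsertLineBreaks')
    '-----END CERTIFICATE-----'
}
Set-Content -Path $OutFile -Value $pem -Encoding Ascii
"Wrote $($intermediates.Count) intermediate certificate(s) to $OutFile"
```

Rename the output to .cer temporarily if you want to inspect each certificate with the Windows viewer, as the hint above describes, but hand the .pem file to the signing tool.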


NOTE: FDI Package Signing Tool [Release 2.0.0.6 or above, or FDI-IDE 1.5.0 or above] automatically includes Intermediate Certificates that reside on your PC.


Trusted Time Stamp Server


Code signing certificates have a validity period. The trusted time stamp server is used to prove that the package was signed within that validity period. The certification authority will provide a link to an RFC 3191 time stamp server.


Signing an FDI Package


With all prerequisites met, you can now sign the FDI Package.


NOTE: FDI Packages are first signed by the Registration Authority (FieldComm Group). This is Signature 1. The owner of the FDI Package applies their digital signature after the registration process is complete (Signature 2) and returns the signed FDI Package to FieldComm Group for publication in the Repository.


Launch the signing application using the Start Menu or open from the installation folder: C:\Program Files (x86)\FDI\Signing Tool\


1. Provide the location of the FDI Package to sign.

2. Select the certificate used to sign. You may have multiple certificates that can be used to sign. Make sure you select the correct one.

3. Enter the URL of the trusted time stamp server. These are typically http and NOT https URLs.

4. Finally, provide the path to the file containing the intermediate certificate(s). [Release 2.0.0.6 or above, or FDI-IDE 1.5.0 or above, automatically includes Intermediate Certificates that reside on your PC, so this step is not needed.]

5. If you are behind a proxy, update those settings as appropriate.


The signing tool needs to connect to the trusted time stamp server to obtain the counter signature. This can take several seconds.


Additional Notes


If you do not have a code signing certificate yet, you can still create a self-signed certificate for testing purposes only. You will be able to sign FDI Packages; however, such a package should not be released because the consuming FDI host will not trust it.


For information on creating a self-signed certificate for testing: https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate


Also see:

Help with Signing Certificates and the FDI Package Signing Tool

Vol 2024 #6: To Sign or Not Sign … Is Not Even the Question