The organization's code-signing key will prove that the
program is coming from the legitimate web site and not a random attacker. For example,
if eNapkin.com uses an ActiveX control to install software, but the software has not been
signed, the control should refuse the installation. Additionally, if the executable or cab
file comes from eNapkin.com but is signed by ePaperTowel.com rather than eNapkin.com,
the control should also reject the installation.
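The two refusal cases above can be checked on Windows with PowerShell's Get-AuthenticodeSignature cmdlet. The following is an added example, not code from the original text; the function name Test-PublisherSignature, the file path, and the publisher string are assumptions chosen for illustration.

```powershell
# Added example: gate an install on the Authenticode signature and its signer.
# Test-PublisherSignature is a hypothetical helper, not part of any product.
function Test-PublisherSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Common name expected in the signer certificate (assumed value).
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Allowed = $false; Reason = 'File not found' }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Case 1: unsigned, modified after signing, or not chaining to a trusted
    # root. Only 'Valid' passes; NotSigned, HashMismatch, NotTrusted and the
    # other status values are all refused.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Allowed = $false
            Reason  = "Signature status is $($sig.Status)"
        }
    }

    # Case 2: the signature is valid but belongs to a different publisher.
    # SimpleName returns the subject's common name; compare case-sensitively.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer   = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    if ($signer -cne $ExpectedPublisher) {
        return [pscustomobject]@{
            Allowed = $false
            Reason  = "Signed by '$signer', expected '$ExpectedPublisher'"
        }
    }

    # Matching on the name relies on every trusted CA; comparing
    # $sig.SignerCertificate.Thumbprint to a pinned value is stricter.
    [pscustomobject]@{ Allowed = $true; Reason = "Signed by '$signer'" }
}

# Constructed usage: path and publisher name are placeholders.
$result = Test-PublisherSignature -Path '.\setup.exe' -ExpectedPublisher 'eNapkin.com'
if (-not $result.Allowed) { Write-Warning "Install refused: $($result.Reason)" }
```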
The method used for signing binaries is pretty straightforward. Signing keys can be
purchased from VeriSign (and other vendors), and Microsoft's SignTool.exe program can
be used to sign the binaries. Complete the following steps to sign an executable that will
be downloaded and installed automatically by an ActiveX control. To sign a binary, the
Digital ID file (generally called MyCredentials.spc) and the private key file
(MyPrivateKey.pvk) will be needed; both are provided to you after you purchase a signing
key from VeriSign.
1. Download the software development kit (SDK) from
www.microsoft.com/downloads/details.aspx?FamilyId=0BAF2B35-C656-4969-ACE8-E4C0C0716ADB&displaylang=en.
2. After install, choose Start | Run.