Creating Digitally Signed Content - GWWiki

Revision as of 15:32, 7 July 2011

Creating Digitally Signed Content

Providing reliable content to end users is an important part of app development, especially considering apps that have paid features or other elements that depend on trusted information. This article provides detailed instructions for creating secure, digitally signed content and testing its validity.

A Real World Example

Mary, app developer for Contrary, Inc., has been told to create an app that will run as a demo until the end user pays for a license. Once a license is obtained and installed, the app should run without any restrictions. Mary decides the best way to know whether or not a license is valid is to digitally sign it, transfer it to the end user's machine, and use her app to verify that the signed content is valid. If it is, the app will run unrestricted. If the license is not valid, the app will continue to run as a demo.

Mary begins by creating her own digital certificate using various Microsoft digital certificate utilities. She then uses the Window-Eyes app WESign, along with her digital certificate, to create an installable package of signed content that contains the end user's Window-Eyes serial number, tying the license to that specific copy of Window-Eyes. Mary then provides the content package to the end user, and the end user installs the package on the machine with the matching Window-Eyes serial number. The next time Mary's app runs, it will locate the signed content, and verify that the content's signature matches the signature that Mary originally used to sign the content. Once the content is verified, Mary's app will run fully licensed rather than as a demo, and the end user will be able to enjoy the new features that they paid for.

Your Own Digital Certificate

Digital signatures are often used to offer assurance that content came from a known source, and that it has not been tampered with. The certificate behind a digital signature can be issued by a certificate authority (CA), or it can be self-signed.

For the purposes of signing content specifically for app use, having a digital signature verified by a CA is unnecessary. After all, the communication path will be between the developer and the app, and will not involve any other party.

All of the tools necessary to create a self-signed certificate are available through the Microsoft Windows SDK. There are three specific command line utilities that can be used to create a Personal Information Exchange (PFX) certificate:

  • makecert
  • cert2spc
  • pvk2pfx

Begin by using makecert to create a standard X.509 certificate:

makecert -r -pe -n "CN=My Name" -sv mycert.pvk mycert.cer

When prompted, enter a unique password for the certificate; it protects the private key stored in mycert.pvk. You will need to retain this password for future use.
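
The sign-then-verify flow from Mary's example, sketched as an added example that is not GW Micro's code: OpenSSL stands in for makecert and WESign, and the file names, license format and serial numbers are constructed for illustration. It shows why a self-signed certificate is enough when the app ships with the developer's public key, and that editing the serial number after signing invalidates the license.

```shell
#!/bin/sh
# Added illustration: OpenSSL replaces makecert/WESign; all names are hypothetical.
WORK=$(mktemp -d)

# Developer side: self-signed certificate plus private key (the role of makecert -r).
# -nodes leaves the key unencrypted so the demo runs without a password prompt.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=My Name" \
        -keyout "$WORK/mycert.key" -out "$WORK/mycert.cer" 2>/dev/null
    # Public key the app ships with; it is the app's only trust anchor.
    openssl x509 -in "$WORK/mycert.cer" -pubkey -noout > "$WORK/pinned_pub.pem"
}

# Developer side: write a license for one serial number and sign it.
sign_license() {  # $1 = end user's serial number
    printf 'product=DemoApp\nserial=%s\n' "$1" > "$WORK/license.txt"
    openssl dgst -sha256 -sign "$WORK/mycert.key" \
        -out "$WORK/license.sig" "$WORK/license.txt"
}

# App side: succeed only if the signature verifies against the pinned key
# AND the signed serial equals the serial of this machine.
license_ok() {  # $1 = serial number found on this machine
    openssl dgst -sha256 -verify "$WORK/pinned_pub.pem" \
        -signature "$WORK/license.sig" "$WORK/license.txt" >/dev/null 2>&1 || return 1
    grep -qxF "serial=$1" "$WORK/license.txt"
}

# Constructed tampering: change the serial inside an already signed license.
tamper_serial() {  # $1 = old serial, $2 = new serial
    sed "s/serial=$1/serial=$2/" "$WORK/license.txt" > "$WORK/license.tmp"
    mv "$WORK/license.tmp" "$WORK/license.txt"
}

make_cert
sign_license "CONSTRUCTED-0001"
if license_ok "CONSTRUCTED-0001"; then echo "licensed"; else echo "demo"; fi

tamper_serial "CONSTRUCTED-0001" "CONSTRUCTED-0002"
if license_ok "CONSTRUCTED-0002"; then echo "licensed"; else echo "demo"; fi
```

Checking the serial only after the signature verifies matters: the serial line is trusted solely because it is covered by the signature.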

