Next, run TrueCrypt. If TrueCrypt is already running, open its main window. Click ‘select device’.

TrueCrypt will prompt you for your administrator password. This is your regular login password. Note that if you don’t have administrative rights, you can’t mount an encrypted volume.

Next, select the encrypted disk from the list of drives. In this example, it’s a 60 gigabyte external harddrive, so I select the drive reported as 55.9 GB.

You are now returned to TrueCrypt’s main window. Click ‘Mount’ in the bottom, left corner.

TrueCrypt will now prompt for the volume password. This is the password used to encrypt the disk.

The volume is now mounted. You may close the TrueCrypt main window and continue to access the encrypted disk.

Many CAPICOM pages contain a confusing, bright-red header along the lines of:

[The SignedCode object is available for use in the operating systems listed in the Requirements section. Instead, use Platform Invocation Services (PInvoke) to call the Win32 API SignerSignEx, SignerTimeStampEx, and WinVerifyTrust functions to sign content with an Authenticode digital signature. For information about PInvoke, see Platform Invoke Tutorial. The .NET and CryptoAPI via P/Invoke: Part 1 and .NET and CryptoAPI via P/Invoke: Part 2 subsections of Extending .NET Cryptography with CAPICOM and P/Invoke may also be helpful.]

Note that this alarming paragraph seems to begin by simply telling you that this API is supported on the operating systems listed later. It does not state that the API will not be available on later OSes, but why place this here otherwise? The next sentence, beginning with, “Instead, …” seems to be contrasting with something, yet makes absolutely no sense in this context.

Finally, this paragraph instructs us to investigate SignerSignEx, and SignerTimeStampEx, which are supplied by the mssign32.dll, have no header file, and absolutely no example code. This is what I find most irksome, they document each and every function and structure, yet each page says, “there is no header file, so copy and paste the declaration given here.” Well, why not simply provide an mssign.h file on blogs.msdn, or similar? And why, oh why, is there not a single line of sample code?

Follow-up

I have provided a basic header file for mssign32.dll, here.

Download the gnupg plugin for vim from here and copy it into your user directory directory under .vim/plugin. From the Cygwin bash prompt:

mkdir ~/.vim/plugin
copy gnupg.vim ~/.vim/plugin

Run vim, then use the :scriptnames command and verify that gnupg.vim appears in the list of sourced scripts:

  1: /cygdrive/c/Users/username/.vim/plugin/gnupg.vim

Your Certificate Authority will supply one of the following:

1. a Personal Information Exchange (.pfx) file
2. a Software Publisher Certificate (.spc), and a Private Key (.pvk) file
3. a CER-encoded X.509 Certificate (.cer), and a Private Key (.pvk) file

For the second and third case, these file must be converted to a Personal Information Exchange (.pfx), using the Pvk2Pfx.exe tool.

Convert SPC or CER to Personal Information Exchange (.pfx)

Syntax for .spc conversion:

pvk2pfx -pvk filename.pvk -pi password -spc filename.spc -pfx output.pfx

The syntax is identical for .cer conversion:

pvk2pfx -pvk filename.pvk -pi password -spc filename.cer -pfx output.pfx

Sign the Executable

Signtool.exe can be used to sign executables (.exe) and Dynamic Link Libraries (.DLL).

Basic Signature

signtool.exe sign /v /f filename.pvk /p password executable

Signature With Timestamp

signtool.exe sign /v /f filename.pvk /p password /t timeurl executable

Where timeurl is the URL of your Certificate Authority’s timestamp server (e.g. http://timestamp.verisign.com/scripts/timestamp.dll for VeriSign)

Signature Verification

signtool verify /pa executable

/pa indicates that the “Default Authenticode” verification policy is used. Omitting the switch will cause the verification to fail, which does not necessarily mean that a given file isn’t Authenticode signed.

Resources

• Windows Driver Kit: Device Installation, Software Publisher Certificate (MSDN)
• PKCS12 is the successor to PFX.

1. No example code whatsoever is provided.
2. No header file is provided.

Well, at least I can do something about #2. Here is a minimal version of a header file for mssign32.dll. It includes direct function declarations, as well as function pointer typedefs.

The function pointers can be used with LoadLibrary/GetProcAddress to dynamically call the functions, as in:

SignerSignPtr pSignerSign =
    (SignerSignPtr)GetProcAddress(hModule, "SignerSign");

Key Generation

Generate a DSA key:

ssh-keygen -t dsa

This will generate an RFC 4716-formatted key file similar to the following:

-----BEGIN DSA PRIVATE KEY-----
MIIBuwIBAAKBgQDijfpmyXBZpnq8EhEhSxeJz7fNxIlWYD6t7bviDZMARh8mLCr2
bug2J1K+Rl4qoLQJ7zRGlytwQ2krTCmvVahOjy9m/QW5936rCyVS19PRdJMEEMSN
vLQaMtpKbnHp0z8Xs/X1CkDmxThOlvRVjiObdd0U9eELLoo5VHauVHmufwIVAO7j
l4bxgVXeX09WJcyOXAUauNXHAoGAF20ESXgTvbbdxDECa2tfTi/j1/+emNV/+zuR
aq6xms/K0piZhMlkK3BD9PgHhXfqZuRT/Z9b8ja3nR34H2KL3UInCNV6kSq6h+MD
MLJnNQG4wADLYw3p5Tzz/hUwtfqpZ/9e7FpBdgfooS274GgPKTG8BFRiudIztPpK
4GueicoCgYEAy8hllDrFzQUqFG0kMe8r3dOFDjMQHf6ITttmAiScwEPg+a5D++Sq
bj42vkKSNgaYHc+Z8QPgerPehIkBde6wx0ukq0a8IXy8F86IasXz3wzotPeJsdKi
mynQKzhSm9Jzbk/SK/yh5NGhJzz1VmHsg+ir/qReguMHfqDGCI4kSFYCFDJKXQ4h
MteJHSlu62RrGwInRBOh
-----END DSA PRIVATE KEY-----

An accompanying, OpenSSH-formatted public key file should also be generated under the same file name with a .pub suffix. It should appear similar to the following:

ssh-dss AAAAB3NzaC1kc3MAAACBAOKN+mbJcFmmerwSESFLF4nPt83EiVZgPq3t
u+INkwBGHyYsKvZu6DYnUr5GXiqgtAnvNEaXK3BDaStMKa9VqE6PL2b9Bbn3fqsL
JVLX09F0kwQQxI28tBoy2kpucenTPxez9fUKQObFOE6W9FWOI5t13RT14QsuijlU
dq5Uea5/AAAAFQDu45eG8YFV3l9PViXMjlwFGrjVxwAAAIAXbQRJeBO9tt3EMQJr
a19OL+PX/56Y1X/7O5FqrrGaz8rSmJmEyWQrcEP0+AeFd+pm5FP9n1vyNredHfgf
YovdQicI1XqRKrqH4wMwsmc1AbjAAMtjDenlPPP+FTC1+qln/17sWkF2B+ihLbvg
aA8pMbwEVGK50jO0+krga56JygAAAIEAy8hllDrFzQUqFG0kMe8r3dOFDjMQHf6I
TttmAiScwEPg+a5D++Sqbj42vkKSNgaYHc+Z8QPgerPehIkBde6wx0ukq0a8IXy8
F86IasXz3wzotPeJsdKimynQKzhSm9Jzbk/SK/yh5NGhJzz1VmHsg+ir/qReguMH
fqDGCI4kSFY= user@hostname

Export Public Key in RFC 4716 Format

Given a private key, export its public key:

ssh-keygen -e -f private_key

This will generate a RFC 4716 output similar to the following:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "1024-bit DSA, converted from OpenSSH by user@hostname"
AAAAB3NzaC1kc3MAAACBAOKN+mbJcFmmerwSESFLF4nPt83EiVZgPq3tu+INkwBGHyYsKv
Zu6DYnUr5GXiqgtAnvNEaXK3BDaStMKa9VqE6PL2b9Bbn3fqsLJVLX09F0kwQQxI28tBoy
2kpucenTPxez9fUKQObFOE6W9FWOI5t13RT14QsuijlUdq5Uea5/AAAAFQDu45eG8YFV3l
9PViXMjlwFGrjVxwAAAIAXbQRJeBO9tt3EMQJra19OL+PX/56Y1X/7O5FqrrGaz8rSmJmE
yWQrcEP0+AeFd+pm5FP9n1vyNredHfgfYovdQicI1XqRKrqH4wMwsmc1AbjAAMtjDenlPP
P+FTC1+qln/17sWkF2B+ihLbvgaA8pMbwEVGK50jO0+krga56JygAAAIEAy8hllDrFzQUq
FG0kMe8r3dOFDjMQHf6ITttmAiScwEPg+a5D++Sqbj42vkKSNgaYHc+Z8QPgerPehIkBde
6wx0ukq0a8IXy8F86IasXz3wzotPeJsdKimynQKzhSm9Jzbk/SK/yh5NGhJzz1VmHsg+ir
/qReguMHfqDGCI4kSFY=
---- END SSH2 PUBLIC KEY ----

Convert Public RFC 4716 to Public OpenSSH Format

Convert the exported public key from RFC 4716 format to OpenSSH format (for use in an authorized_keys file, for example):

ssh-keygen -i -f public_key

This will generate OpenSSH-formatted output similar to the following:

ssh-dss AAAAB3NzaC1kc3MAAACBAOKN+mbJcFmmerwSESFLF4nPt83EiVZgPq3t
u+INkwBGHyYsKvZu6DYnUr5GXiqgtAnvNEaXK3BDaStMKa9VqE6PL2b9Bbn3fqsL
JVLX09F0kwQQxI28tBoy2kpucenTPxez9fUKQObFOE6W9FWOI5t13RT14QsuijlU
dq5Uea5/AAAAFQDu45eG8YFV3l9PViXMjlwFGrjVxwAAAIAXbQRJeBO9tt3EMQJr
a19OL+PX/56Y1X/7O5FqrrGaz8rSmJmEyWQrcEP0+AeFd+pm5FP9n1vyNredHfgf
YovdQicI1XqRKrqH4wMwsmc1AbjAAMtjDenlPPP+FTC1+qln/17sWkF2B+ihLbvg
aA8pMbwEVGK50jO0+krga56JygAAAIEAy8hllDrFzQUqFG0kMe8r3dOFDjMQHf6I
TttmAiScwEPg+a5D++Sqbj42vkKSNgaYHc+Z8QPgerPehIkBde6wx0ukq0a8IXy8
F86IasXz3wzotPeJsdKimynQKzhSm9Jzbk/SK/yh5NGhJzz1VmHsg+ir/qReguMH
fqDGCI4kSFY=