Format of a Signed File
-----------------------

A signed file is a standard Windows PE executable with signature data appended
to it. A PE file begins with a 16-bit MSDOS executable stub (which just prints
a message that you can't run the program and exits). Following this is the
real data, organised in a COFF-like format. The general COFF header which is
always present is followed by another header which contains information on
executables (it's referred to as an optional header, but it's always present
for executables). This header defines a number of data directories which
contain data sections within the executable. One of these directory entries is
an (undocumented) IMAGE_DIRECTORY_ENTRY_SECURITY, which is used to store the
signature: Hash the entire file, add a security directory entry large enough to
contain the signature, and write the signature at that position in the file.

The signing process is as follows:

1. Hash the file, skipping the file checksum (another undocumented attribute,
but there are standard Windows functions to calculate it) and the
IMAGE_DIRECTORY_ENTRY_SECURITY entry.
2. Generate the signature and append it to the file.
3. Write the signature position and size (padded out to a multiple of 16 bytes)
into the IMAGE_DIRECTORY_ENTRY_SECURITY. The signature position is the end
of the file, since it's simply appended to the existing data.
4. Update the file checksum.

The security information begins with a 32-bit length (which is ignored) and a
32-bit flags field which should be set to 0x00020200. Most of the flags are
unused, although changing the first 0x02 to a 1 gives an invalid signature, and
changing the second one to anything other than 0x02 results in the signature
check silently failing with no error message or other indication.

Immediately following this is a complex PKCS #7 signature record which contains
a detached signature for the rest of the file. The outer wrapper is PKCS #7
signedData, with the signed content being an spcIndirectDataContext (an MS-
defined data type) which contains an (obsolete) spcPelmageData record and an
MD5 hash of the file. The exact format is:

SEQUENCE {
SEQUENCE {
OBJECT IDENTIFIER spcPelmageData (1 3 6 1 4 1 311 2 1 15)
SEQUENCE {
BIT STRING (length 0)
[0] {
[2] {
[0] '.<.<.<.O.b.s.o.l.e.t.e.>.>.>'
}
}
}
}
SEQUENCE {
SEQUENCE {
OBJECT IDENTIFIER md5 (1 2 840 113549 2 5)
NULL
}
OCTET STRING
xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
}
}
}
}

where the x's are the MD5 hash of the file and the content-type for the whole
is spcIndirectDataContext (1 3 6 1 4 1 311 2 1 4). You can use a toolkit such
as cryptlib to generate this type of data, as well as creating the special
AuthentiCode certs you need for the signing.

The signed content is followed by the standard PKCS #7 signedData fields, first
a certificate chain containing a complete chain of certs from a known CA to an
end-users AuthentiCode signing certificate and then information on the signer
(that is, data to identify the AuthentiCode certificate which signed the whole
thing), an identifier for the hash algorithm used (again, MD5), and some
authenticated attributes. These contain more MS-defined attributes, typically
spcSpOpusInfo and spcStatementType which are used to provide information on the
signer (eg whether they're using an individual or commercial signing
certificate). Also included is a messageDigest attribute which contains the
MD5 hash of the spcIndirectDataContext content of the signedData. Finally, the
authenticated attributes are hashed and signed, with the signature being
included at the end of the collection of signature information (this is the
standard PKCS #7 signature process). Again, this is standard stuff which you
can create using cryptlib.

To create the signature, you need to hash the entire file (skipping the
checksum and IMAGE_DIRECTORY_ENTRY_SECURITY as explained above) and write the
hash into the spcIndirectDataContext content record. Then hash this and write
the hash and other attributes into the authenticated attributes. Finally, hash
the authenticated attributes and append the signature to the end of the
signature record. This means that each collection of data is covered by its
own hash, which is then passed up the chain to the next level until it reaches
the signature. If you're using an existing crypto toolkit to do this, create a
PKCS #7 signedData item, set the content-type to spcIndirectDataContext, drop
in the spcIndirectDataContext content itself, and sign it, the rest will be
handled by the PKCS #7 signing code.