Environment:  VC++ 6.0

Building a Signed ActiveX Control

To use your control on web pages, it is very convenient to distribute it as a .cab (cabinet file). This is a compressed archive—the classic use is to put the .cab file on a web server, and refer to it from web pages that host the control. Internet Explorer is smart enough to download and install the control if it is not already installed on the client machine, and to selectively update any files that are newer in the .cab file. Microsoft provides CABARC.EXE for creating and editing .cab files.

The Contents of a CAB File

A CAB file contains at least two files in the archive: an ActiveX component file (.EXE, .DLL, or .OCX file), and an .INF file.

Creating a CAB File

This section describes creating CAB files for distributing ATL and MFC controls over the Internet.

To create a CAB file:

  1. Create an INF file.
  2. Run the CABARC utility.

1. Creating an INF File

The INF file is a text file that specifies the files (such as DLLs or other OCXs) that need to be present or downloaded for your control to run. An INF file allows you to bundle all the needed files in one compressed CAB file. By default, files with the same version numbers as existing files on the user's hard disk will not be downloaded.

As an example, the following INF file will be used to create a CAB file for the ScriptableActiveX control.

; Sample INF file for SCRIPTABLEACTIVEX.DLL
[version]
; version signature (same for both NT and Win95) do not remove
signature="$CHICAGO$"
AdvancedINF=2.0

[Add.Code]
ScriptableActiveX.dll=ScriptableActiveX.dll
ScriptableActiveX.inf=ScriptableActiveX.inf

[ScriptableActiveX.dll]
file-win32-x86=thiscab
clsid={B8748B60-E34D-42AA-9309-8012CA4964AC}
FileVersion=1,0,0,1
RegisterServer=yes

[ScriptableActiveX.inf]
file=thiscab
; end of INF file

The clsid is the CLSID of the control to be installed.

2. Running the CABARC Utility

Once you have created an INF file, run the CABARC utility to create the CAB file. You should run CABARC in the directory that contains your source files. On the command line, put the source files in the order they appear in the INF and the INF file last. For example, to make a CAB file for the ScriptableActiveX control from the INF above, use the following command:

CABARC -s 6144 n ScriptableActiveX.cab ScriptableActiveX.dll ScriptableActiveX.inf

The -s option reserves space in the cabinet for code signing. The n command specifies that you want to create a CAB file.
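A pre-packaging check for the INF and the CABARC file order described above, as an added example that is not part of the original article. The function names (parse_inf, check_inf, cabarc_command) are hypothetical. It confirms that every [Add.Code] entry has its own section, that the clsid and FileVersion values are well formed, and it builds the CABARC argument list with the INF last.

```python
import re
# Constructed sample: the article's INF (comments dropped), embedded to run offline.
SAMPLE_INF = """[version]
signature="$CHICAGO$"
AdvancedINF=2.0
[Add.Code]
ScriptableActiveX.dll=ScriptableActiveX.dll
ScriptableActiveX.inf=ScriptableActiveX.inf
[ScriptableActiveX.dll]
file-win32-x86=thiscab
clsid={B8748B60-E34D-42AA-9309-8012CA4964AC}
FileVersion=1,0,0,1
RegisterServer=yes
[ScriptableActiveX.inf]
file=thiscab
"""
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
VERSION_RE = re.compile(r"\d+(,\d+){3}")

def parse_inf(text):
    """Return {section name (lowercased): [(key, value), ...]} in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return sections

def check_inf(text, inf_name):
    """Return (problems, files to pass to CABARC in INF order, INF last)."""
    sections = parse_inf(text)
    problems, in_cab = [], []
    for name, section in sections.get("add.code", []):
        body = {k.lower(): v for k, v in sections.get(section.lower(), [])}
        if not body:
            problems.append(f"[{section}] is listed in [Add.Code] but not defined")
        if "clsid" in body and not CLSID_RE.fullmatch(body["clsid"]):
            problems.append(f"[{section}] clsid is not a braced GUID")
        if "fileversion" in body and not VERSION_RE.fullmatch(body["fileversion"]):
            problems.append(f"[{section}] FileVersion is not four comma-separated numbers")
        if name.lower() != inf_name.lower() and "thiscab" in body.values():
            in_cab.append(name)                      # only files shipped in this cab
    return problems, in_cab + [inf_name]

def cabarc_command(cab_name, files, reserve=6144):
    return ["CABARC", "-s", str(reserve), "n", cab_name, *files]  # -s: signature space
```

Run check_inf on the INF text before packaging and only invoke CABARC when the problems list is empty.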

Code Signing Tools

Microsoft provides code signing tools as part of the "Microsoft .NET Framework software development kit (SDK) 1.1." To download the SDK, visit the following Microsoft Web site: .NET Framework SDK Version 1.1. After you install the SDK, you will be able to find the code signing files in the following location on your PC: "\Program Files\Microsoft.NET\SDK\v1.1\Bin". From the many files found in the above BIN directory, the following are of interest:

Recently, with the introduction of "Studio 2005," Microsoft has released a new set of tools. The new set of tools is provided as part of "Visual Studio 2005" and in the "Platform SDK." To download the "Platform SDK," visit the following Microsoft Web site: Platform SDK Full Download. After you install the SDK, you will be able to find the code signing files in the following location on your PC: "\Program Files\Microsoft Platform SDK\Bin". From the many files found in the above BIN directory, the following are of interest:

All the above-mentioned tools are actually small console programs that should be run from a command prompt. When run, each program expects command-line parameters in a special syntax. The rest of this article shows how to use them.

Signing a CAB File

Security is becoming increasingly important for software and media developers. "Code Signing" enables end users of your software to verify that the code you provide comes from the rightful source and that it has not been maliciously altered or accidentally corrupted.

Code signing technology has been available for many years, but many software vendors refrained from using it because of the complexity involved in the process. However, since the release of "Windows XP Service Pack 2," code signing cannot be ignored any longer.

With XP SP2, when you download an unsigned program with Internet Explorer and choose to open it (or even if you save it to a file and later open it via Windows Explorer), the browser will display the "Security Warning" dialog. When you download a signed program, however, the browser does not display annoying error messages complaining that it is an unsigned or unsafe control.

You have two options to sign your code:

Option 1: Using a Test Certificate

Option 2: Using a Public Certificate

Option 1: Using a Test Certificate

Before you start with the process, it is highly recommended that you create a "TEST certificate," and use it to sign your program as a test run.

A program signed by this certificate must not be distributed on the Internet.

Use the following steps to sign and validate the .cab file:

  1. Type the following at a command prompt to create a private key file, Mycert.pvk.
    makecert -sv "mycert.pvk" -n "CN=My Company" mycert.cer
    The file created in this step, Mycert.cer, is used to create an .spc file. Type the password in the dialog box.
  2. Create an .spc file from the certificate file with the correct password. To do so, type the following line at a command prompt:
    cert2spc mycert.cer mycert.spc
    Note that this step involves creating a test private key. Alternatively, valid certificates can be created through Microsoft Certificate Server for Intranet use or purchased from external vendors for Internet use.
  3. Create a Personal Information Exchange file. This step is optional. You will need it only if you choose to sign your code using SIGNTOOL.EXE, as described above. The following command line may be used to create a "Personal Information Exchange" (PFX) file:
    pvk2pfx -pvk mycert.pvk -pi Pass1 -spc mycert.spc -pfx mycert.pfx -po Pass2 -f

PVK2PFX.EXE expects two passwords:

Once signed, you can distribute the ActiveX component to any user, but the user must install a certificate chain. If you want users to install an ActiveX component without the Root and Intermediate certificates, buy a Public code-signing certificate.

Option 2: Using a Public Certificate

To be able to sign your code, you will need a certificate. Certificates are issued by special Internet organizations called CAs (Certificate Authorities). There are many such organizations; the most prominent ones are verisign.com and thawte.com.

You can get a full list of CAs by going to: Microsoft Root Certificate Program Members.

However, acquiring a certificate is quite a tedious and time-consuming process (the CA has to identify you or your organization before it can issue a certificate), and you should expect to pay a few hundred dollars for the certificate.

Finishing Touches

Now, use the key information to sign the .cab file:

signcode -v mycert.pvk -spc mycert.spc ScriptableActiveX.cab -t [Timestamp server URL]

Or, the following commands may be used to sign your code using SIGNTOOL.EXE:

signtool sign /f mycert.pfx /p Pass2 /v ScriptableActiveX.cab /t [Timestamp server URL]

Pass2: Enter here the second password you used when creating the PFX file.

Note: Specify the timestamp server URL at this step. The timestamp server URL provides a place to enter or edit the location of a timestamp server. A timestamp server validates the date and time that the cabinet file was signed. Certificate files can expire after a certain period of time. Contact your certificate file provider (certificate authority) for the location of their timestamp server.

The URL of a time stamping service provided for free by verisign.com is http://timestamp.verisign.com/scripts/timstamp.dll.

Validate a CAB File

Follow this procedure to validate a .cab file:

Option A: Using CHKTRUST
  1. Type the following at a command prompt to run SETREG.EXE on the client system with the TRUE value so that the test certificates are recognized:
    setreg -q 1 TRUE
  2. Run CHKTRUST.EXE to ensure that the CAB file is signed correctly:
    chktrust ScriptableActiveX.cab

Expected results:

ScriptableActiveX.cab: Succeeded

Option B: Using SIGNTOOL

Run SIGNTOOL.EXE to verify the signing:

signtool verify /v /a ScriptableActiveX.cab

Expected results:

ScriptableActiveX.cab: Succeeded

Option C: Using Properties

You also can use the following method to verify your digital signature:

Explorer will present you with the properties dialog of the file. This properties dialog will include a new tab, "Digital Signatures." You now can read the details of the signature in this tab.
