Code Signing Reading Time: 4 minutes

How to Sign manifest files using Mage?

“Mage.exe” is a command-line tool used in the Windows operating system for signing and verifying software manifests. Mage Signing is primarily used for signing manifests, which are XML files containing information regarding the deployment and update of a software application. By making use of “mage.exe” to sign the manifest, developers can ensure the authenticity and integrity of their applications, providing users with confidence that the software has not been compromised. The tool also enables the verification of signed manifests, allowing users to validate the source and integrity of the application before installation.

At Encryption Consulting, we have extensive expertise in compliance standards, including FIPS 140-2 Level 3 HSMs. We prioritize meeting industry regulations and standards for your package signing process. To enhance security, we utilize Proxy-Based access to the HSM, ensuring that your private key remains safeguarded from unauthorized access and potential breaches. We recognize that every organization has unique requirements, which is why we offer customized solutions tailored to your specific needs. By doing so, we provide a secure signing process that instills trust and confidence in our services.

Pre-Requisites

  • Install mage on your system.
  • Install .NET Framework 4 or above.
  • Obtain a Signing Certificate.

Mage.exe is a .NET Framework tool, so it will either get automatically installed while you install .NET Framework using Visual Studio or it is downloaded with Windows SDK, under Windows SDK signing tools for Desktop apps.

You can locate it in the file path C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8.1 Tools. Once you’ve downloaded mage.exe to your system, you will need to set the PATH environment variable to mage.exe.

Setting PATH environment variable to mage.exe

Mage commands and parameters

You can also see this by using mage -help or mage -help verbose in your CMD

-s, -Sign [Sign options]Uses a key pair or X509 certificate to sign a file. Signatures are inserted as XML elements inside of the files.

You must be connected to the Internet when signing a manifest that specifies a -TimestampUri value.
-ver, -Verify [manifest-filename]Verifies that the manifest is signed correctly. Cannot be combined with other commands.
-a, -AlgorithmSpecifies “sha256RSA” or “sha1RSA as the algorithm to generate dependency digests with.
-ch, -CertHashProvides Certificate Hash or Fingerprint
-ti, -TimestampUriSpecify time stamp url ex: http://timestamp.digicert.com

Using the command line and EV certificate

We will use Mage.exe to sign a file

Syntax

mage -sign <file_name> -CertHash <hash_or_cert_fingerprint>
mage -verify <file_name>

For example:

mage -sign CodeSignText.exe.manifest -CertHash f39dbe6bcfaa43ca39585aa40ab0a19bf29991cb

Here,

<file_name>specify the name of the file you want to sign or the path of the file, if it is not in the same directory
<hash_or_cert_fingerprint>specify the fingerprint or Hash of your certificate. This can be found in the detail section of your certificate.
Certificate Hash

A sample of the executed command:

Mage.exe to sign a file

Using the command line and self-signed certificate (from our web portal)

This method also involves leveraging the Mage (Command Line Interface) that provides functionality to create, publish, sign, and manage packages without changing the project files. But first, the user needs to generate a Self-Signed certificate from our web portal. After that, convert the download certificate from .pem to .crt format for better operations. When these steps are performed successfully, perform the following steps:

  • Download the Certificate Chain from our “Signing Tools” screen. And unzip it in your client machine.
  • After that, install the Root Certificate into your system.

Steps:

  1. Click on the INSTALL CERTIFICATE button.

    Certificate Information
  2. On the “Import Wizard” popup, select Current User and then hit NEXT

    Import Wizard
  3. On the “Certificate Store” popup, choose Trusted Root Certification Authorities for the Root CA certificate and click on NEXT.

    Certificate Store
  4. After verifying all the details, click on FINISH.

    Finish Certificate Import
  5. After installing Root CA, install the Issuing CA from the Certificate Chain folder (intermediate.crt). Follow the same procedure, except to install this certificate in Intermediate Certification Authorities.
  6. After successfully installing the Issuing CA, install the End Entity certificate (or the Self-Signed certificate from our portal) into your system. The process is the same, except this certificate will be installed in the Personal store.
  7. Run the repairstore command using the Thumbprint of this End Entity certificate. Like this:

    certutil -f -repairstore -csp “Encryption Consulting Key Storage Provider” -user “My” <thumbprint of the certificate>

When all of these steps have been completed successfully, try running the Mage command-line command using this certificate’s thumbprint.

Syntax

mage -sign <file_name> -CertHash <hash_or_cert_fingerprint>
mage -verify <file_name>

For example:

mage -sign CodeSignText.exe.manifest -CertHash f39dbe6bcfaa43ca39585aa40ab0a19bf29991cb

Here,

<file_name>specify the name of the file you want to sign or the path of the file, if it is not in the same directory
<hash_or_cert_fingerprint>specify the fingerprint or Hash of your certificate. This can be found in detail section of your certificate.

A sample of executed command

Sample of executed command

Conclusion

In today’s digital landscape, securing one’s digital application, files, manifests etc has been very crucial. Developers may verify the validity and integrity of their apps and provide consumers with peace of mind that the product hasn’t been altered by signing the manifest with “mage.exe”.

To verify the application’s integrity and source before installing it, users may also use the tool to verify signed manifests. Signing manifests is essential to preserving security and confidence in Windows platform software deployment procedures.

Encryption Consulting aims to provide you with the necessary tools and guidance to help create a more secure environment. We are well aware of how important file signing is for safeguarding against unforeseen circumstances. We are committed to your security, and we are here to provide you with the information and tools you need to secure the things that are most important to you. We have Code Signing solution to help you with signing your applications. You can reach out to us at [email protected] to request a demo of our CodeSign Secure.

Free Downloads

Datasheet of Code Signing Solution

Code signing is a process to confirm the authenticity and originality of digital information such as a piece of software code.

Download

About the Author

Surabhi Dahal's profile picture

Surabhi is consultant at Encryption consulting, working with Code Signing and development. She leverages her adept knowledge of HSMs and PKIs to implement robust security measures within software applications. Her understanding of cryptographic protocols and key management practices enables her to architect secure code signing solutions tailored to meet the requirements of enterprise environments. Her interests include exploring the realm of cybersecurity through the lens of digital forensics. She enjoys learning about threat intelligence, understanding how adversaries operate, and comprehend strategies to defend against potential attacks.

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo