AutoCAD-based programs use digital signatures to verify whether a custom program file can be safely loaded. Binary (ObjectARX and Managed .NET) files with the ARX, CRX, DBX, or DLL file extensions can be digitally signed. Additionally, MSI files created to deploy custom programs can and should also be digitally signed.
Note: The Sign Tool (SignTool.exe) by Microsoft is required to attach a digital signature to a binary file. You must download and install the latest version of the Windows SDK from Microsoft's website (https://developer.microsoft.com/en-us/windows/desktop/) to use the Sign Tool. In addition to the Sign Tool, you will also need to obtain a digital certificate. A digital certificate is typically obtained from a vendor such as Symantec ™
and DigiCert ®
, but it is possible to create your own digital certificate for distributing your applications inside your company.
The following is an example of signing a binary file using the SignTool.exe tool:
"C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe" sign /f MyCert.pfx /p MyPassword /t http://timestamp.verisign.com/scripts/timstamp.dll "c:\Autodesk\AdskUtil.arx"
- "C:\Program Files\Microsoft SDKs\Windows\<version>\Bin\MakeCert.exe" - Specifies the location of the SignTool.exe tool.
- sign - Indicates that a binary file will be signed.
- /f MyCert.pfx - Specifies the location of the PFX file that will be used to sign the file. In this example, the file is named MyCert.pfx.
- /p MyPassword - Specifies the password that is assigned to the PFX file. In this example, the password is MyPassword.
- /t http://timestamp.verisign.com/scripts/timstamp.dll - Specifies the URL of the timestamp server. The file on the server must have been previously digitally signed. In this example, the server and file for the timestamp is http://timestamp.verisign.com/scripts/timstamp.dll.
- "c:\Autodesk\AdskUtil.arx" - Specifies the file to be signed. In this example, the file that will be signed is AdskUtil.arx located in the c:\Autodesk folder.
To sign a binary file, do the following:
- Click the Windows Start button
Windows System Command Prompt.
- In the Windows Command Prompt window, type cd %userprofile%\Documents and press Enter to set the Documents folder as the current working folder. If you want to use a different working folder, specify that location instead.
- Type the location of the
SignTool.exe and the arguments that should be executed.
The signing of the file should be successful as long as the file isn't marked read-only or in a read-only location.
- Do one of the following based on the type of file that was signed:
- Load the newly signed file into an AutoCAD-based program and verify that the digital signature is recognized.
- Verify the newly signed MSI file was digitally signed in Windows File Explorer and then test the file to make sure it runs as expected.
Note: The digital certificate must be in the Trusted Root certificate store for an AutoCAD-based program to verify the signature.