Digital Signature Basics

Why do you want to digitally sign an OpenType font?

  1. Secure identification. If the digital signature is valid, then the font really was made by the font foundry named in the signing certificate that is stored in the DSIG table.
  2. Guarantee of no tampering. If the digital signature is valid, then the font has not been changed in any way since it was signed.

In a digital world that is increasingly concerned with security and reliability, making these two statements about your font offers useful customer value.

Also, it seems probable that future versions of some operating systems will offer users the option of installing only digitally signed, and hence trusted, components. If your fonts are not digitally signed, then users who require this feature will not use your fonts.

Finally, a valid digital signature proves to the end user that the font file has not been damaged or corrupted. This is also a useful assertion to make. There is other data in the OpenType font (the per-table checksums and the head table's checkSumAdjustment) that can offer the same proof against accidental damage, but anyone who edits a font can recompute those, and only the digital signature can be easily checked by an end user, through the Font Properties dialog.

What do digital signatures not do?

  1. Digital signatures are not copy protection. They do not keep an end user from editing your fonts or duplicating them, nor do they keep someone from using a font editor to steal the font data and re-issue it under their own name. However, if anything - including the copyright and trademark info in the font - is changed, then the signature no longer verifies; the altered font will only pass as valid if the signature is removed altogether.
  2. Digital signatures do not guarantee that the font is a good font. The Microsoft signcode tool does require that the basic OpenType tables are present and that the font is in the correct format, but it cannot check that the data in the file is good.

How do digital signatures work?

A digital signature is verified through a chain of digital certificates, each vouching for the next. A certificate itself can be copied freely; what cannot be copied is the private key that goes with it, and only the holder of that key can make signatures that the certificate validates.

A root authority, such as the Verisign company, makes a digital certificate which only they own. This certificate says basically "This certificate is owned and used only by Verisign".

You buy from them a digital certificate, which only you own. Yours is signed with their private key, and so refers back to their certificate. Yours says "This certificate is owned and used only by Whosis Font Company, at such-and-such address, and Verisign checked that we really are who we say we are and live at this address, and the proof is that our certificate is signed using their key, with this unique ID".

You then use your certificate to make a DSIG table in your OpenType font file. This DSIG table will be valid only as long as the data in the rest of the font file does not change at all, and will work for only this exact font - you can't copy a DSIG table from one font to another.
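The DSIG table, and the checksum data mentioned under Digital Signature Basics, in working code: this is an added example, not code from the original page or from the Microsoft signing tools. It is Python using only the standard library. It parses the sfnt table directory, recomputes every table checksum and the head table's checkSumAdjustment, and extracts the raw PKCS#7 packet(s) from the DSIG table. It does not verify the PKCS#7 signature or the certificate chain; that needs a CMS/X.509 library and the root-authority list that checking software carries. The sample font is constructed inline and is not a usable font, and the PKCS#7 bytes are a placeholder.

```python
"""Parse an OpenType font's table directory, check its checksums and pull the
PKCS#7 packets out of the DSIG table.  Added example, standard library only; not
code from the original page or the Microsoft signing tools.  Sample data below
is constructed and is not a usable font."""
import struct

SFNT_VERSIONS = (0x00010000, 0x4F54544F)   # TrueType outlines, 'OTTO' (CFF outlines)
HEAD_MAGIC = 0x5F0F3CF5
CHECKSUM_CONSTANT = 0xB1B0AFBA             # head.checkSumAdjustment = const - sum(whole file)

def table_checksum(data: bytes) -> int:
    """OpenType checksum: sum of big-endian uint32 words, zero-padded to 4 bytes."""
    padded = data + b"\0" * (-len(data) % 4)
    return sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) & 0xFFFFFFFF

def parse_table_directory(font: bytes) -> dict:
    """Return {tag: (stored_checksum, offset, length)} from the sfnt header."""
    sfnt_version, num_tables = struct.unpack(">IH", font[:6])
    if sfnt_version not in SFNT_VERSIONS:
        raise ValueError("not an OpenType/TrueType sfnt file")
    tables = {}
    for i in range(num_tables):
        tag, chk, off, length = struct.unpack(">4sIII", font[12 + 16 * i:28 + 16 * i])
        if off + length > len(font):
            raise ValueError("table %r runs past end of file" % tag)
        tables[tag.decode("latin-1")] = (chk, off, length)
    return tables

def table_data(font: bytes, tables: dict, tag: str) -> bytes:
    """Table bytes; for 'head' the checkSumAdjustment field is zeroed, as the spec requires."""
    _, off, length = tables[tag]
    data = font[off:off + length]
    return data[:8] + b"\0\0\0\0" + data[12:] if tag == "head" else data

def bad_table_checksums(font: bytes, tables: dict) -> list:
    """Tags whose directory checksum does not match the table bytes (damage or edits)."""
    return [tag for tag, (stored, _, _) in tables.items()
            if table_checksum(table_data(font, tables, tag)) != stored]

def head_adjustment_ok(font: bytes, tables: dict) -> bool:
    """Recompute head.checkSumAdjustment over the whole file with that field zeroed."""
    _, off, _ = tables["head"]
    stored = struct.unpack(">I", font[off + 8:off + 12])[0]
    zeroed = font[:off + 8] + b"\0\0\0\0" + font[off + 12:]
    return (CHECKSUM_CONSTANT - table_checksum(zeroed)) & 0xFFFFFFFF == stored

def extract_dsig_signatures(font: bytes, tables: dict) -> list:
    """Raw PKCS#7 packets from the DSIG table (empty list if the font is unsigned)."""
    if "DSIG" not in tables:
        return []
    _, off, length = tables["DSIG"]
    dsig = font[off:off + length]
    version, num_sigs, _flags = struct.unpack(">IHH", dsig[:8])   # DSIG header
    if version != 1:
        raise ValueError("unknown DSIG version %d" % version)
    sigs = []
    for i in range(num_sigs):   # SignatureRecord: format, length, offset from start of DSIG
        fmt, _rec_len, blk = struct.unpack(">III", dsig[8 + 12 * i:20 + 12 * i])
        if fmt != 1:
            raise ValueError("unknown signature format %d" % fmt)
        _, _, sig_len = struct.unpack(">HHI", dsig[blk:blk + 8])   # SignatureBlock format 1
        sigs.append(dsig[blk + 8:blk + 8 + sig_len])
    return sigs

# --- constructed sample input: a minimal sfnt container with head, DSIG and a filler table ---
def build_dsig(pkcs7: bytes) -> bytes:
    block = struct.pack(">HHI", 0, 0, len(pkcs7)) + pkcs7
    return struct.pack(">IHH", 1, 1, 0) + struct.pack(">III", 1, len(block), 20) + block

def build_font(tables: dict) -> bytes:
    tags = sorted(tables)                       # directory entries are sorted by tag
    n = len(tags)
    sel = max(n.bit_length() - 1, 0)            # entrySelector / searchRange / rangeShift
    header = struct.pack(">IHHHH", 0x00010000, n, 16 << sel, sel, 16 * n - (16 << sel))
    directory, body, base = b"", b"", 12 + 16 * n
    for tag in tags:
        data = tables[tag]                      # 'head' must arrive with checkSumAdjustment = 0
        directory += struct.pack(">4sIII", tag.encode("latin-1"),
                                 table_checksum(data), base + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)
    font = header + directory + body
    head_off = parse_table_directory(font)["head"][1]
    adj = struct.pack(">I", (CHECKSUM_CONSTANT - table_checksum(font)) & 0xFFFFFFFF)
    return font[:head_off + 8] + adj + font[head_off + 12:]

SAMPLE_HEAD = (struct.pack(">HHIIIHH", 1, 0, 0x00010000, 0, HEAD_MAGIC, 0, 1000)
               + b"\0" * 16 + struct.pack(">hhhhHHhhh", 0, 0, 0, 0, 0, 8, 2, 0, 0))
SAMPLE_PKCS7 = b"\x30\x82placeholder-not-a-real-PKCS7-packet"   # stands in for the DER blob
SAMPLE_FONT = build_font({"head": SAMPLE_HEAD, "DSIG": build_dsig(SAMPLE_PKCS7),
                          "name": b"\0\0\0\0\0\6"})              # 'name' body is filler

if __name__ == "__main__":
    t = parse_table_directory(SAMPLE_FONT)
    print(sorted(t), bad_table_checksums(SAMPLE_FONT, t),
          head_adjustment_ok(SAMPLE_FONT, t), extract_dsig_signatures(SAMPLE_FONT, t))
```

Note what the checksums give you and what they do not: they catch a truncated download or a flipped byte, but anyone who edits the font can recompute them, so only the DSIG signature proves the file is unmodified since the foundry signed it. The signature covers the rest of the font, which is why the DSIG table is useless when copied into another file.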

A digital signature is only as good as the root authority, however. Anyone can set up as a root authority, and can even make digital certificates that claim to be Verisign. The defence against this is that the software which checks digital signatures has a (short) list of known valid root authority certificates, and a chain that does not end in one of them is rejected. It can also check (over the Web) whether any certificate in the chain has been revoked by its owner, as might happen if the private key has been stolen.

Another issue is time. In order to reduce the risk from a stolen key, Verisign makes certificates valid for only a period of time. The digital certificate that you can buy is valid for only one year. The reason that a digital signature can stay valid for longer than the certificate which made it is that the signature can be time-stamped. Verisign offers a web-based service: the signing tool contacts Verisign, and Verisign sends back a signed time-stamp which is added to the digital signature and proves that the signature existed at a specific date and time, with Verisign vouching for that. A checker can then confirm that the signature was made during the period when the certificate was valid.

NOTE! You must time-stamp your digital signature, or it becomes invalid when the original digital certificate expires.
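The time rule above as a small decision procedure, added here as an example; it is not code from the original page or from the signing tools, and the certificate, its dates and the revocation date are made up. It assumes the Authenticode convention that a time-stamped signature is judged at the time-stamp and an unstamped one at the moment it is checked, and that a revocation only affects signatures made on or after the revocation date.

```python
"""Time rules for a signed file: added example, not code from the original page.
Models the checks the page describes (certificate validity window, time-stamp,
revocation) with naive UTC datetimes; certificates and dates are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None     # set when the CA has revoked it (stolen key)


@dataclass
class Signature:
    cert: Certificate
    timestamp: Optional[datetime] = None      # trusted time-stamp from the TSA, if any


def evaluate(sig: Signature, now: datetime) -> str:
    """Return 'valid', or the reason the signature is rejected at time `now`.

    Policy assumed here (it follows the Authenticode convention): the signing
    time is the time-stamp if there is one, otherwise the moment of checking.
    The certificate must have been valid, and not yet revoked, at that time.
    """
    cert = sig.cert
    signing_time = sig.timestamp if sig.timestamp is not None else now
    if signing_time < cert.not_before:
        return "signed before the certificate became valid"
    if signing_time > cert.not_after:
        if sig.timestamp is None:
            return "certificate expired and the signature is not time-stamped"
        return "time-stamp is later than the certificate expiry"
    if cert.revoked_at is not None and cert.revoked_at <= signing_time:
        return "certificate was revoked before the signature was made"
    return "valid"


# Constructed sample: a one-year certificate, checked several years later.
FOUNDRY = Certificate("Whosis Font Company", datetime(2001, 1, 1), datetime(2002, 1, 1))
STAMPED = Signature(FOUNDRY, timestamp=datetime(2001, 6, 1))
UNSTAMPED = Signature(FOUNDRY)

if __name__ == "__main__":
    for label, sig in (("stamped", STAMPED), ("unstamped", UNSTAMPED)):
        print(label, evaluate(sig, datetime(2005, 1, 1)))
```

Run it and the unstamped signature is the one that fails once the certificate's year is over; the stamped one stays valid, and stays valid even if the certificate is later revoked because its key was stolen after the signing date.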

Digital Signature Check List

  1. Buy your digital certificate from Verisign. You need a Windows system with a floppy drive and with access to the Internet.
  2. Get the signing tools from the MS Typography web site
  3. Write a command file to sign batches of fonts, unless you like typing a lot.
  4. Start signing and time-stamping fonts.

Detailed Procedures

1) Buy your digital certificate from Verisign.

Verisign is currently the only vendor selling digital certificates and time-stamping services that can be used with the MS signing tools.

You need a Windows system with a floppy drive and with access to the Internet, and a Visa or Mastercard good for $400.

Don't try to work with Verisign customer support. As of the writing of this document, they know nothing about signing fonts, and will give you a lot of advice that does not help. The people who can help you are busy with really big accounts. Just go directly to the web site and register.

First collect the following information.

Name and contact information (e-mail, address, telephone number) of your technical contact. This person will collect the digital certificate, and will get an e-mail from Verisign about a month before the digital certificate expires.

Name and contact information (e-mail, address, telephone number) of your billing contact. This person will get phone calls from Verisign to check all the contact info you give them, and will get e-mail about problems with the Visa card.

Name and contact information (e-mail, address, telephone number) of your organization contact. This person will get phone calls from Verisign to check all the contact info you give them, and must be an employee of your company.

DUNS number (Dun & Bradstreet number). This is part of the proof of who you are. If you don't have one, you must fax a copy of your articles of incorporation, business license, or other charter documents when you place your order.

Visa card number, expiration date, and account name. The account name should be the company name, or the name of one of the people above. You can also pay with a purchase order or check, but that adds weeks to the purchase process.

Challenge phrase. This is a password which is used by the technical contact person to get the full digital certificate.

You need to buy a Class 3 Standard (not Pro) commercial certificate. Go to www.verisign.com; look under Products & Services > Code Signing > Code Signing Digital IDs > Microsoft Authenticode Digital ID > purchasing page.

This link will get you to page which provides an overview of the process. To actually order the digital ID, page down to the section "The Six Steps to Signing Code", and follow the link under Step 2. Read the directions here to make sure you have the right browser, and then follow the link "Code Signing Digital ID for Microsoft Authenticode".

Put a floppy disk in your Windows system drive A:, connect to the web address above, and fill out all the requested info.

You will also be asked to choose a Cryptographic Service Provider. You should choose: "Microsoft Base Cryptographic Provider".

When you submit the info, the Verisign web service will ask you for some information about delivering the first half of your digital certificate. This will be in the form of a file with the extension ".pvk", written to your floppy disk; you can pick whatever filename you want. Note that the .pvk file is actually your private key, not the certificate: anyone who has it can sign fonts in your name, so it must be kept secret. You can also choose a password for use of the key. This can be different from the challenge phrase you chose on the first page. If you leave the password field blank, no password will be required to use the key. The drawback to using a password is that you can then sign fonts in batch mode only if you install your digital certificate and key in your Windows system. The drawback to NOT having a password is that someone who steals your .pvk file can use it without having to know a password. You must decide which you feel is safer: a hidden floppy disk with an unprotected private key file on it, or the key installed on a Windows system that is connected to the Internet.

When you complete this info, the Verisign web service will write the pvk file to your floppy disk. You then need to keep this floppy until you can pick up the second half of the digital certificate, in the form of a file with the same name and the extension '.spc' (the certificate itself, which is public and can be given out).

When Verisign has processed your payment and verified your organizational information, your technical contact will get an e-mail saying that the other half (a file with the extension '.spc') can be picked up at a specific Web URL.

WARNING! The person who picks up the other half:

  1. Needs to be using the same Windows system, with no browser or system updates since the first half was picked up.
  2. Needs to have the SAME floppy, with the pvk file on it, in the floppy drive
  3. Needs to be logged into the system with the same user name

Once the second half has been picked up, you have the complete digital certificate (the .spc file) and its private key (the .pvk file) on the floppy disk. Make a copy, and keep both copies away from anyone who should not be able to sign in your name.

2) Install the signing tools from the MS Typography web site

On a Windows system, go to: http://www.microsoft.com/typography/developers/dsig and double-click on the title "OpenType Font Signing Tool"

Then follow the link "download and info page".

Download the tools by clicking on the server name that is closest to you.

Choose to save the file to disk, and to save it anywhere you want. This creates a file:

dsig.exe

Create the directory where you want to keep the signing tools - the installer will install the files loose in the directory you choose. Make sure the path is short - you will have to use the command window to run these tools, and you don't want to have to type long path names. You can put them anywhere you want, but if you put them in:

C:\Program Files\MSSignTools

you will need to do less editing of the command files below.

Double-click on this file. This starts the installer. When prompted to type the location, browse to the location you want the files.

To open a command prompt window, from the Start menu, choose:

Programs->Accessories->Command Prompt. This gives you a DOS-style command window.

Follow the instructions on 'download and info page' through step 2, to get the system library installed.

You can run the signing tools manually as described – you just need to change the current directory in the command window to the location of the sign tools:

C:

To change to the C: drive. Then:

cd "Program Files\MSSignTools"

You need the quotes around the directory path, because of the space in the first directory name.

Then follow the rest of the instructions to sign a font.

You can also just double-click on the signcode tool, and a series of dialogs will guide you through signing the font. The first dialog asks you to choose the font to sign. The next dialog offers Typical vs Custom configuration.

To use the digital certificate on your floppy, you must choose the "Custom" rather than the "Typical" configuration. In the dialog after choosing Custom configuration, choose to select the certificate from file. Browse to and open the *.spc file on your floppy. You return to the dialog for selecting a certificate, with the file name listed. Select this file name, and then continue. On the next dialog, don't change any settings - just browse to and select the *.pvk file on your floppy. If your private key has a password, at this point you will be prompted to enter it. Now continue to the end. Don't change any technical options; do add your company's web address. Choose to time-stamp - remember, this requires a web connection.

To use the "Typical" configuration, you must first install your digital certificate and private key in your Windows personal certificate store. To do this, see "3.1 Installing your digital certificate in your personal store" below. When this is complete, you can use the "Typical" configuration setting for the signcode tool. When you get to the "Signature Certificate" dialog, choose "Select From Store", and select your certificate.

3) Write commands file to sign batches of fonts

If you need to sign a lot of fonts, then doing them one by one is annoying. You can create command files to allow batch signing and time-stamping. You can then drag-and-drop either a set of fonts, or a set of directories, on to the command file, and have them all batch processed. HOWEVER: batch mode only works if the tool does not stop to ask for a password, so either the .pvk file must have no password, or the key must be installed in your personal store as described in 3.1.

3.1 Installing your digital certificate in your personal store.

If you specified a password for use of your digital certificate when you bought it, then you must install the associated private key in your Windows system local stores. This way, you only enter the password once, when you install it. To do this, you must first obtain the tool PVKIMPRT.EXE. To get this:

Go to: http://office.microsoft.com/downloads/2000/pvkimprt.aspx and follow the directions. Note that you can get to the Certificate Manager more easily than described - a copy is included in the signing tools, so you can just double-click on that copy.

Signing vs time-stamping:

The command files below time-stamp as a separate operation from signing. This is partly because it can be useful to ensure that all your fonts get signed correctly before time-stamping. Also, time-stamping is not reliable - the web service is not always available, for all the usual Internet problems. Finally, you may prefer to be able to take your floppy with the digital certificate out of the Windows system while it is connected to the Internet, and then you must be able to sign first, and then time-stamp later.

To use these command files, you must edit them to provide the correct:

  • path to the SPC file
  • path to the PVK file (if using the pvk file on the floppy)
  • SHA1 thumbprint value (if using the pvk installed in your system)
  • your company's web address
  • path to your signtools directory.

3.2 Command file to sign a list of fonts dragged onto the command file, using floppy PVK file

This command file writes a log file, sign_fonts.log, in the signing tools directory (the command file changes to that directory before it starts).

You must replace:

"A:\fontcert003.spc" with the path to your *.spc file

"A:\fontcert003.pvk" with the path to your *.pvk file.

"www.adobe.com" with the URL for you company.

NOTE: This cmd file works only if your digital certificate has no password. Otherwise, you are prompted for the password for every single font.

Note: it is important that the file extension be '.cmd'.

rem START OF FILE "sign_fonts.cmd"
@echo off
rem Change directory (and drive, because of /d) to where the signcode.exe file is. We need the quotes because of the space in the path name.
cd /d "C:\Program Files\MSSignTools"
rem echo date to the log file, overwriting any existing file by the same name.
date /T > sign_fonts.log
rem echo time to the log file, appending to it.
time /T >> sign_fonts.log
rem DO loop control on list of files dropped on the command file
:DO_NEXT_NAME
if %1#==# goto DONE
rem Echo font name to console
echo Signing font: %1
rem Echo command line to console
echo signcode -spc A:\fontcert003.spc -v A:\fontcert003.pvk -j mssipotf.dll -i "www.adobe.com" %1
rem Run signcode tool, and send the result report to the log file.
rem "%~1" strips any quotes Explorer added and re-quotes the name, because the path to the font might contain spaces.
signcode -spc A:\fontcert003.spc -v A:\fontcert003.pvk -j mssipotf.dll -i "www.adobe.com" "%~1" >> sign_fonts.log
rem discard the last font name.
shift
goto DO_NEXT_NAME
:DONE
rem All done with file list. Write time to log file
time /T >> sign_fonts.log
rem Echo the log file to the command window.
type sign_fonts.log
rem Keep the command window from closing, so user has a chance to see the stuff echoed above.
pause
rem END OF FILE

3.3 Command file to sign a list of fonts dragged onto the command file, using PVK in registry

You must replace the long hexadecimal number following the '-sha1' option with the thumbprint value for your digital certificate. The thumbprint is the SHA-1 hash of the certificate, and signcode uses it to pick the right certificate out of the store. To get this:

- First, use the PVKIMPRT.exe tool to import your digital certificate as described above.

- Then, double-click on the certmgr.exe tool that you got with the rest of the sign tools. This brings up the Certificate Manager. Select your digital certificate. This will be under the "Personal" tab, unless you chose to put it in another store. Then click on the "View" button, select the "Details" tab, and scroll to the bottom of the Details window. Select the "Thumbprint" item; the value will appear in the bottom window. Copy and paste this value into the command file, and edit out all the spaces - the number must be one long value.

Note: it is important that the file extension be '.cmd'.

Use the same command file as above, but replace the echo and signcode lines with:

rem Echo command line to console, so we can see what's happening.
echo signcode -sha1 E649ED6B7599E0610DDA93ED64EB8A4534BDFD4B -j mssipotf.dll -i "www.adobe.com" %1
rem Run signcode tool, and direct result report to the log file
signcode -sha1 E649ED6B7599E0610DDA93ED64EB8A4534BDFD4B -j mssipotf.dll -i "www.adobe.com" "%~1" >> sign_fonts.log

3.4 Command file to time-stamp a list of fonts dragged onto the command file.

Note: it is important that the file extension be'.cmd'.

rem Start of file 'tstamp_fonts.cmd'
@echo off
rem Change directory (and drive, because of /d) to where the signcode.exe file is. We need the quotes because of the space in the path name.
cd /d "C:\Program Files\MSSignTools"
rem echo date to the log file, overwriting any existing file by the same name.
date /T > tstamp_fonts.log
rem echo time to the log file, appending to it.
time /T >> tstamp_fonts.log
rem DO loop control on list of files dropped on the command file
:DO_NEXT_NAME
if %1#==# goto DONE
rem Echo font name to console
echo Time-stamping font: %1
rem Echo command line to console. -x means time-stamp only; -tr is the number of tries, -tw the seconds to wait between tries.
echo signcode -x -tr 5 -tw 4 -t "http://timestamp.verisign.com/scripts/timstamp.dll" %1
rem Run signcode tool, and send the result report to the log file
signcode -x -tr 5 -tw 4 -t "http://timestamp.verisign.com/scripts/timstamp.dll" "%~1" >> tstamp_fonts.log
rem discard the last font name.
shift
goto DO_NEXT_NAME
:DONE
rem All done with file list. Write time to log file
time /T >> tstamp_fonts.log
rem Echo the log file to the command window.
type tstamp_fonts.log
rem Keep the command window from closing, so user has a chance to see the stuff echoed above.
pause
rem End of file

3.6 Command file to sign a list of directories of fonts dragged onto the command file, using PVK in registry

You must replace the long hexadecimal number following the '-sha1' option with the thumbprint value for your digital certificate. See section 3.3 on how to get this.

Note: it is important that the file extension be '.cmd'.

Use the same command file as in section 3.5, but replace the lines:

for %%o in (*.ttf) do echo %%o >> signdir.log & signcode -spc A:\fontcert003.spc -v A:\fontcert003.pvk -j mssipotf.dll -i "www.adobe.com" "%%o" >> signdir.log
for %%o in (*.otf) do echo %%o >> signdir.log & signcode -spc A:\fontcert003.spc -v A:\fontcert003.pvk -j mssipotf.dll -i "www.adobe.com" "%%o" >> signdir.log

with:

for %%o in (*.ttf) do echo %%o >> signdir.log & signcode -sha1 E649ED6B7599E0610DDA93ED64EB8A4534BDFD4B -j mssipotf.dll -i "www.adobe.com" "%%o" >> signdir.log
for %%o in (*.otf) do echo %%o >> signdir.log & signcode -sha1 E649ED6B7599E0610DDA93ED64EB8A4534BDFD4B -j mssipotf.dll -i "www.adobe.com" "%%o" >> signdir.log

3.7 Command file to time-stamp a list of directories of fonts, when the selected directories are dragged onto the command file.

The following 'tstamp_fontdirs.cmd' file will write a log file in each font directory. Log file name is tstamp_fonts.log.

Note: it is important that the file extension be '.cmd'.

rem Start of file tstamp_fontdirs.cmd
@echo off
rem Add the path to the signcode tool to the PATH variable, so that the system will find the signcode command
set SIGN_FONT_TOOLS=C:\Program Files\MSSignTools
path "%SIGN_FONT_TOOLS%";%PATH%
:DO_NEXT_NAME
if %1#==# goto DONE
rem report directory to command prompt window
echo Time-stamping fonts in dir: %1
rem change current directory to the target directory. "%~1" strips the quotes Explorer adds around paths with spaces and re-quotes the name.
pushd "%~1"
rem echo directory name to log file, overwriting any existing file by the same name.
rem the log file is written in the target directory.
echo Time-stamping fonts in dir: %1 > tstamp_fonts.log
rem echo date and time to the log file
date /T >> tstamp_fonts.log
time /T >> tstamp_fonts.log
rem for each .ttf and .otf file, echo the filename to the log file, then run the signcode command
rem and send the result to the log file. Echo is turned on so the commands are shown in the window.
@echo on
for %%o in (*.ttf) do echo %%o >> tstamp_fonts.log & signcode -x -t "http://timestamp.verisign.com/scripts/timstamp.dll" "%%o" >> tstamp_fonts.log
for %%o in (*.otf) do echo %%o >> tstamp_fonts.log & signcode -x -t "http://timestamp.verisign.com/scripts/timstamp.dll" "%%o" >> tstamp_fonts.log
@echo off
rem All done with this directory. echo date and time to the log file
date /T >> tstamp_fonts.log
time /T >> tstamp_fonts.log
echo See tstamp_fonts.log in %1 for results
echo.
echo.
rem return to original directory
popd
rem discard the last directory processed.
shift
goto DO_NEXT_NAME
:DONE
rem All done.
rem Keep the command window from closing, so user has a chance to see the stuff echoed above.
pause
rem End of file