Are you running .NET 2.0 and seeing slow program starts?  Do your services fail to start before the service start timeout is exceeded?

If your code is signed with Authenticode, there is a complicated little dance that Windows does before it’ll start your program.  Part of that process is downloading certificate revocation lists from sites named in the certificates used to sign your code (or certificates referenced by that certificate – there’s a certificate chain involved).

That’s fine as long as you can reach the sites named, or if you can’t and your machine knows it can’t (for example, does your startup delay go away if you unplug the network cable?).  But if Windows doesn’t realize that those sites are unreachable, it tries and times out, which takes a while (and more than one attempt is probably made).

So, what can you do?  You can turn off certificate revocation list checking (which is tricky if your program is a server and runs under the LOCAL_SYSTEM account).

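The easiest thing is to just strip the Authenticode certificates from your images, at the cost of shipping unsigned binaries whose publisher and integrity Windows can no longer verify.  Here’s how: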

#include <windows.h>
#include <ImageHlp.h>

...

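/* Strip the Authenticode signature from a PE image (link with Imagehlp.lib). */
static void remove_cert(const char* filename)
{
  /* CreateFileA matches the narrow (char) filename even in UNICODE builds. */
  HANDLE h = CreateFileA(filename, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
  if (h == INVALID_HANDLE_VALUE)
    return;

  /* Count the certificates without retrieving their indices. */
  DWORD num_certs = 0;
  if (ImageEnumerateCertificates(h, CERT_SECTION_TYPE_ANY, &num_certs, NULL, 0)
      && num_certs == 1)
    ImageRemoveCertificate(h, 0);
  CloseHandle(h);
}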
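
To confirm whether an image still carries a signature (for example after running the function above, or when auditing what actually shipped), you can read the PE attribute certificate table directly. The following is an added example, not code from the original post: it is portable C with no Windows headers, and the names count_pe_certs and make_sample and the 512-byte sample image are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Returns the number of WIN_CERTIFICATE entries, 0 if unsigned, -1 if malformed. */
int count_pe_certs(const uint8_t *img, size_t len)
{
    if (len < 0x40 || memcmp(img, "MZ", 2)) return -1;
    size_t pe = rd32(img + 0x3C);                      /* e_lfanew */
    if (pe > len || len - pe < 28 || memcmp(img + pe, "PE\0\0", 4)) return -1;
    uint32_t magic = rd32(img + pe + 24) & 0xFFFF;     /* optional header magic */
    if (magic != 0x10b && magic != 0x20b) return -1;
    size_t dirs = pe + 24 + (magic == 0x20b ? 112 : 96); /* PE32+ : PE32 */
    if (dirs > len || len - dirs < 40) return -1;
    if (rd32(img + dirs - 4) < 5) return 0;            /* NumberOfRvaAndSizes */
    size_t off = rd32(img + dirs + 32), size = rd32(img + dirs + 36); /* directory 4 */
    if (off == 0 || size == 0) return 0;               /* no certificate table */
    if (off > len || size > len - off) return -1;      /* off is a file offset, not an RVA */
    int n = 0;
    for (size_t pos = off, end = off + size; end - pos >= 8; n++) {
        size_t entry = rd32(img + pos);                /* dwLength, header included */
        if (entry < 8 || entry > end - pos) return -1;
        entry = (entry + 7) & ~(size_t)7;              /* entries are 8-byte aligned */
        pos += entry < end - pos ? entry : end - pos;
    }
    return n;
}

/* Constructed 512-byte PE32 skeleton with n <= 8 dummy certificate entries at 0x180. */
void make_sample(uint8_t *img, unsigned n)
{
    memset(img, 0, 512);
    memcpy(img, "MZ", 2);
    wr32(img + 0x3C, 0x40);                            /* e_lfanew */
    memcpy(img + 0x40, "PE\0\0", 4);
    wr32(img + 0x58, 0x10b);                           /* PE32 magic */
    wr32(img + 0xB4, 16);                              /* NumberOfRvaAndSizes */
    if (n) { wr32(img + 0xD8, 0x180); wr32(img + 0xDC, n * 16); }
    for (unsigned i = 0; i < n; i++) wr32(img + 0x180 + 16 * i, 12);
}

int main(void)
{
    uint8_t img[512];
    make_sample(img, 1);
    return printf("certificates: %d\n", count_pe_certs(img, sizeof img)) < 0;
}
```

A result of 0 means the file has no embedded signature, so any policy that depends on a signed image will treat it as unsigned.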