Remote Desktop Protocol (.rdp) File Signing Library & Command Line Application

https://github.com/calw20/rdpsign

In Window Server 2008 Microsoft added the rdpsign.exe utility. This command enables you to digitally sign a Remote Desktop Protocol(.rdp) file. See https://technet.microsoft.com/en-us/library/cc753982.aspx for a detailed description.

To the best of my knowledge the specifications of the rdp signature creation are proprietary and have not been published until today (December 2021).

This python script is the result of reverse engineering the rdpsign.exe internals.

sudo curl https://raw.githubusercontent.com/calw20/rdpsign/master/rdpsign.py -o /usr/local/bin/rdpsign
sudo chmod a+rx /usr/local/bin/rdpsign

• python 3.7 or later
• openssl commandline utility

rdpsign --help

The refactor also exposes the signRDP function taking the rdp file to sign as a string, the path to the signing certfile, the path to the key file if needed and wether the lib should split the signature into 64 character chunks.

First we create a simple openssl.conf file:

[ req ]
prompt = no
distinguished_name = publisher
x509_extensions = extensions

[ publisher ]
commonName = DEADBEEF

[ extensions ]
extendedKeyUsage = serverAuth

Now create a selfsigned test certificate and private key:

openssl req -x509 -newkey rsa:2048 -nodes -out signer.crt -keyout signer.key -config openssl.conf

Sign your rdp file:

rdpsign test.rdp test-signed.rdp signer.crt -k signer.key

Copy test-signed.rdp and signer.crt to your windows machine and import the signer.crt test certificate into your trusted root store:

• double click signer.crt
• click the "Install Certificate" button
• in the Certificate Import Wizard choose the "Trusted Root Certification Authorities" store

If you double click test-signed.rdp now you should get a dialog asking if you trust the DEADBEEF publisher.