How can I digitally sign an executable?


Solution 1

As mentioned in the other answers, you will first need to purchase a certificate suitable for code signing. This will cost a few hundred dollars, nowhere near a thousand. When I renewed my company's certificate with Globalsign recently, there was also an investigation to check that the company was legitimate - because I used a mobile number for the registration process, they wanted a letter from the company accountant to verify that we are a real business.

To sign the executable, I use an MSBuild task. Here's an excerpt with the relevant pieces:

<!--
Installer files that need to be signed.
-->
<ItemGroup>
  <InstallerSignedFiles Include="$(BuildRoot)path\to\myinstaller.msi"/>
  <InstallerSignedFiles Include="$(BuildRoot)path\to\setup.exe"/>
</ItemGroup>

<Target Name="ReleasePackaging">
  <!-- Sign the files we're going to release -->
  <SignTool
      CertificateStoreName="My"
      CertificateSubjectName="MyCompany"
      Description="My application description"
      TimestampServerUrl="http://timestamp.verisign.com/scripts/timstamp.dll"
      TargetFiles="@(InstallerSignedFiles)"
     />
</Target>

For this to work as above, you will need to install the certificate into your personal certificate store (see CertificateStoreName="My" in the above example). On the Globalsign web site, this installation was an automatic part of the certificate download process. Note: I found that it helps to use Internet Explorer when you download the certificate, as it is integrated with the Windows certificate store. Once it is in the certificate store on the download computer, you can export it as a pfx file, transfer it to your build machine, and import it there. If you do export it, I would advise that you protect the exported file with a password in case it falls into the wrong hands.

When you use the SignTool MSBuild task as above, it reads certificates from the personal store ("My") that is associated with the current Windows user account. This means that you can control who can sign code with your certificate, which is a Good Thing. You should only import the certificate into the personal store of developers that you trust.

It's a good idea to use the timestamp server when signing code, so that you don't need to re-sign the code when the certificate expires.

Solution 2

You'll need the code-signing command line utility from Microsoft.

And then:

signtool.exe sign /v /f "MyCertificate.pfx" -t "http://timestamp.verisign.com/scripts/timstamp.dll" "MyApp.exe"

or alternatively

signcode.exe -a "sha1" -spc "MySoftwarePublishingCertificate.spc" -v "MyPrivateKeyFile.pvk" -t "http://timestamp.verisign.com/scripts/timstamp.dll" "MyApp.exe"
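A defender-side check to go with the signing commands above, added here as an example that is not part of this answer: a small Python parser that finds the Authenticode signature in a PE file (the Certificate Table data directory, which unlike the other directories holds a raw file offset) and reports where the embedded WIN_CERTIFICATE/PKCS#7 blob sits. `build_sample_pe` is an assumed, constructed headers-only image for offline testing; on a real build machine you would pass the bytes of `MyApp.exe` instead.

```python
import struct

# Offsets from the PE/COFF spec. The Authenticode signature is stored in the
# Certificate Table data directory (index 4) as a WIN_CERTIFICATE structure.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def authenticode_blob(pe: bytes):
    """Return (file_offset, size, revision, cert_type) of the embedded
    WIN_CERTIFICATE, or None when the image carries no signature at all."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    opt_hdr = e_lfanew + 4 + 20            # skip "PE\0\0" + COFF file header
    magic = struct.unpack_from("<H", pe, opt_hdr)[0]
    pe32plus = magic == 0x20B
    n_dirs = struct.unpack_from("<I", pe, opt_hdr + (108 if pe32plus else 92))[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = opt_hdr + (112 if pe32plus else 96) + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    offset, size = struct.unpack_from("<II", pe, entry)
    if size == 0:
        return None
    # Unlike every other directory, this entry holds a file offset, not an RVA.
    length, revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    if length > size or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("malformed or unsupported certificate table entry")
    return offset, size, revision, cert_type


def build_sample_pe(signed: bool) -> bytes:
    """Constructed, headers-only PE32 image used as sample input (not a real
    binary); with signed=True a placeholder PKCS#7 blob is appended."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                     # PE32 optional header, 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<I", opt, 92, 16)      # NumberOfRvaAndSizes
    headers_len = len(dos) + 4 + len(coff) + len(opt)
    blob = b""
    if signed:
        der = b"\x30\x82\x01\x00" + b"\0" * 8    # stand-in for the real PKCS#7 DER
        blob = struct.pack("<IHH", 8 + len(der), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + der
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, len(blob))
    return dos + b"PE\0\0" + coff + bytes(opt) + blob


if __name__ == "__main__":
    print(authenticode_blob(build_sample_pe(True)))   # (312, 20, 512, 2)
```

Finding the blob only tells you the file was signed by someone; whether the signature chains to a trusted code-signing certificate and carries a timestamp still has to be checked with `signtool verify` or PowerShell's `Get-AuthenticodeSignature`.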

Solution 3

I am not marketing anyone here but try VeriSign. They offer Code signing which is what you are looking for.

Solution 4

You might want to read Signing and Checking Code with Authenticode.


Author: Rudi
Updated on May 11, 2020

Comments

  • Rudi
    Rudi almost 4 years

    I'm coding software that requires administrative access. When a UAC dialog pops up, it shows a different popup for digitally signed software than non-signed software. I believe digitally signing my software would enable users to trust my software easier. Does it cost thousands of dollars to digitally sign software, or is it free? Is there a simple way to do it? I've searched around Google and all I get is how to sign PHP, XML, and PDF files, which is not what I want. I need to sign my software executable.

    Just saw something about sigtool.exe? Is this the right direction? What about those complicated .pfx files and Authenticode or what not?

  • marius
    marius almost 14 years
    As VeriSign notes it in their instructions (knowledge.verisign.com/support/code-signing-support/…) the correct link to the TimeStamp server is timestamp.verisign.com/scripts/timstamp.dll "Note: "timstamp.dll" does not contain the letter "e""
  • Admin
    Admin over 13 years
    I only see a SignFile task. What is this "SignTool" task you speak of?
  • Rich Tebb
    Rich Tebb over 13 years
    @Will, it's a custom MSBuild task that I created to wrap signtool.exe. Basically it subclasses ToolTask which means there's barely any work involved. The source is too big to post in a comment but I could email it to you if you like, contact rich [at] prabang [dot] co [dot] uk