How to correctly sign an executable

Solution 1

Assembly signing != Authenticode signing.

To Authenticode-sign an assembly with signtool, you'll need a code signing certificate from a trusted issuing authority.

You can then issue the following post-build command to sign your executable:

"signtool.exe" sign /f "$(SolutionDir)myCertificate.pfx" /p certPassword /d "description" /du "http://myinfourl" /t "http://timeserver.from.cert.authority/" "$(TargetPath)"

Everything you need to know about Authenticode Code Signing
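
Authenticode signatures live in the PE certificate table (data directory 4), which strong-name assembly signing never touches, so signtool finds nothing in a file that was only given a key file. The following Python example, added here as an illustration and not part of the original answer, lists the WIN_CERTIFICATE entries of a file; `sample_pe` and `SAMPLE_CERT` are constructed test data, not real signatures.

```python
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: where signtool embeds the signature

def data_directory(pe, index):
    """Return the (address, size) pair of one PE data directory entry."""
    (nt,) = struct.unpack_from("<I", pe, 0x3C)                # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = nt + 24                                             # skip signature + COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    fixed = {0x10B: 96, 0x20B: 112}.get(magic)                # PE32 / PE32+ fixed part
    if fixed is None:
        raise ValueError("unknown optional header magic")
    (count,) = struct.unpack_from("<I", pe, opt + fixed - 4)  # NumberOfRvaAndSizes
    if index >= count:
        return (0, 0)
    return struct.unpack_from("<II", pe, opt + fixed + 8 * index)

def authenticode_entries(pe):
    """List (revision, cert_type, blob_length) for each WIN_CERTIFICATE entry."""
    offset, size = data_directory(pe, SECURITY_DIR)  # a file offset here, not an RVA
    if offset + size > len(pe):
        raise ValueError("certificate table lies outside the file")
    entries, pos, end = [], offset, offset + size
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE entry")
        entries.append((revision, cert_type, length - 8))
        pos += (length + 7) & ~7                     # entries are 8-byte aligned
    return entries

def sample_pe(cert=b""):
    """Constructed minimal PE32 headers (not a loadable program), cert appended."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16)
    dirs = bytearray(128)
    if cert:                                         # headers total 312 bytes
        struct.pack_into("<II", dirs, 8 * SECURITY_DIR, 312, len(cert))
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + cert

# Constructed placeholder: revision 2.0, type 2 (PKCS#7 SignedData), 8 dummy bytes
SAMPLE_CERT = struct.pack("<IHH", 16, 0x0200, 0x0002) + bytes(8)

if __name__ == "__main__":
    print("key file only:", authenticode_entries(sample_pe()))
    print("after signtool sign:", authenticode_entries(sample_pe(SAMPLE_CERT)))
```

A non-empty result only shows that a signature blob is embedded; `signtool verify /pa` is what validates the digest and certificate chain.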

Solution 2

Basically you have 2 options. Using a command that you manually execute or execute via a batch file:

signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f "D:\Source\Certificates\CodeSign.pfx" /as /p MyPassword "{path to exe}"

becomes a bit frustrating after a while. Better to add it on your project's option page in the Build Events.

In your post build you would enter

call "C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f "D:\Source\Certificates\CodeSign.pfx" /p MyPassword "$(TargetPath)"

The macro $(TargetPath) will be filled with the path to your compiled exe or dll.

Now each time you compile you will get a signed file.

Would look something like this: Project property page

Author by

joe

Updated on June 21, 2022

Comments

  • joe
    joe almost 2 years

    I have made a little tool. It is a console application that when running on Win7 brings the UAC security prompt. I tried to sign this EXE file in Visual Studio 2010 using the following steps:

    1. Project properties
    2. Signing
    3. Create new key as shown below

    enter image description here

    The key file was successfully created, as you can see in the capture below.

    enter image description here

    Issues:

    The file is still being blocked by the UAC security prompt. When I checked whether the file was signed using signtool.exe, it told me no signature was found. Please correct me if I'm following the wrong steps.

    enter image description here

  • joe
    joe almost 11 years
    Worked fine. Also, many parameters are optional in the command above. This is what I used: signtool sign /f MyCert.pfx /p MyPassword MyApp.exe
  • Walter Verhoeven
    Walter Verhoeven over 6 years
    By the way, you can download signtool.exe from Microsoft; there are quite a few, google "Window Kits Download". I use Windows 10, so I'd use developer.microsoft.com/en-us/windows/downloads/windows-10-sdk
  • Kevin Moore
    Kevin Moore over 4 years
    Thanks, this is what I was looking for! In my case, because my path was sooo long, I had to wrap the macro in quotes, i.e. "$(TargetPath)"
  • Walter Verhoeven
    Walter Verhoeven over 4 years
    You're welcome. Please note that you can also sign exes and dlls using digicert.com/util. This is a nice tool as it also allows you to troubleshoot issues with certificates.
  • A X
    A X almost 3 years
    Is there no GUI way to do this?