How to correctly sign an executable
Solution 1
Assembly signing != Authenticode signing.
To Authenticode-sign an assembly with signtool, you'll need a code signing certificate from a trusted issuing authority.
You can then issue the following post-build command to sign your executable:
"signtool.exe" sign /f "$(SolutionDir)myCertificate.pfx" /p certPassword /d "description" /du "http://myinfourl" /t "http://timeserver.from.cert.authority/" $(TargetPath)
Everything you need to know about Authenticode Code Signing
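Added example (not part of the original answer): a PowerShell script that reports strong-name state and Authenticode state separately, which is the distinction Solution 1 draws and the reason the asker's file showed no signature. It then signs with a certificate from the user's store and fails if the result is not a valid, timestamped signature. The script name, the `Get-SigningState` helper and the use of `Cert:\CurrentUser\My` are assumptions; the timestamp URL is the one that appears on this page.

```powershell
# Added example. Hypothetical usage from a post-build event:
#   powershell -File Sign-Output.ps1 -TargetPath "$(TargetPath)"
param(
    [Parameter(Mandatory)] [string] $TargetPath,
    [string] $TimestampUrl = 'http://timestamp.digicert.com'   # URL taken from this page
)

function Get-SigningState {          # hypothetical helper name
    param([string] $Path)
    $strongNamed = $false
    try {
        # A strong-named .NET assembly carries a non-empty public key token.
        $token = [System.Reflection.AssemblyName]::GetAssemblyName($Path).GetPublicKeyToken()
        $strongNamed = ($null -ne $token -and $token.Length -gt 0)
    } catch {
        # Not a .NET assembly (or unreadable): strong naming does not apply.
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        StrongNamed  = $strongNamed
        Authenticode = $sig.Status                 # NotSigned, Valid, HashMismatch, ...
        Signer       = $sig.SignerCertificate.Subject
        Timestamped  = $null -ne $sig.TimeStamperCertificate
    }
}

# Resolve to a full path so the .NET call and the cmdlets see the same file.
$TargetPath = (Resolve-Path -LiteralPath $TargetPath).Path
Get-SigningState $TargetPath | Format-List   # a strong-named file still shows NotSigned here

# Assumption: the code signing certificate is installed in the current user's store,
# so no PFX password has to appear in the build event.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { Write-Error 'No usable code signing certificate found.'; exit 1 }

$null = Set-AuthenticodeSignature -FilePath $TargetPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $TimestampUrl

# Verify the result instead of assuming the signing step worked.
$after = Get-SigningState $TargetPath
$after | Format-List
if ($after.Authenticode -ne 'Valid' -or -not $after.Timestamped) {
    Write-Error "Signature check failed: status $($after.Authenticode)."
    exit 1
}
```

A certificate that does not chain to a trusted root produces a status other than `Valid`, so the script exits non-zero and the build step fails.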
Solution 2
Basically you have 2 options, using a command that you manually execute or execute via a batch file:
signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f "D:\Source\Certificates\CodeSign.pfx" /as /p MyPassword "{path to exe}"
This becomes a bit frustrating after a while. Better add it on your project's option page in the Build Events.
In your post build you would enter:
call "C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f "D:\Source\Certificates\CodeSign.pfx" /p MyPassword $(TargetPath)
The macro $(TargetPath) will be filled with the path to your compiled exe or dll.
Now each time you compile you will get a signed file.
Would look something like this:
joe
Updated on June 21, 2022
Comments
-
joe almost 2 years
I have made a little tool. It is a console application that, when running on Win7, brings up the UAC security prompt. I tried to sign this EXE file in Visual Studio 2010 using the following steps:
- Project properties
- Signing
- Create new key as shown below
The key file was successfully created, as you can see in the capture below.
Issues:
The file is still being blocked by the UAC security prompt. When I checked whether the file was signed using signtool.exe, it told me no signature was found. Please correct me if I'm following the wrong steps.
-
joe almost 11 years
Worked fine. Also, many parameters are optional in the command above. This is what I used: signtool sign /f MyCert.pfx /p MyPassword MyApp.exe
-
Walter Verhoeven over 6 years
By the way, you can download signtool.exe from Microsoft. There are quite a few; Google "Window Kits Download". I use Windows 10, so I'd use developer.microsoft.com/en-us/windows/downloads/windows-10-sdk
-
Kevin Moore over 4 years
Thanks, this is what I was looking for! In my case, because my path was sooo long, I had to wrap the macro in quotes, i.e. "$(TargetPath)"
-
Walter Verhoeven over 4 years
You're welcome. Please note that you can also sign EXEs and DLLs using digicert.com/util. This is a nice tool, as it also allows you to troubleshoot issues with certificates.
-
A X almost 3 years
Is there no GUI way to do this?