Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How can I digitally sign an executable?

I'm coding software that requires administrative access. When a UAC dialog pops up, it shows a different popup for digitally signed software than non-signed software. I believe digitally signing my software would enable users to trust my software easier. Does it cost thousands of dollars to digitally sign software, or is it free? Is there a simple way to do it? I've searched around Google and all I get is how to sign PHP, XML, and PDF files, which is not what I want. I need to sign my software executable.

Just saw something about sigtool.exe? Is this the right direction? What about those complicated .pfx files and Authenticode or what not?

like image 512
Rudi Avatar asked Jun 27 '10 17:06

Rudi


People also ask

How can I tell if an exe is digitally signed?

Check the signature on an EXE or MSI fileRight-click the EXE or MSI file and select Properties. Click the Digital Signatures tab to check the signature.


2 Answers

As mentioned in the other answers, you will first need to purchase a certificate suitable for code signing. This will cost a few hundred dollars, nowhere near a thousand. When I renewed my company's certificate with Globalsign recently, there was also an investigation to check that the company was legitimate - because I used a mobile number for the registration process, they wanted a letter from the company accountant to verify that we are a real business.

To sign the executable, I use an MSBuild task. Here's an excerpt with the relevant pieces:

<!-- Installer files that need to be signed. --> <ItemGroup>   <InstallerSignedFiles Include="$(BuildRoot)path\to\myinstaller.msi"/>   <InstallerSignedFiles Include="$(BuildRoot)path\to\setup.exe"/> </ItemGroup>  <Target Name="ReleasePackaging">   <!-- Sign the files we're going to release -->   <SignTool       CertificateStoreName="My"       CertificateSubjectName="MyCompany"       Description="My application description"       TimestampServerUrl="http://timestamp.verisign.com/scripts/timstamp.dll"       TargetFiles="@(InstallerSignedFiles)"      /> </Target> 

For this to work as above, you will need to install the certificate into your personal certificate store (see CertificateStoreName="My" in the above example). On the Globalsign web site, this installation was an automatic part of the certificate download process. Note: I found that it helps to use Internet Explorer when you download the certificate, as it is integrated with the Windows certificate store. Once it is in the certificate store on the download computer, you can export it as a pfx file, transfer it to your build machine, and import it there. If you do export it, I would advise that you protect the exported file with a password in case it falls into the wrong hands.

When you use the SignTool MSBuild task as above, it reads certificates from the personal store ("My") that is associated with the current Windows user account. This means that you can control who can sign code with your certificate, which is a Good Thing. You should only import the certificate into the personal store of developers that you trust.

It's a good idea to use the timestamp server when signing code, so that you don't need to re-sign the code when the certificate expires.

like image 188
Rich Tebb Avatar answered Sep 27 '22 03:09

Rich Tebb


You'll need the code-signing command line utility from Microsoft.

And then:

signtool.exe sign /v /f "MyCertificate.pfx" -t "http://timestamp.verisign.com/scripts/timstamp.dll" "MyApp.exe" 

or alternativly

signcode.exe -a "sha1" -spc "MySoftwarePublishingCertificate.spc" -v "MyPrivateKeyFile.pvk" -t "http://timestamp.verisign.com/scripts/timstamp.dll" "MyApp.exe" 
like image 28
Ian Boyd Avatar answered Sep 27 '22 03:09

Ian Boyd