I'm using `signtool` to apply a digital signature to various `.exe`/`.dll` files. However, viewing the signed files in Windows Explorer shows that no E-Mail address is set, much like in this screenshot (I'm by no means affiliated with "Paramount Software UK Ltd." -- this screenshot is just the first result I found via Google):

However, I also saw other screenshots showing that it's somehow possible to define an E-Mail address (even if it's a bogus one, like in this case):

Is it possible to set this E-mail address via `signtool`, or is it actually a property of the certificate itself (i.e. it needs to be specified when purchasing a certificate)?
The email property is extracted from the `emailAddress` attribute in the subject distinguished name field of your certificate.

You can make a test using openssl to generate a self-signed certificate (then you can generate a CSR with an `emailAddress` and send it to the certificate authority to generate a valid end-entity certificate). To test it you can do the following steps:

Generate a self-signed certificate using the following `openssl` command:

```
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
```

Then you will be asked to enter the following parameters (all for the subject of the certificate):

To avoid this prompt you can directly specify the subject in the previous command using `-subj` as follows:

```
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -subj "/C=ES/ST=58/L=Barcelona/O=yourOrgName/OU=yourDept/CN=yourAppName/[email protected]"
```

Now you can generate a `p12` (or `pfx`) from the generated key and cert using the following command:

```
openssl pkcs12 -export -out myTestWithMail.pfx -inkey key.pem -in cert.pem
```

Now you have a `p12` (`myTestWithMail.pfx`) that you can use to sign an `exe` or `dll` using the following `signtool` command. For example, I sign `notepad++.exe` (as in the examples you link in your question):

```
signtool.exe sign /f C:\Users\Albert\myTestWithMail.pfx /p 1234 "C:\Program Files (x86)\Notepad++\notepad++.exe"
```

Note that `/f` is for the path of your signing key, and `/p` is the password for your key.

Now you can see the email in the file you sign:

So finally, if you need a certificate from a certificate authority, you have to generate the CSR specifying `emailAddress`, for example using the `openssl` command:

```
openssl req -new -newkey rsa:2048 -nodes -out yourAppName.csr -keyout yourAppName.key -subj "/C=ES/ST=58/L=Barcelona/O=yourOrgName/OU=yourDept/CN=yourAppName/[email protected]"
```

Or alternatively, without specifying the `-subj` parameter, enter the correct values for the subject distinguished name when prompted:

```
openssl req -new -newkey rsa:2048 -nodes -out yourAppName.csr -keyout yourAppName.key
```

Hope this helps,
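As an added example (not part of the answer above or of any project), the following POSIX shell script carries out the answer's test end to end with `openssl` and adds the check a practitioner wants before signing anything or sending a CSR to a CA: does the subject DN of the certificate, of the PKCS#12 bundle that `signtool` will load, and of the CSR actually contain `emailAddress`? The subject values and the address `signing@example.com` are constructed placeholders, and the password `1234` matches the `/p 1234` in the answer's `signtool` command. It goes one step beyond the answer by also building a certificate without `emailAddress`, so you can see the check come back empty, which is exactly the "no E-Mail address" state the question describes. `signtool` is Windows-only and is not run here.

```shell
#!/bin/sh
# Added example, not from the original answer: build test material the way the
# answer describes, then verify emailAddress is present in the subject DN.
set -eu

WORKDIR="$(mktemp -d)"
# Constructed sample subjects; the address is a placeholder, not a real mailbox.
SUBJ_WITH_MAIL="/C=ES/ST=58/L=Barcelona/O=yourOrgName/OU=yourDept/CN=yourAppName/emailAddress=signing@example.com"
SUBJ_NO_MAIL="/C=ES/ST=58/L=Barcelona/O=yourOrgName/OU=yourDept/CN=yourAppName"
PFX_PASS="1234"   # test password, matching the answer's "signtool ... /p 1234"

# make_cert <subject> <basename>: self-signed cert + key, then the PKCS#12 (.pfx)
# bundle that signtool's /f option would be pointed at.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "$1" -keyout "$WORKDIR/$2.key" -out "$WORKDIR/$2.pem" 2>/dev/null
  openssl pkcs12 -export -passout "pass:$PFX_PASS" \
    -inkey "$WORKDIR/$2.key" -in "$WORKDIR/$2.pem" -out "$WORKDIR/$2.pfx"
}

# make_csr <subject> <basename>: the request you would send to a CA.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "$1" -keyout "$WORKDIR/$2.key" -out "$WORKDIR/$2.csr" 2>/dev/null
}

# cert_email <pem>: email address(es) openssl finds in the certificate
# (subject DN or SAN); prints nothing when there is none.
cert_email() { openssl x509 -in "$1" -noout -email; }

# pfx_email <pfx>: the same check on the bundle signtool actually loads,
# so a wrong certificate in the .pfx is caught before signing.
pfx_email() {
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -email
}

# csr_email <csr>: pull emailAddress out of the request's subject line. The
# regex accepts both "emailAddress=x" and "emailAddress = x" subject formats
# that different openssl versions print.
csr_email() {
  openssl req -in "$1" -noout -subject \
    | sed -n 's/.*emailAddress *= *\([^, ]*\).*/\1/p'
}

# has_email <value>: succeeds only when the extracted value is non-empty,
# so a pipeline using it fails closed when the attribute is missing.
has_email() { [ -n "$1" ]; }

# Build everything: a cert with the address, one without, and a CSR.
make_cert "$SUBJ_WITH_MAIL" withmail
make_cert "$SUBJ_NO_MAIL"   nomail
make_csr  "$SUBJ_WITH_MAIL" request

echo "cert  (with emailAddress): $(cert_email "$WORKDIR/withmail.pem")"
echo "pfx   (with emailAddress): $(pfx_email  "$WORKDIR/withmail.pfx")"
echo "csr   (with emailAddress): $(csr_email  "$WORKDIR/request.csr")"
echo "cert  (no emailAddress):   '$(cert_email "$WORKDIR/nomail.pem")'"
```

Run it as `sh check_email_dn.sh`; the last line prints an empty value, which is what Explorer turns into a blank E-Mail field. Putting `has_email "$(pfx_email my.pfx)" || exit 1` in front of the `signtool` step in a build script is a cheap guard against shipping a signature made with the wrong certificate.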