How do I Code Sign a Visual Studio project

Question

I have a VB.Net Visual Studio 2015 project that creates an EXE file for people in-house. We've never needed to code sign before, but with our computers moving to Windows 10, we're getting alerts and warnings from Windows that the EXE isn't trusted. The idea was brought up to code sign to application when it's built.

Currently, we're using an InstallShield installer for the EXE and it's files. I have a local test cert and private key/public key pair. At this point, though, I don't know how to code sign. I've used the Signing tab within the project's properties and options, but that does not sign the actual EXE. At least, SignTool doesn't think it's signed. And we're not looking to use ClickOnce to do this publishing or deployment.

Do I need to be doing this through a command line? Or is there a Visual Studio place to code sign?

EDIT: I know I can just do a post script to add the code signing, but I would have expected that Visual Studio had a way to put this in.

Answer 1

I put the following in the 'Post-build event command line' in Visual Studio.

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x64\signtool.exe" sign /v /sha1 {thumbprint} $(TargetPath)

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x64\signtool.exe" timestamp /tr http://timestamp.comodoca.com/rfc3161 $(TargetPath)

The {thumbprint} is from your code-signing certificate, use IE to view the certificate, select the thumbprint and remove all the spaces. This is for a code-signing certificate from Comodo (I purchased from http://ksoftware.net/ - Better pricing and certificate are issued by Comodo)

Note: your location of Signtool.exe may be different depending on version of SDK installed and version of Windows.

Answer 2

I use this in my .csproj file to sign in release mode, will work on the server when we build as well as on my local builds

  <Target Name="PostBuild" AfterTargets="PostBuildEvent">
    <Exec Command="signtool.exe sign /a /t http://timestamp.sectigo.com /fd SHA384 &quot;$(TargetPath)&quot;"  Condition="$(ConfigurationName) == Release"/>
  </Target>

this uses the "best" codesign certificate installed on my PC/server via the /a switch, I add the quotes as my path would generate a "file not found" error due to the spaces in the folder names of the build in the $(TargetPath) macro

• Always use a certificate store using the /a switch as you do not want to "loose" your certificate
• I also added the Signtool to the Path variable as that just makes life easy.
• Note the condition, this will only sign when building in release mode
• Note that I do not need to specify a password, which makes life easy not dealing with that
• I sign with the same SHAI hash as my certificate so I specify it using the /fd switch

Answer 3

I work with VS 2017 an very wonder, that this issue still exists.
I have wasted over a full day to try bring it to work directly (only) with the VS IDE (without success).
I ended up to add the following code (directly in the VS IDE) in the post build event to the project:

if $(ConfigurationName) == Release (signtool.exe sign /a /t http://timestamp.sectigo.com /fd sha256 "$(TargetPath)")

Means, that the signing only takes place in release mode and the cert is taken from the cert store of the machine automatically (no need to place a password / thumbprint in the code).