How do I sign exes and dlls with my code signing certificate

Question

(I purchased a code signing cert from Thawte and have been going out of my mind with frustration at the whole process.

What I have from them are:

• .spc / .p7b file
• .pvk file

(NOTE I do not have a pfx file from them. God knows why, but I have been fighting with their tech support for a week)

In any case I find "help" links on their site and at MS for signcode.exe which is useless for me because I can't find that exe on my machine, however I do have signtool.exe.

Unfortunately i am mystified at the command line parameters listed on this MS help site.

Specifically, what parameters do I use and what values? I tried what I thought was obvious but it does not work at all.

I can get the signing wizard to work, however I need this to work non-interactively in a hudson CI batch file.

It really doesn't seem like it should be this difficult, but so far it is all black magic.

thanks for any help

Answer 1

First, you can generate your own pfx file using the pvk2pfx tool described at http://msdn.microsoft.com/en-us/library/ff549703(VS.85).aspx

Something like

pvk2pfx -pvk cert.pvk -spc cert.spc -pfx cert.pfx -pi password

ought to do the trick.

Secondly, signtool is the tool you're after. http://msdn.microsoft.com/en-us/library/aa387764(VS.85).aspx

signtool sign /?

Gets you the help, but the basic command you're probably after is

signtool sign /f cert.pfx /p password target.exe

Which will sign target.exe. It gets more complex if you want to put the certificate into the certificate store on the machine (this is the CSP bit). This is really useful though for doing signing on a lot of dev machines, or on build lab machines where you want to avoid putting the certificate in source control.