Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is there any way to sign the windows executables generated by the Go compiler?

Tags:

go

authenticode

I am trying to find out if there is a possibility to sign executables produced by the Go compiler. I cannot see this in the build/compile options. Is this even possible?

like image 711
MFT Avatar asked Oct 15 '25 07:10

MFT

1 Answers

Signing an executable is not the responsibility of the compiler, but it is part of the build process. Change your build script to run signtool.exe after the Go compiler has generated your EXE or DLL file. Provide the path and password to the private key file (if using a .pfx file) and it will sign it for you. This is the same process that Visual Studio uses.

https://learn.microsoft.com/en-us/windows/desktop/seccrypto/signtool

Apparently Go's go build command is surprisingly spartan: you cannot add additional build steps nor custom commands to go build, nor is there any "hooks" feature for the go command either (other than go generate, but that's a pre-build step when we want a post-build step).

...which means you'll need a makefile.

  • You'll need make as well, which you'll need to install somehow as it isn't a Windows thing:
    • Via Chocolatey: choco install make
    • Or via installing WSL
    • Or you figure out how to get these binaries from 2006 to work.
  • Or you could use nmake, which comes with Visual Studio, but has its own dialect for makefiles, which I'm not familiar with.
  • Another alternative is to consider CMake.
    • CMake has support for go build, but CMake is more of a "make-make" so it's outside the scope of my answer.

Here's a quick-and-dirty makefile (for GNU make on Windows) for a single-file project main.go, which should (it's untested) automatically runs signtool after a build:

# golang makefile based on https://golangdocs.com/makefiles-golang
BINARY_NAME=mygoproject.exe
 
build:
    go build -o ${BINARY_NAME} main.go

    # This runs signtool with a cert in your profile store instead of a *.pfx file, to avoid needing to store a password in the makefile or environment variable: https://stackoverflow.com/questions/26998439/signtool-with-certificate-stored-in-local-computer
    signtool sign /sm /s My /n <certificateSubjectName> /t http://timestamp.digicert.com ${BINARY_NAME}
 
run:
    go build -o ${BINARY_NAME} main.go
    ./${BINARY_NAME}
 
clean:
    go clean
    rm ${BINARY_NAME}

Just run make build from your terminal and it should just work (I hope!)

like image 113
Dai Avatar answered Oct 17 '25 22:10

Dai
Sign in to Comment

Related questions

How HandlerFunc(f) convert a function to an interface type?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!