Menu
Using a non-Microsoft compiler, I have written small application for Windows that I'd like to give away for free or sell for some trivial amount ($5 say). The program doesn't use the registry but I'd like to provide it as an installer executable (e.g. MyAppInstall.exe) created using freely available tools (e.g InnoSetup).
From Signing a Windows EXE file and other sources my understanding is as follows:
If I do not sign the installer, Windows will pop-up a warning dialogue box warning the user that the publisher is unknown and suggesting they should not run the software. This is undesirable.
If I sign the installer with a self certified key, The popup dialogue will at least provide a publisher name instead of "unknown". It will say the publisher could not be verified or the publisher is untrusted. This is probably marginally better than being described as an unknown publisher.
If I pay ~$100 every year to a CA, I can get a code-signing cert that will allow me to give away useful free software that can be easily installed - without scary and off-putting dialogues appearing.
I can use the Windows edition of OpenSSL to create a self-certified key for code signing. This way I don't have to download an install a 590 MB SDK file from MS just to obtain Microsoft's makecert.exe
Catch 22: The only code signing tool I have heard of is signtool.exe which can only be obtained by downloading and installing at least 590 MB of other stuff (the SDK).
Q: Is there an alternative to Microsoft's signtool.exe
586
Code signing is a process by which the software developer signs the applications and executables before releasing them. It is done by placing a digital signature onto the executable, program, software update or file. The certificate ensures that the software has not been tempered and the user can safely download it.
Code signing is a method of putting a digital signature on a program, file, software update or executable, so that its authenticity and integrity can be verified upon installation and execution. Like a wax seal, it guarantees to the recipient who the author is, and that it hasn't been opened and tampered with.
Executable signing certificates, commonly referred to as code signing certificates, are digital files you can use to digitally sign executable files (.exe files). The code signing certificate uses a cryptographic hash that validates the executable file's integrity and authenticity.
There is kSign, and their blog also has an article about how to integrate with Inno Setup.
It is not a complete replacement for signtool (i.e. it won't sign .cat and .sys files involved in signing driver packages) but it will will digitally sign EXE,DLL,COM,CAB and OCX files.
63
An alternative to signtool is Mono's signcode. Mozilla Developer Network has a very useful article on converting your certificate to SPC/PVK format and signing your EXE with Authenticode:
openssl pkcs12 -in authenticode.pfx -nocerts -nodes -out key.pem
openssl rsa -in key.pem -outform PVK -pvk-strong -out authenticode.pvk
openssl pkcs12 -in authenticode.pfx -nokeys -nodes -out cert.pem
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out authenticode.spc
signcode \
-spc authenticode.spc \
-v authenticode.pvk \
-a sha1 -$ commercial \
-n My\ Application \
-i http://www.example.com/ \
-t http://timestamp.verisign.com/scripts/timstamp.dll \
-tr 10 \
MyApp.exe
Unlike signtool, which accepts the passphrase as a command-line argument, it seems like signcode must be given the passphrase on standard input. I was able to use signcode [arguments] < passphrase.txt.
45
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
