Windows: How to sign exe using certificate issued by Certum?

My goal is to sign an unsigned executable file on Windows using a certificate. From my general knowledge I know that I need a public and a private key pair for a digital signature. I have also installed the Windows SDK, which provides signtool.exe and makecert.exe.

I have already obtained a certificate online, comprising a CER, a PEM, and a CRT file.

My question now is how I have to use these tools and the certificate files in order to sign an executable. According to here, the CRT file is the private key. From what I've learned so far, the CER and the PEM file are basically the same but with different encodings. What are they for? Are they the public key? And how do I sign my executable?

EDIT: I've tried installing the CRT file to a certificate store and then signing using that certificate:

    "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /debug /fd SHA256 /a /n "<Issued_To>" /t http://timestamp.comodoca.com/authenticode <Filename>

Here <Issued_To> was replaced with the data from the certificate and <Filename> is the name of the file I wanted to sign. The output I get from signtool is the following:

    The following certificates were considered:
        ...

        Issued to: ...
        Issued by: Certum Code Signing CA SHA2
        Expires:   Thu Oct 12 14:37:04 2017
        SHA1 hash: BA081A67D3F2DDDC9268121DCBA04F43D6CD37FB

        ...

    After EKU filter, 1 certs were left.
    After expiry filter, 1 certs were left.
    After Subject Name filter, 1 certs were left.
    After Private Key filter, 0 certs were left.
    SignTool Error: No certificates were found that met all the given criteria.
bweber asked Oct 12 '16 13:10

2 Answers

For what it's worth, I purchased Certum Cloud Signing for open source projects and here is how I got it working. (It took me 5 business days of mails, trying and error and using Google Translate on Polish documents, so maybe I save a little time to someone)

You first provide your personal information. Once you receive the activation token, you only have 24 hours to activate it (even if this info is not specified, don't let time pass as I did), so:

Use the "Secret for regaining access to the SimplySign service" in the link that looks like: https://cloudsign.webnotarius.pl/arc/app/resetseed?token=...

There you will get a new code that you should use on the SimplySign mobile app (Reset button, I believe).

I wasn't able to find the SimplySign mobile app on Google Play. So I used a desktop browser to find the app (which said "This app is not compatible with your device", and/or country...) and downloaded the APK using a Chrome extension, then installed it manually on my phone.

Once you have the mobile app set up, it should be generating 6-digit tokens every minute or so.

Now install SimplySign Desktop on Windows. Log in using your email and the 6-digit token from your mobile. Once it says "Status: Connected" it has installed a virtual smartcard and your certificate. SimplySign must stay connected for the certificate to work.

    signtool.exe sign /n "Open Source Developer, Your Name" /fd SHA256 YourApp.exe

If you don't use /fd SHA256 you will get:

    SignTool Error: SignedCode::Sign returned error: 0x80090027
            The parameter is incorrect.
    SignTool Error: An error occurred while attempting to sign: YourApp.exe

If you don't log in to SimplySign, you get:

    After EKU filter, 1 certs were left.
    After expiry filter, 1 certs were left.
    After Subject Name filter, 1 certs were left.
    After Private Key filter, 0 certs were left.
    SignTool Error: No certificates were found that met all the given criteria.

Note: There is no need to install proCertum SmartSign app.

Gerardo Grignoli answered Oct 13 '22 13:10

This solved my question: http://www.anse.de/programming/code-signing-for-open-source-executable

I exported the certificate as a PK2 file using Firefox. Then I installed this certificate in the "Personal" certificate store on Windows. Afterwards I could use the aforementioned command to sign my executable:

    signtool sign /fd SHA256 /a /n "<Issued_To>" /t http://timestamp.comodoca.com/authenticode <Filename>

Here <Issued_To> matches the value in the certificate and <Filename> is the name of the file to be signed. Afterwards the executable file is signed.

bweber answered Oct 13 '22 13:10
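The failure in the question ("After Private Key filter, 0 certs were left") comes from importing only the public certificate: a CRT/CER/PEM carries no private key, so signtool finds a matching certificate but cannot sign with it. The PowerShell script below is an added example, not code from either answer or from Certum; it looks the certificate up in the Personal store, checks for the private key and the code-signing EKU before calling signtool with the same /fd SHA256 and timestamp options used on this page, then verifies the result. $SubjectName, $FilePath and $SignTool are assumed parameters, and <Issued_To> is the question's placeholder.

```powershell
# Added example: pre-check a code-signing certificate in the Personal store,
# sign with signtool (/fd SHA256 + timestamp), then verify the signature.
param(
    [string]$SubjectName = "<Issued_To>",   # placeholder from the question; use your CN
    [string]$FilePath    = ".\YourApp.exe", # assumed input file
    [string]$SignTool    = "signtool.exe"   # assumed to be on PATH (Windows SDK bin)
)

$codeSigningOid = "1.3.6.1.5.5.7.3.3"   # Code Signing enhanced key usage

# Apply the same filters signtool reports: subject name, EKU and expiry.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object {
        $_.Subject -like "*CN=$SubjectName*" -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $codeSigningOid })
    } | Select-Object -First 1

if (-not $cert) {
    throw "No unexpired code-signing certificate for '$SubjectName' in Cert:\CurrentUser\My."
}

# The private-key filter is the one that failed in the question. A CRT/CER/PEM
# import leaves HasPrivateKey false; the key arrives only with a PKCS#12 (PFX/P12)
# import or from a smart card / SimplySign virtual card that is connected.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; import a PFX/P12 or connect the token first."
}

# /sha1 pins the exact certificate instead of relying on /a plus /n.
# /fd SHA256 is required (the second answer shows error 0x80090027 without it);
# the /t URL is the one used on this page.
& $SignTool sign /fd SHA256 /sha1 $cert.Thumbprint `
    /t http://timestamp.comodoca.com/authenticode $FilePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy, as Windows will at load time.
& $SignTool verify /pa /v $FilePath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Independent check from PowerShell itself: Status should be "Valid".
$sig = Get-AuthenticodeSignature -FilePath $FilePath
"{0}: {1}, signed by {2}" -f $FilePath, $sig.Status, $sig.SignerCertificate.Subject
```

If the certificate is provided by SimplySign, the HasPrivateKey check only passes while the desktop client reports "Status: Connected", which matches the behaviour described in the first answer.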