
Code-signing

How can I sign my binaries with a digital certificate?

Code-signing with a digital certificate ensures that a binary has not been modified by someone else and identifies the company that signed the binary. If the binary is modified or the certificate chain cannot be verified, the digital signature will not be shown as valid.

Here are the steps to get the Authenticode certificate.

  1. You need to get a code-signing certificate (Microsoft Authenticode) from one of the trusted vendors. Go to either http://www.thawte.com/code-signing/index.html (the cost is $299/year, $549/2 yrs) or https://www.verisign.com/code-signing/index.html (the cost is $499/year, $895/2 yrs).   I dealt with Thawte in the past.   The sequence below is for Thawte.
  2. You will get a private key protected with a password you specify (mykey.pvk).  This is very important.   You will use this password to sign your binaries.
  3. You will download the Authenticode certificate (mycert.spc) from the vendor's website.   Make sure you record the username and challenge password when you download.
  4. You generate a .pfx file from mycert.spc and mykey.pvk using the password you specified, using pvk2pfx.exe
    (in C:\Program Files\Microsoft SDKs\Windows\v7.0\bin\pvk2pfx.exe or an older version of the Windows Platform SDK such as v6.0a):
    pvk2pfx.exe -pvk mykey.pvk -spc mycert.spc -pfx mycert.pfx -pi (password)
    where (password) is the one you specified for your mykey.pvk. If you do not also pass -po, the resulting mycert.pfx gets the same password as mykey.pvk.

The next step is to actually use mycert.pfx to sign. There are two ways to do this. One way is to use the command line for existing binaries. The other way is to do it in your project. Here is the command-line way, using signtool.exe (C:\Program Files\Microsoft SDKs\Windows\v7.0\bin\signtool.exe):


signtool.exe sign /f mycert.pfx /p (password) /t http://timestamp.verisign.com/scripts/timstamp.dll (binaryfile)

where /p (password) is the password of mycert.pfx (signtool cannot open a password-protected .pfx without it) and /t adds a timestamp so the signature stays valid after the certificate itself expires.
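The command-line route, followed by the verification a practitioner should always run before shipping, as an added PowerShell example that is not part of the original page. The SDK path, the binary path and the password prompt are assumptions; the signtool switches (/f, /p, /t, /v, verify /pa) are real.

```powershell
# Added example (not from the original page): sign a binary with the mycert.pfx
# produced in step 4, then verify the result two ways. Paths and the password
# prompt are assumptions; replace them with your own values.
$SignTool  = 'C:\Program Files\Microsoft SDKs\Windows\v7.0\bin\signtool.exe'
$PfxFile   = 'mycert.pfx'
$PfxPass   = Read-Host -Prompt 'PFX password' -AsSecureString
$Timestamp = 'http://timestamp.verisign.com/scripts/timstamp.dll'
$Binary    = 'C:\build\myapp.exe'   # assumed path to the binary to sign

# signtool takes the password as plain text; convert it only for the call.
$Plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($PfxPass))

# /f = pfx file, /p = its password (the one given to pvk2pfx), /t = timestamp server
& $SignTool sign /f $PfxFile /p $Plain /t $Timestamp /v $Binary
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Check 1: PowerShell's own verifier. Status must be 'Valid'; anything else
# (NotSigned, HashMismatch, NotTrusted, UnknownError) means Windows will not
# trust the signature, which is exactly what a tampered binary looks like.
$sig = Get-AuthenticodeSignature -FilePath $Binary
'{0}: {1} (signer: {2})' -f $Binary, $sig.Status, $sig.SignerCertificate.Subject
if ($sig.Status -ne 'Valid') { throw "Signature check failed: $($sig.Status)" }
if ($null -eq $sig.TimeStamperCertificate) { Write-Warning 'No timestamp: signature expires with the certificate' }

# Check 2: signtool's verifier. /pa selects the normal Authenticode policy;
# without it signtool applies the kernel-mode driver policy and rejects
# ordinary application signatures even when they are fine.
& $SignTool verify /pa /v $Binary
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
```

Run the same two checks on a copy of the binary after changing a single byte in it; both must fail, which confirms the signature actually covers the file's contents.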

The other way is to do it inside your project. If your project is in C#, first open the solution.   Right-click on the project and then click Properties. You get the following:

Check "Sign the ClickOnce manifests".   Use "Select from File..." to pick the *.pfx file.   Supply the password.    After supplying the password, you will get the following (after you put in the Verisign timestamp URL):


Updated 3/13/2010