
Signing an executable with Authenticode

From MDC

This article describes how to digitally sign your executable file, including a Windows application installer, with a Microsoft Authenticode Digital ID.


Introduction

Microsoft has, of course, its own signing tools in the SDK, but another option is to use Mono. Mono's signing tools allow you to sign an executable even on a Mac or Linux box.

Get Mono

Download and install the latest version of the Framework. It's open source and free software!

Set path

On Mac OS X:

export PATH=${PATH}:/Library/Frameworks/Mono.framework/Commands

Install root and intermediate certificates

You have to install the root and intermediate certificates of the chain that issued your own certificate.

Note: This article is not intended to recommend a certificate from any particular CA. The following instructions are provided as a courtesy.

If your CA is VeriSign, you can find them here:

Save them to your local disk and install these two files into your Mono CA database as follows:

certmgr -add -c CA C3_PCA_G3v2.cer
certmgr -add -c CA CodeSigningCA.cer
certmgr -list -c CA

For GlobalSign:

Fix a problem

Signing with the public key (an SPC file) issued by Thawte or VeriSign fails (bug). The workaround is:

  1. Open your SPC file in the Certificate Manager of Windows
  2. Select your certificate for code signing
  3. Right-click on the certificate and select All Tasks > Export
  4. Certificate Export Wizard is shown
  5. In the Export File Format page, select PKCS #7 and check the "Include all certificates in the certificate path if possible" option. If it is left unchecked, Windows Vista will fail to verify the signature (bug)
  6. Then export it
  7. Use the exported P7B file for Mono, instead of the original SPC file
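Step 5 is easy to get wrong silently: a P7B exported without the full path contains only your own certificate. The following added example (not part of the original article) is a minimal DER walker that counts the certificates inside a DER-encoded .p7b, as exported by the Windows wizard; a count of 1 means the option was not checked. build_sample_p7b only constructs a dummy SignedData for testing, its "certificates" are not real X.509 data.

```python
# Minimal DER walker: count the certificates in a .p7b (PKCS#7 SignedData) file.
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
DATA_OID = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = byte count
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is BER, not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Split a constructed value into its (tag, value) children."""
    pos, out = 0, []
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        out.append((tag, value))
    return out


def count_chain_certificates(p7b):
    """Number of certificates in a DER .p7b; 0 if the file carries none."""
    tag, content, _ = _read_tlv(p7b, 0)
    fields = _children(content) if tag == 0x30 else []
    if len(fields) != 2 or fields[0] != (0x06, SIGNED_DATA_OID) or fields[1][0] != 0xA0:
        raise ValueError("not a PKCS#7 SignedData ContentInfo")
    _, signed_data, _ = _read_tlv(fields[1][1], 0)       # [0] EXPLICIT SignedData
    # SignedData fields: version, digestAlgorithms, contentInfo, [0] certificates, ...
    cert_sets = [v for t, v in _children(signed_data) if t == 0xA0]
    return sum(1 for t, _ in _children(cert_sets[0]) if t == 0x30) if cert_sets else 0


def _tlv(tag, body):
    """DER-encode one tag-length-value (used only to build the sample)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_p7b(cert_bodies):
    """Constructed test input: a degenerate SignedData holding dummy certs."""
    certs = b"".join(_tlv(0x30, c) for c in cert_bodies)
    signed = (_tlv(0x02, b"\x01") + _tlv(0x31, b"") + _tlv(0x30, _tlv(0x06, DATA_OID))
              + _tlv(0xA0, certs) + _tlv(0x31, b""))
    return _tlv(0x30, _tlv(0x06, SIGNED_DATA_OID) + _tlv(0xA0, _tlv(0x30, signed)))
```

On a real export, call count_chain_certificates(open("yourcert.p7b", "rb").read()) and expect at least 2 (your certificate plus the intermediate).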

Prior to Mono 1.2.4, you will also encounter another problem with password-protected PVK files.

Sign

signcode \
 -spc (path to your public key).p7b \
 -v (path to your private key).pvk \
 -a sha1 -$ commercial \
 -n My\ Application \
 -i http://www.example.com/ \
 -t http://timestamp.verisign.com/scripts/timstamp.dll \
 -tr 10 \
 MyApp.exe

Verify

chktrust -v MyApp.exe

Somehow this process fails in the author's environment, but if the time stamp looks good, your executable is successfully signed.

References