This article describes how to digitally sign your executable file, including an Windows application installer, with a Microsoft Authenticode Digital ID.
Microsoft has, of course, their own signing tools in the SDK, but another option is to use Mono. Mono's signing tools allows us to sign an executable even on a Mac or Linux box.
Download and install the latest version of the Framework. It's open source and free software!
Install root and intermediate certificates
certmgr -add -c CA C3_PCA_G3v2.cer certmgr -add -c CA CodeSigningCA.cer certmgr -list -c CA
Fix a problem
You will fail to sign with your public key (a SPC file) issued by Thawte or VeriSign. The workaround is:
- Open your SPC file in the Certificate Manager of Windows
- Select your certificate for code signing
- Right-click on the certificate and select All Tasks > Export
- Certificate Export Wizard is shown
- In the Export File Format page, select PKCS #7 and check "Include all certificates in the certificate path if possible" option. If it is unchecked, Windows Vista will fail to verify signing (bug)
- Then export it
- Use the exported P7B file for Mono, instead of the original SPC file
Prior to Mono 1.2.4, you'll also encounter another problem with password-protected PVK file.
signcode \ -spc (path to your public key).p7b \ -v (path to your private key).pvk \ -a sha1 -$ commercial \ -n My\ Application \ -i http://www.example.com/ \ -t http://timestamp.verisign.com/scripts/timstamp.dll \ -tr 10 \ MyApp.exe
chktrust -v Firefox.exe
Somehow this process fails in the author's environment. But if the time stamp looks good, your executable is successfully signed.
- Microsoft Authenticode Digital ID Instructions - the official guide by VeriSign
- Signing and Checking Code with Authenticode - MSDN