Signing an executable with Authenticode

  • Revision id: 67921 (not the current revision)
  • Creator: Kohei
  • Comment: Added bug

Revision Content

This article describes how to digitally sign an executable file, including a Windows application installer, with a Microsoft Authenticode Digital ID (the code-signing certificate issued by VeriSign or Thawte).

Introduction

Microsoft ships its own signing tools (SignTool) with the Windows SDK, but another option is Mono: the Mono.Security tools (certmgr, signcode and chktrust) can sign and verify an executable even on a Mac or Linux box.

Get Mono

Download and install the latest version of the Mono framework. It is open source and free software.

Set path

export PATH=${PATH}:/Library/Frameworks/Mono.framework/Commands

This is the location used by the macOS framework package; Linux distribution packages normally place the tools in /usr/bin, which is already on PATH.

Install root and intermediate certificates

Download the VeriSign root certificate and the code-signing intermediate CA certificate, then import them into Mono's certificate store (the file names below are those of the downloads at the time of writing):

  • VeriSign Primary PCA Root Certificates: http://www.verisign.com/support/roots.html
  • VeriSign Code Signing Intermediate CA Certificate: http://www.verisign.com/support/verisign-intermediate-ca/code-signing-intermediate/

certmgr -add -c CA C3_PCA_G3v2.cer
certmgr -add -c CA CodeSigningCA.cer
certmgr -list -c CA

Note that Mono keeps trusted root CAs in the Trust store and intermediate CAs in the CA store (mozroots, for example, imports Mozilla's roots into Trust). Signing works with both certificates in CA as above; if chain verification fails later, add the root certificate with -c Trust as well and check it with certmgr -list -c Trust.

Fix a problem

Signing fails when the -spc argument is the SPC file as issued by Thawte or VeriSign. (An SPC is a PKCS #7 bundle holding the signing certificate and its chain, not a bare public key; Mono bug: https://bugzilla.novell.com/show_bug.cgi?id=316337.) The workaround is to re-export the certificate chain from Windows:

  1. Open your SPC file in the Certificate Manager of Windows
  2. Select your certificate for code signing
  3. Right-click on the certificate and select All Tasks > Export
  4. Certificate Export Wizard is shown
  5. In the Export File Format page, select PKCS #7 (.P7B) and check the "Include all certificates in the certification path if possible" option. If it is unchecked, Windows Vista will fail to verify the signature (bug: https://bugzilla.novell.com/show_bug.cgi?id=323620)
  6. Then export it
  7. Use the exported P7B file for Mono, instead of the original SPC file

With Mono versions before 1.2.4 you will also run into another problem with password-protected PVK files (see http://projects.zillabit.com/authenticode.html).

Sign

signcode \
 -spc (path to your public key).p7b \
 -v (path to your private key).pvk \
 -a sha1 -$ commercial \
 -n My\ Application \
 -i http://www.example.com/ \
 -t http://timestamp.verisign.com/scripts/timstamp.dll \
 -tr 10 \
 MyApp.exe

The options are: -spc, the P7B exported above (the signing certificate plus its chain); -v, the PVK file holding the private key (signcode prompts for the password if the file is protected); -a, the digest algorithm; -$ commercial, the statement type recorded in the signature (commercial rather than individual publisher); -n, the description shown in the Windows security dialog; -i, the "more information" URL shown next to it; -t, the Authenticode timestamp service; and -tr, the number of timestamping attempts before signcode gives up, since the service is not always reachable.

Two caveats for anyone following this today. Mono's signcode only offers md5 and sha1, and SHA-1 Authenticode signatures are no longer trusted by current Windows releases, so a release build should be signed with SignTool using a SHA-256 file digest and an RFC 3161 timestamp. The VeriSign timestamp URL is the legacy Authenticode service; confirm that your CA still operates it, or use the timestamp URL the CA currently publishes. A signature without a valid timestamp stops verifying once the certificate expires.

Verify

chktrust -v MyApp.exe

Somehow this step fails in the author's environment. But if the timestamp looks good, your executable has been signed successfully.

chktrust builds the certificate chain from Mono's own stores, so a failure here does not necessarily mean the signature is bad; on a Windows machine the same file can be cross-checked with SignTool (signtool verify /pa /v) or the PowerShell Get-AuthenticodeSignature cmdlet, which report the chain and the timestamp.
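To make concrete what chktrust and SignTool are checking, here is an added example (not code from the original page and not part of Mono): it locates the attribute certificate table that signcode appends to a PE file and computes the Authenticode file digest, which covers the whole file except the CheckSum field, the security directory entry and the certificate table itself. That exclusion is why the signature can be attached without changing the hash it protects. The function names are mine, build_toy_pe constructs a minimal PE32 image as test data (not a real binary, and the "PKCS#7" it embeds is a placeholder blob), and the digest routine assumes sections are laid out in file order, a simplification of the spec's section-by-section procedure that holds for mainstream linkers.

```python
"""Locate the Authenticode certificate table in a PE file and compute the
Authenticode digest (the hash the signature actually covers). Added example."""
import hashlib
import struct

SECURITY_DIR_INDEX = 4                    # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # PKCS#7 SignedData, i.e. Authenticode


def _pe_layout(data):
    """Return file offsets of the CheckSum field and the security directory entry."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_off = e_lfanew + 4 + 20                    # skip the COFF file header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                             # PE32
        dd_off = opt_off + 96
    elif magic == 0x20B:                           # PE32+
        dd_off = opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return opt_off + 64, dd_off + 8 * SECURITY_DIR_INDEX


def find_certificate_table(data):
    """(offset, size) of the attribute certificate table, or None if unsigned.
    Unlike the other data directories this entry holds a raw file offset."""
    _, secdir_off = _pe_layout(data)
    off, size = struct.unpack_from("<II", data, secdir_off)
    if off == 0 or size == 0:
        return None
    if off + size > len(data):
        raise ValueError("certificate table extends past end of file")
    return off, size


def parse_win_certificate(data):
    """Parse the first WIN_CERTIFICATE entry and return its PKCS#7 payload."""
    loc = find_certificate_table(data)
    if loc is None:
        return None
    off, size = loc
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)
    if length < 8 or length > size:
        raise ValueError("WIN_CERTIFICATE length disagrees with directory size")
    return {"revision": revision, "type": cert_type,
            "pkcs7": bytes(data[off + 8:off + length])}


def authenticode_digest(data, algo="sha1"):
    """Authenticode file digest; 'sha1' matches 'signcode -a sha1'.
    Simplification: sections are assumed to sit in the file in ascending
    PointerToRawData order, so the file is hashed front to back. Data appended
    after the certificate table is still hashed, as the spec requires."""
    checksum_off, secdir_off = _pe_layout(data)
    loc = find_certificate_table(data)
    h = hashlib.new(algo)
    h.update(data[:checksum_off])                  # headers up to CheckSum
    h.update(data[checksum_off + 4:secdir_off])    # skip CheckSum, up to security dir
    if loc is None:
        h.update(data[secdir_off + 8:])
    else:
        off, size = loc
        h.update(data[secdir_off + 8:off])         # skip the directory entry itself
        h.update(data[off + size:])                # skip the table, keep any trailer
    return h.hexdigest()


def build_toy_pe(payload=b"\xc3" * 16, pkcs7=None):
    """Constructed test data: a minimal PE32 image with one section. If pkcs7 is
    given, append a WIN_CERTIFICATE table the way signcode does and point the
    security directory at it."""
    align = 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, align)               # Section/FileAlignment
    struct.pack_into("<I", opt, 60, align)                        # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                       align, align, 0, 0, 0, 0, 0x60000020)
    image = bytearray((bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(align, b"\0"))
    image += payload.ljust(align, b"\0")
    if pkcs7 is not None:
        entry = struct.pack("<IHH", 8 + len(pkcs7), WIN_CERT_REVISION_2_0,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        entry = entry.ljust((len(entry) + 7) & ~7, b"\0")         # table is 8-byte aligned
        struct.pack_into("<II", image, _pe_layout(image)[1], len(image), len(entry))
        image += entry
    return bytes(image)


if __name__ == "__main__":
    import sys
    pe = open(sys.argv[1], "rb").read()
    print("signed:", parse_win_certificate(pe) is not None,
          " authenticode sha1:", authenticode_digest(pe))
```

Run it against the signed MyApp.exe to see the embedded PKCS#7 blob and the digest; the same digest computed before and after signing shows that attaching the signature leaves the protected hash unchanged, while any byte changed in a section or appended after the certificate table alters it.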

References

  • Microsoft Authenticode Digital ID Instructions (the official guide by VeriSign): http://www.verisign.com/support/code-signing-support/code-signing/identity-authentication.html
  • Signing and Checking Code with Authenticode (MSDN): http://msdn2.microsoft.com/en-us/library/ms537364.aspx
  • Signing a XPI (en/Signing_a_XPI)
