This article describes how to digitally sign an executable file, including a Windows application installer, with a Microsoft Authenticode Digital ID.
Microsoft has, of course, its own signing tools in the SDK, but another option is to use Mono. Mono's signing tools allow you to sign an executable even on a Mac or Linux box.
Download and install the latest version of the Mono Framework. It is open source and free software!
On Mac OS X:
Install root and intermediate certificates
You have to install the root and intermediate certificates for your own certificate.
If your CA is VeriSign, you can find them here:
Save them to your local disk and install the two files into your Mono CA certificate store as follows:
certmgr -add -c CA C3_PCA_G3v2.cer
certmgr -add -c CA CodeSigningCA.cer
certmgr -list -c CA
Fix a problem
Signing with a public key (an SPC file) issued by Thawte or VeriSign will fail (bug). The workaround is:
- Open your SPC file in the Certificate Manager of Windows
- Select your certificate for code signing
- Right-click on the certificate and select All Tasks > Export
- Certificate Export Wizard is shown
- In the Export File Format page, select PKCS #7 and check the "Include all certificates in the certification path if possible" option. If it is left unchecked, Windows Vista will fail to verify the signature (bug)
- Then export it
- Use the exported P7B file with Mono instead of the original SPC file
Prior to Mono 1.2.4, you will also run into another problem with a password-protected PVK file.
signcode \
  -spc (path to your public key).p7b \
  -v (path to your private key).pvk \
  -a sha1 -$ commercial \
  -n "My Application" \
  -i http://www.example.com/ \
  -t http://timestamp.verisign.com/scripts/timstamp.dll \
  -tr 10 \
  MyApp.exe
chktrust -v MyApp.exe
For some reason this step fails in the author's environment, but if the time stamp in the output looks right, the executable has been signed successfully. Note that Microsoft has since deprecated SHA-1 for Authenticode, so a signature made with -a sha1 may not be trusted by current Windows releases; check what your target Windows versions accept.
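When chktrust is not giving a usable answer, it helps to look at what signcode actually wrote into the file. The following is an added example (not code from the article, from Mono or from Microsoft): it parses the PE headers, follows the security data directory to the WIN_CERTIFICATE that holds the PKCS#7 blob, checks that the blob really is pkcs7-signedData, and computes the Authenticode file digest the way the signer does (skipping the CheckSum field, the security directory entry and the certificate table, which is why the digest of a file is the same before and after the signature is appended). The sample PE image and the signature blob are constructed inside the example so that it runs offline; neither is a real program or a real signature.

```python
"""Inspect the Authenticode signature embedded in a PE file without chktrust.

Added example, not code from the article or from Mono. Follows
IMAGE_DIRECTORY_ENTRY_SECURITY to the WIN_CERTIFICATE, checks for PKCS#7
SignedData, and computes the Authenticode digest. Sample PE is constructed.
"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
PKCS7_SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")  # DER of 1.2.840.113549.1.7.2


def _parse_headers(data):
    """Return the header offsets needed to find the signature and hash the file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dirs = opt + (96 if magic == 0x10B else 112)          # data directories: PE32 vs PE32+
    if struct.unpack_from("<I", data, dirs - 4)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        raise ValueError("no security data directory")    # NumberOfRvaAndSizes too small
    secdir = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", data, secdir)   # a file offset, not an RVA
    return dict(checksum_off=opt + 64, secdir_off=secdir,           # CheckSum: same offset in PE32/PE32+
                size_of_headers=struct.unpack_from("<I", data, opt + 60)[0],
                section_table=opt + size_of_opt, num_sections=num_sections,
                cert_off=cert_off, cert_size=cert_size)


def _is_pkcs7_signed_data(blob):
    """Minimal DER check: SEQUENCE { OID pkcs7-signedData, ... }."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    pos = 2 + (blob[1] & 0x7F if blob[1] & 0x80 else 0)   # skip long-form length bytes
    return blob[pos:pos + len(PKCS7_SIGNED_DATA_OID)] == PKCS7_SIGNED_DATA_OID


def find_authenticode(data):
    """Describe the embedded signature, or return None when the file is unsigned."""
    h = _parse_headers(data)
    off, size = h["cert_off"], h["cert_size"]
    if size == 0:
        return None
    if size < 8 or off + size > len(data):
        raise ValueError("security directory points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)   # WIN_CERTIFICATE header
    if length > size or revision != WIN_CERT_REVISION_2_0 or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unexpected WIN_CERTIFICATE header")
    blob = data[off + 8:off + length]
    return {"offset": off, "length": length, "pkcs7": blob, "is_signed_data": _is_pkcs7_signed_data(blob)}


def authenticode_digest(data, algo="sha1"):
    """Hash the file the way Authenticode does: skip CheckSum, the security directory
    entry and the certificate table; hash section raw data in file order."""
    h = _parse_headers(data)
    md = hashlib.new(algo)
    md.update(data[:h["checksum_off"]])
    md.update(data[h["checksum_off"] + 4:h["secdir_off"]])
    md.update(data[h["secdir_off"] + 8:h["size_of_headers"]])
    hashed = h["size_of_headers"]
    sections = [struct.unpack_from("<II", data, h["section_table"] + 40 * i + 16)
                for i in range(h["num_sections"])]            # (SizeOfRawData, PointerToRawData)
    for raw_size, raw_ptr in sorted(sections, key=lambda s: s[1]):
        md.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    end = h["cert_off"] if h["cert_size"] else len(data)      # trailing data, minus the cert table
    if end > hashed:
        md.update(data[hashed:end])
    return md.hexdigest()


# Constructed stand-in for a real blob: a DER SEQUENCE starting with the signedData OID, then filler.
FAKE_SIGNED_DATA = b"\x30\x3f" + PKCS7_SIGNED_DATA_OID + b"\xa0\x32" + b"\0" * 50


def build_sample_pe(signature=b""):
    """Construct a minimal PE32 image with no sections (test data, not a real program).
    With `signature`, append a WIN_CERTIFICATE around it and point the security
    directory entry at it, which is what signcode does to a real executable."""
    dos = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 64))   # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, 0 sections, PE32 opt hdr
    opt = bytearray(224)
    header_len = 64 + 4 + 20 + 224
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 60, header_len)                  # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)                  # CheckSum (not part of the digest)
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    cert = b""
    if signature:
        cert = struct.pack("<IHH", 8 + len(signature), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature
        cert += b"\0" * (-len(cert) % 8)                         # entries are 8-byte aligned
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, header_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert
```

Run find_authenticode on MyApp.exe after signcode finishes: None means nothing was written, while a result with is_signed_data set means the PKCS#7 blob is in place and it is the timestamp or chain that chktrust is unhappy about. authenticode_digest(data, "sha1") yields the value that signcode -a sha1 embeds in the signature's SpcIndirectDataContent, so a file whose digest differs from the embedded one has been modified after signing.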
- Microsoft Authenticode Digital ID Instructions - the official guide by VeriSign
- Signing and Checking Code with Authenticode - MSDN