Signing an executable with Authenticode

  • Revision slug: Signing_an_executable_with_Authenticode
  • Revision title: Signing an executable with Authenticode
  • Revision id: 67925
  • Creator: Kohei
  • Is current revision? No


This article describes how to digitally sign your executable file, including a Windows application installer, with a Microsoft Authenticode Digital ID.

Note: This article is not intended to recommend a certificate from any particular CA. The following instructions are provided as a courtesy.

Introduction

Microsoft provides its own signing tools in the Windows SDK, but another option is to use Mono (http://www.mono-project.com/). Mono's signing tools let you sign an executable even on a Mac or Linux box.

Get Mono

Download (http://www.mono-project.com/Downloads) and install the latest version of the Mono framework. It's open source and free software!

Set path

On Mac OS X, add Mono's command directory to your PATH:

export PATH=${PATH}:/Library/Frameworks/Mono.framework/Commands

Install root and intermediate certificates

You have to install the root and intermediate certificates of the CA that issued your own code-signing certificate.

If your CA is VeriSign, you can find them here:

  • VeriSign Primary PCA Root Certificates: http://www.verisign.com/support/roots.html
  • VeriSign Code Signing Intermediate CA Certificate: http://www.verisign.com/support/verisign-intermediate-ca/code-signing-intermediate/

Save them to your local disk and add the two files to your Mono CA store as follows (the last command lists the store so you can confirm both were added):

certmgr -add -c CA C3_PCA_G3v2.cer
certmgr -add -c CA CodeSigningCA.cer
certmgr -list -c CA

For GlobalSign:

  • GlobalSign Root CA, GlobalSign Primary Object Publishing CA, and GlobalSign ObjectSign CA: http://www.globalsign.com/support/root-certificate/osroot.htm

Fix a problem

Signing with the public key file (an SPC file, the PKCS #7 container holding your certificate) issued by Thawte or VeriSign fails because of a Mono bug (https://bugzilla.novell.com/show_bug.cgi?id=316337). The workaround is:

  1. Open your SPC file in the Certificate Manager of Windows
  2. Select your code-signing certificate
  3. Right-click on the certificate and select All Tasks > Export
  4. The Certificate Export Wizard opens
  5. On the Export File Format page, select PKCS #7 and check the "Include all certificates in the certificate path if possible" option. If it is left unchecked, Windows Vista will fail to verify the signature (bug: https://bugzilla.novell.com/show_bug.cgi?id=323620)
  6. Complete the export
  7. Use the exported P7B file with Mono instead of the original SPC file

Prior to Mono 1.2.4, you'll also encounter another problem with password-protected PVK files (see http://projects.zillabit.com/authenticode.html).

Sign

Sign the executable with the exported P7B file and your PVK private key; the -t option adds a timestamp from VeriSign's service:

signcode \
 -spc (path to your public key).p7b \
 -v (path to your private key).pvk \
 -a sha1 -$ commercial \
 -n My\ Application \
 -i http://www.example.com/ \
 -t http://timestamp.verisign.com/scripts/timstamp.dll \
 -tr 10 \
 MyApp.exe

Verify

chktrust -v MyApp.exe

This verification step fails in the author's environment for an unknown reason. If the timestamp shown in the output looks right, though, your executable has been signed successfully.
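What exactly does signcode sign, and what does chktrust recompute? The following script is an added example and is not code from the original article or from the Mono project. It implements the Authenticode hash of a PE file as laid out in the public Authenticode PE specification: the whole file is digested except the CheckSum field, the Certificate Table data-directory entry and the attribute certificate table appended at the end of the file. That is why a signature can be added to a finished binary without invalidating the hash, and why any change to a section shows up as a mismatch at verification time. The PE image, the WIN_CERTIFICATE wrapper and the .text bytes are all constructed inline and are not a real program. The -a sha1 option in the signcode command corresponds to algorithm="sha1" here; SHA-1 has since been deprecated for code signing, so the function also takes "sha256".

```python
# Added example (not from the original article or from Mono): the Authenticode
# hash of a PE image, i.e. the digest that signcode signs and chktrust recomputes.
# Per the public Authenticode PE specification the whole file is hashed except
# the CheckSum field, the Certificate Table data-directory entry and the
# attribute certificate table (the PKCS#7 signature) appended at the end.
# The PE32 image built below is constructed for the demo; it is not a real program.
import hashlib
import struct


def authenticode_hash(data, algorithm="sha1"):
    """Return the hex Authenticode digest of the PE image in `data`."""
    h = hashlib.new(algorithm)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    number_of_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                    # PE32
        data_dirs = opt + 96
    elif magic == 0x20B:                                  # PE32+
        data_dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    checksum_off = opt + 64                               # CheckSum field
    cert_dir_off = data_dirs + 4 * 8                      # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_table_size = struct.unpack_from("<II", data, cert_dir_off)[1]

    # 1. Headers, skipping the 4-byte CheckSum and the 8-byte certificate entry.
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:cert_dir_off])
    h.update(data[cert_dir_off + 8:size_of_headers])

    # 2. Section raw data, ordered by file offset.
    sec_hdr = opt + size_of_optional_header
    sections = []
    for i in range(number_of_sections):
        size_of_raw, ptr_raw = struct.unpack_from("<II", data, sec_hdr + i * 40 + 16)
        if size_of_raw:
            sections.append((ptr_raw, size_of_raw))
    bytes_hashed = size_of_headers
    for ptr_raw, size_of_raw in sorted(sections):
        h.update(data[ptr_raw:ptr_raw + size_of_raw])
        bytes_hashed += size_of_raw

    # 3. Trailing data after the sections, minus the certificate table itself.
    extra = len(data) - bytes_hashed - cert_table_size
    if extra > 0:
        h.update(data[bytes_hashed:bytes_hashed + extra])
    return h.hexdigest()


def fake_win_certificate(body):
    """Constructed WIN_CERTIFICATE wrapper (revision 2.0, type PKCS#7) around a
    placeholder body; a real one carries the PKCS#7 SignedData that signcode emits."""
    blob = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    return blob.ljust((len(blob) + 7) // 8 * 8, b"\0")   # entries are 8-byte aligned


def build_minimal_pe(section_payload, checksum=0, cert_blob=b""):
    """Assemble a constructed PE32 image: DOS stub, PE headers, one .text section
    and, optionally, an appended attribute certificate table."""
    file_align, e_lfanew, size_of_headers = 0x200, 0x40, 0x200
    section_raw = section_payload.ljust(file_align, b"\0")
    cert_off = size_of_headers + len(section_raw) if cert_blob else 0
    dos = bytearray(b"MZ".ljust(e_lfanew, b"\0"))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt_std = struct.pack("<HBBIIIIII", 0x10B, 0, 0, len(section_raw), 0, 0,
                          0x1000, 0x1000, 0)
    opt_win = struct.pack("<IIIHHHHHHIIIIHHIIIIII",
                          0x400000, 0x1000, file_align,    # ImageBase, alignments
                          4, 0, 0, 0, 4, 0,                # OS/image/subsystem versions
                          0, 0x2000, size_of_headers, checksum,
                          2, 0,                            # Subsystem, DllCharacteristics
                          0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 4 * 8, cert_off, len(cert_blob))
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_payload), 0x1000,
                          len(section_raw), size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt_std + opt_win + dirs + section
    return bytes(headers.ljust(size_of_headers, b"\0") + section_raw + cert_blob)


def demo(algorithm="sha1"):
    """Hash an unsigned image, the same image with a checksum and a fake signature
    appended, and a tampered image; return the three digests."""
    payload = b"\xB8\x00\x00\x00\x00\xC3"                 # constructed: mov eax,0; ret
    unsigned = build_minimal_pe(payload)
    signed = build_minimal_pe(payload, checksum=0xDEADBEEF,
                              cert_blob=fake_win_certificate(b"placeholder PKCS#7"))
    tampered = build_minimal_pe(payload + b"\x90")        # one extra byte in .text
    return (authenticode_hash(unsigned, algorithm),
            authenticode_hash(signed, algorithm),
            authenticode_hash(tampered, algorithm))


if __name__ == "__main__":
    h_unsigned, h_signed, h_tampered = demo()
    print("unsigned :", h_unsigned)
    print("signed   :", h_signed, "(same: signature and checksum are not hashed)")
    print("tampered :", h_tampered, "(differs: chktrust would reject this file)")
```

Running the script prints three digests: the first two are equal, because appending the certificate table and filling in the checksum touch only bytes the algorithm skips, and the third differs, which is the condition under which chktrust reports a bad signature. On a real signed binary, authenticode_hash(open(path, "rb").read()) yields the value to compare against the file digest stored inside the signature's PKCS#7 SignedData.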

References

  • Microsoft Authenticode Digital ID Instructions (http://www.verisign.com/support/code-signing-support/code-signing/identity-authentication.html) - the official guide by VeriSign
  • Signing and Checking Code with Authenticode (http://msdn2.microsoft.com/en-us/library/ms537364.aspx) - MSDN
  • Signing a XPI (en/Signing_a_XPI)
