The following items are required for code signing on Windows:
- Code signing certificate: Digital certificate to identify you, the publisher
- SignTool.exe: Performs the actual code signing.
The Sign Tool is included with Visual Studio 2005. It is not part of Visual Studio 2008 and 2010, but it can be found in all newer Platform SDKs. It is usually located in one of the following directories:
- C:\Program Files\Microsoft Platform SDK for Windows Server 2003 R2\Bin
- C:\Program Files\Microsoft SDKs\Windows\v6.0\bin
- C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin
- C:\Program Files\Microsoft SDKs\Windows\v7.0A\bin
- C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin
- C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin
Obtaining a Certificate
Code signing certificates can be obtained in one of three ways:
- From a commercial certificate authority, such as GoDaddy, Thawte, VeriSign or StartCom
- From a certificate service running within your organization or home office
- From a manually created self-signed certificate using Makecert.exe.
Self-signed certificates can be created instantly by anyone and should therefore only be used for development and testing. Since there is no trusted organization backing up the identity you’re claiming, most end-users who don’t know you will likely not trust your software.
If your product is to be used only within an organization, such as a company, a locally trusted Certificate Service running on your company’s network can be used to generate a certificate. For commercial products distributed over the internet, however, it is recommended to generate the certificate through a trusted root certficiate authority, because these are already trusted in all modern operating systems, and your end users will likely not be willing to execute your software without them.
Commercial code signing certificates come in different flavors and packages, and it is worthwhile to shop around before possibly shelling out hundreds of dollars. At the time of this writing, a simple code signing certificate that covers most applications, such as ActiveX controls, DLLs, CAB files and installers can be purchased for $180 per year. Specialized applications, such as signed device drivers for 64-bit versions of Microsoft Windows usually require more expensive packages.
For projects that are not associated with a company or public organization you may also consider purchasing StartCom’s affordable Class 2 Identity Validation for less than $50, which can be used to create personal code signing certificates.
Please note that the duration of a certificate’s validity only affects how long it can be used to sign new products. Old software will continue to function beyond this time period – if signed with a timestamp.
Certificates for code signing generally consist of a pair of two files:
- A Software Publisher Certificate File (.spc) containing the public part of the certificate
- A Private Key File (.pvk) containing the private key used to create the certificate
As the name suggests, the private key file should be known only to the software publisher and never be disclosed to anyone, because it can be used to generate certificates in the publisher’s name.
Finally, the file needed for the signing of binaries under Windows is a PKCS #12 Personal Information Exchange File (comes with different file extensions, such as .pfx or .p12) that stores an encrypted version of the certificate. This file can be generated from the two files above using Microsoft’s Digital Certificate Files Importer or it can be exported from the web browser (see next paragraphs).
Exporting PFX from a Web Browser
With most commercial certificate authorities it is possible to perform the entire certificate creation process in a web browser. It generally starts with the user initiating a certificate request by purchasing a certificate. The web browser then creates, submits and locally stores a Certificate Enrollment Request. These requests are being verified by the certificate authority within a few days. Upon approval, the certificate authority will provide a link where a .spc file can be downloaded and/or installed in the web browser. If installed, the web browser can then export a PKCS #12 file.
- Click Tools → Options
- In the Advanced section select the Encryption tab and click View Certificates
- Select the certificate to be exported and click Backup
- Chose PKCS12 as the file type to save
- Create a strong password to protect the private key inside the saved file and click OK.
Firefox should confirm that the export was completed successfully.
- Click Tools → Options
- On the Content tab click Certificates
- Select the certificate to be exported and click Export…
- In the Certificate Export Wizard check Yes, export the private key, and click Next
- Select the Personal Information Exchange format, check Include all certificates in the certification path if possible, check Delete the private key if the export is successful, and check Export all extended properties, then click Next
- Create a strong password to protect the private key inside the saved file and click Next
- Enter a file name for the target file, click Next, and then Finish.
Internet Explorer should confirm that the export was completed successfully.
Exporting PFX from SPC/PVK Pair
If you created a certificate manually, through a certificate service or otherwise ended up with a SPC/PVK file pair, you will need to use Microsoft’s Pwkimprt.exe tool to manually create a .pfx file for signing with the following command line:
pvkimprt -pfx YourCertificate.spc YourPrivateKey.pvk
The importer may ask for a password if one has been used to protect the private key file (which is highly recommended). The file format to be exported must be Personal Information Exchange – PKCS #12 (.PFX), and the Include all certificates in the certification path if possible and Enable strong protection options should be checked.
Please note that the pvkimprt.exe in the download is just a self-extracting ZIP file that contains the actual pvkimprt.exe, which needs to be extracted first.
Signing The Binaries
Once the PKCS #12 file (.pfx, .p12 or similar) is available, everything is ready to sign the software. The code signing is performed with Microsoft’s Sign Tool and consists of a single command line:
signtool sign /f YourCertificate.pfx /p YourCertificatePassword
/t TimeStampUrl /d "ProductName" /du ProductUrl FileToSign
The parameters in the command line above are as follows:
- YourCertificate: The PFX file generated with Pvkimprt.exe in the previous step
- YourCertificatePassword: The password used to protect the private key in the PFX file
- TimeStampUrl: The URL to a server that provides a timestamp.
Please note that timestamps are optional, but they ensure that the signed product will not expire after the code signing certificate expires. If timestamps are not used, the product must be signed again with a new certificate after the old one expired. Otherwise the software will continue to function until the timestamp certificate expires, which is usually at least a few years in the future.
Commonly used timestamp servers are provided by root certificate authorities, for example:
Other servers, including your own, may be used instead.
- ProductName: User defined name of the product to be signed, i.e. "My Cool Product"
- ProductUrl: User defined web URL for the product to be signed, i.e. http://www.mycoolproduct.com
- FileToSign: The product to be signed, i.e. MyCoolActiveX.dll, MyCoolProgram.exe or MyCoolInstaller.msi
Verifying a Signature
Once a file is signed, the signature can be verified by selecting the Digital Signatures tab, which should now be present in the file’s properties.
It is also possible to invoke a signature check using the Sign Tool with the following command line:
signtool verify /pa FileToSign
- Acquire a Code Signing Certificate (MSDN)
- Signed vs. Self-signed Certificates (About.com)
- Converting an Exported PFX to PVK and SPC Files Using Windows (GoDaddy)
- Sign Java Code (GoDaddy)
- Sign Macintosh OS X Code (Apple)
- Authenticode Signing for Game Developers (MSDN)
- Microsoft’s Cryptography Tools (MSDN)