February 19, 2016

Code Signing Applications For Microsoft Windows


In order for your users to install and run your application without receiving an “unknown publisher” warning it must be signed with a Microsoft Authenticode (Code Signing) Certificate.


Signing applications requires a free signing tool provided by Microsoft and a code-signing certificate from a third-party certificate provider.

Obtain Certificate

To get started you must have a code-signing certificate. This is similar to an SSL certificate, however it is used specifically for signing code. Though it is possible to generate your own self-signed certificates, they are only helpful for internal testing and so we won’t go into that here. We’ll assume you want to publish your apps and so a third-party cert provider is required.

For open source projects, Certum.pl offers an affordable code signing cert at €14 + fees (approx. $18 USD). See the Certum Open Source Signing page for more information. Other providers such as Verisign, Thawte and Comodo offer code-signing certs. Prices vary but average around a few hundred USD per year.

Once you have chosen your cert provider, complete their application process for a code signing certificate. The process varies slightly from one provider to the next but generally you will be required to provide proof of identification and method of payment.

Once the process is complete your certificate will be generated and you will receive a notification. You should download your cert using the “online install” method. Your browser will automatically download and install the certificate into your machine’s certificate storage.

Convert Certificate to PFX

Your certificate is now installed on your machine, however you need to export it as a PFX file in order to use it for signing. Windows provides the utility Certificate Manager to view and manage certificates.


Step By Step:

  • Run certmgr.msc to open Certificate Manager.
  • Locate the newly installed certificate. It is likely to be found under the menu: Certificates > Personal > Certificates.
  • Right-click the certificate and select All Tasks > Export...
  • Follow the export wizard to export a PFX file.
    • Select the option to include the private key
    • Specify a password to be used with your cert
    • All other defaults are fine

After running the wizard, you should have a cert file with the extension .pfx.
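The same export can be scripted. The following is an added example, not part of the original post: it locates a code-signing certificate in the Personal store with PowerShell, exports it to a password-protected PFX with Export-PfxCertificate (PKI module, Windows 8 / Server 2012 and later), and then re-reads the file to confirm the private key was included. The subject name "Example Publisher" and the output path are placeholders for your own values.

```powershell
# Added example (not the original post's code): export a code-signing
# certificate from Cert:\CurrentUser\My to a PFX without the certmgr.msc wizard.
# Assumes the certificate was installed with an exportable private key.

# -CodeSigningCert limits the listing to certificates with the Code Signing EKU;
# HasPrivateKey drops any that are public-key only.
$candidates = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey }

if (-not $candidates) {
    throw 'No code-signing certificate with a private key found in Cert:\CurrentUser\My'
}

# Prefer the certificate issued to you (placeholder subject); fall back to the first match.
$cert = $candidates | Where-Object { $_.Subject -like '*CN=Example Publisher*' } |
    Select-Object -First 1
if (-not $cert) { $cert = $candidates | Select-Object -First 1 }

"Exporting: $($cert.Subject)"
"  Thumbprint: $($cert.Thumbprint)"
"  Valid until: $($cert.NotAfter)"

# Prompt for the PFX password instead of hard-coding it in the script.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the PFX file'
$pfxPath     = Join-Path $env:USERPROFILE 'mycert.pfx'   # placeholder output path

# BuildChain includes the intermediate CA certificates, so signtool can build
# the full chain later without consulting the local store.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword `
    -ChainOption BuildChain | Out-Null

# Sanity check: load the PFX back and confirm it still carries the private key.
$reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $pfxPath, $pfxPassword
if (-not $reloaded.HasPrivateKey) {
    throw "Export succeeded but $pfxPath has no private key; re-export with the private key included"
}
"Wrote $pfxPath (thumbprint $($reloaded.Thumbprint)) with private key"
```

If the export fails with an error about the key not being exportable, the certificate was installed with a non-exportable key and must be reinstalled (or re-issued) before a PFX can be produced.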

Apps and executables are signed using SignTool.exe which is part of the Windows SDK (it may also be included with Visual Studio). For convenience it’s recommended to add the Windows Kit folder to your environment path.

Add SignTool To Your Path

In Windows 10 the signing tool is located in C:\Program Files (x86)\Windows Kits\10\bin. In other versions of Windows the SDK may be located in C:\Program Files\Windows Kits\8.0\bin or a similarly named location.

Once you add the location of SignTool.exe to your system path, you will be able to run “signtool” from the command line without specifying the full path to the Windows SDK every time.

Sign Your Application

With SignTool in your path and your PFX cert file, you are ready to sign applications.

If your application does not have an installer, then you only need to sign the .exe file. For applications that have an installer, you must first sign the application .exe before it is packaged into an installer. After packaging you must sign the installer itself.

# 1. SIGN THE EXECUTABLE
signtool sign /f "mycert.pfx" /p mypassword "My App.exe"

# 2. PACKAGE THE APP INTO AN INSTALLER...

# 3. SIGN THE INSTALLER
signtool sign /f "mycert.pfx" /p mypassword "My App Setup.exe"

WARNING: Once you have signed an executable you cannot rename or alter the file in any way or the signature will be invalid. If you need to rename anything, do so first before signing.
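The following is an added example, not part of the original post, that wraps the signing step in a PowerShell script, verifies the result two ways, and then demonstrates the warning above by modifying a copy of the signed file and checking its signature again. It assumes signtool.exe is on the PATH, that mycert.pfx and "My App.exe" are placeholders for your own files, and it uses an obviously fake timestamp URL (http://timestamp.example.invalid) where you should substitute the RFC 3161 timestamp server your certificate provider documents. Two flags beyond the post's command are used: /fd SHA256 selects the SHA-256 file digest rather than the older SHA-1 default, and /tr with /td adds a timestamp so the signature remains valid after the certificate itself expires.

```powershell
# Added example (not the original post's code): sign, verify, and show that
# altering a signed file invalidates its Authenticode signature.
$pfx    = 'mycert.pfx'      # placeholder: your exported PFX
$target = 'My App.exe'      # placeholder: the executable to sign
$tsUrl  = 'http://timestamp.example.invalid'   # placeholder: your provider's RFC 3161 server

# Prompt for the password; signtool only accepts it as plain text on its
# command line, so convert it at the moment of use rather than storing it.
$securePassword = Read-Host -AsSecureString -Prompt 'PFX password'
$plainPassword  = [System.Net.NetworkCredential]::new('', $securePassword).Password

# 1. Sign with a SHA-256 file digest and an RFC 3161 timestamp.
& signtool sign /f $pfx /p $plainPassword /fd SHA256 /tr $tsUrl /td SHA256 $target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

# 2. Verify with signtool against the default Authenticode policy (/pa), verbosely.
& signtool verify /pa /v $target
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit code $LASTEXITCODE)" }

# 3. The same check from PowerShell, which returns a status object rather than text.
$sig = Get-AuthenticodeSignature -FilePath $target
"After signing:   Status=$($sig.Status)  Signer=$($sig.SignerCertificate.Subject)"
if ($sig.Status -ne 'Valid') { throw "Unexpected signature status: $($sig.Status)" }

# 4. Demonstrate the warning: any change to the bytes of a signed file breaks the
#    signature. Work on a copy so the real artifact stays intact.
$copy = Copy-Item -Path $target -Destination 'My App (tampered copy).exe' -PassThru
[System.IO.File]::AppendAllText($copy.FullName, 'x')   # append a single byte
$sigTampered = Get-AuthenticodeSignature -FilePath $copy.FullName
"After altering:  Status=$($sigTampered.Status)"        # expected: HashMismatch
Remove-Item -Path $copy.FullName
```

Run the script once per artifact (the application .exe before packaging, then the installer after packaging). The verification steps are the ones to keep in a build pipeline: a non-zero exit from signtool verify, or any Get-AuthenticodeSignature status other than Valid, means the file that would ship is not the file that was signed.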

Now that your application and installer have been signed, your customers and users can install and run it without being blocked or seeing security warnings regarding an unknown publisher.
