Signing Code using Microsoft’s signtool

Background

Now that we have our code signing certificate in place, let us see whether we can use it.

Lineage

  1. Preparing Code Signing Certificate using Microsoft’s makecert

Command Line

Rather than use Visual Studio, Eclipse, or another modern IDE, we will go directly to the command line and use Microsoft’s signtool.

Sample Code

Batch File

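setlocal

rem Folder that holds signtool.exe (no trailing backslash; one is added when the path is built)
set "_appFolder=C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool"
set "_app=signtool.exe"

rem Certificate store to search ("My" is the Personal store of the current user)
set "_store=My"

rem File to sign
set "_appTarget=stub.exe"

rem RFC 3161 timestamp server, used with /tr
set "_urlTimeServer=http://timestamp.digicert.com"

rem Select the certificate by subject name; change to useCertHash to select it by thumbprint
goto useCertName

:useCertName
set "_subject=Daniel Adeniji ( codesign self )"
rem Request SHA256 explicitly for the file digest (/fd) and the timestamp digest (/td)
rem instead of relying on signtool's defaults
"%_appFolder%\%_app%" sign /s %_store% /fd SHA256 /tr "%_urlTimeServer%" /td SHA256 /n "%_subject%" "%_appTarget%"
goto complete

:useCertHash
set "_certhash=6543843ADABB05C1223AA031C1984DDFEEB5F021"
"%_appFolder%\%_app%" sign /s %_store% /fd SHA256 /tr "%_urlTimeServer%" /td SHA256 /sha1 "%_certhash%" "%_appTarget%"
goto complete

:complete
endlocal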

Output

Review

Let us review the signed file.

Windows Explorer

Please launch Windows Explorer, select the file, right-click on your selection, and review its properties.

File Property

Images

Windows Explorer – File Property – Digital Signatures

Here we notice that we have a new tab, Digital Signatures.

Windows Explorer – File Property – Digital Signature Details
Signer Information
  1. Signer Name :- Daniel
  2. Email :- No Name
    • Need to fix that and ensure that we have a name in a later iteration preparing SSL certificates
  3. Signing Time

View Certificate
View Certificate – Tab – General
  1. Purpose
    • Ensures software came from software publisher
    • Protects software from alteration after publication
View Certificate – Tab – Details
  1. Enhanced Key Usage
    • Code Signing (1.3.6.1.5.5.7.3.3)

View Certificate – Tab – Certification Path
  1. Path
    • Daniel (codesign self)
      • Daniel ( codesign root )
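
The same review can be scripted instead of clicked through in Explorer. The PowerShell below is an added example, not part of the original post; it assumes stub.exe is in the current directory and that the thumbprint passed to /sha1 in the batch file belongs to the signing certificate.

```powershell
# Added example: scripted version of the Explorer review above.
# Assumptions: default path and thumbprint are taken from the batch file on this page.
param(
    [string]$Path = '.\stub.exe',
    [string]$ExpectedThumbprint = '6543843ADABB05C1223AA031C1984DDFEEB5F021'
)

$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing

$sig  = Get-AuthenticodeSignature -FilePath $Path
$cert = $sig.SignerCertificate
if ($null -eq $cert) {
    throw "No Authenticode signature found on $Path (status: $($sig.Status))"
}

# Collect the EKU OIDs from the certificate's Enhanced Key Usage extension.
$ekuOids = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value }

# Rebuild the certification path. Revocation checking is turned off because a
# makecert test root normally publishes no CRL.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainBuilds = $chain.Build($cert)
$certPath = $chain.ChainElements | ForEach-Object { $_.Certificate.Subject }

# Status is 'Valid' only if the chain ends in a root this machine trusts.
[pscustomobject]@{
    File              = $sig.Path
    Status            = $sig.Status
    StatusMessage     = $sig.StatusMessage
    Signer            = $cert.Subject
    ThumbprintMatches = ($cert.Thumbprint -eq $ExpectedThumbprint)
    HasCodeSigningEku = ($ekuOids -contains $codeSigningOid)
    Timestamped       = ($null -ne $sig.TimeStamperCertificate)
    ChainBuilds       = $chainBuilds
    CertificationPath = ($certPath -join ' <- ')
}
```

A false Timestamped value means the /tr step did not take effect, so the signature stops validating once the signing certificate expires.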

