How to sign your exe's with a digital certificate

 
Post new topic   Reply to topic    forum.vdsworld.com Forum Index -> Miscellaneous
View previous topic :: View next topic  
Author Message
PGWARE
Web Host
Joined: 29 Dec 2001
Posts: 1537

Posted: Sat Mar 15, 2008 11:49 pm    Post subject: How to sign your exe's with a digital certificate

How to use SignTool.exe to sign your exe's with a digital certificate


1. Download the Windows Server 2003/2008 Platform SDK http://www.microsoft.com/downloads/details.aspx?FamilyId=A55B6B43-E24F-4EA3-A93E-40C0EC4F68E5&displaylang=en. This file contains the code signing certificate files needed as well as other SDKs.


2. After downloading and installing you will find the SIGNTOOL.EXE and PVK2PFX.EXE files within the directory typically found at: C:\Program Files\Microsoft SDKs\Windows\v6.1\bin\ . Copy these two files somewhere else; you can then uninstall the SDK if you wish.


3. Purchase a Code Signing Digital Certificate. Verisign, Thawte and Comodo offer them. They typically range in price from $100 - $500 per year. Verisign is the most expensive, Thawte offers the same compatibilities as Verisign's and costs less; and finally Comodo offers the cheapest but their certificate is not valid on Windows 95/98/Me machines unless that computer has been updated with Windows Update with new root certificates. You choose - I recommend Thawte.


4. After you purchase a certificate, it will take approximately 2-3 business days before you receive your .SPC code signing certificate. However you may receive a .PVK private key file before. This private key file usually contains your password that you use when signing certificates. SAVE BOTH OF THESE FILES, and store them in a safe area - also REMEMBER the password on the .PVK file. You do not have to set a password on the PVK file but it is strongly recommended; if you choose not to then on the commands mentioned below you should not use the password parameters.


5. In order to use signtool.exe you need to merge the two files. I will call them MYCERT.spc, and MYKEY.pvk (they may be called something else but the extensions should be the same); you received these two files above in step 4 from the certificate company.

To merge the files use the commandline window in Windows:


PVK2PFX.EXE -pvk MYKEY.pvk -spc MYCERT.spc -pfx MYPFX.pfx -pi PASSWORD


* MYKEY.pvk, MYCERT.spc are the private key and certificates you purchased - rename them above to what your files are named. MYPFX.pfx is the name of the file you wish to save the newly created file as - you will use this file in the future so once it's finished BACK IT UP AND SAVE IT SAFELY. Finally the PASSWORD parameter should be the same password you used when you purchased the certificate and is set on your MYKEY.pvk file.


6. With your new MYPFX.pfx file you can now sign your exe's and dll's using this commandline:


SIGNTOOL.EXE sign /f MYPFX.pfx /p PASSWORD /d "Software Description" /du http://www.yoururl.com/ /t http://timestamp.verisign.com/scripts/timstamp.dll FILENAME.EXE


* Again MYPFX.pfx is the new pfx file that you created in step 5 above. PASSWORD is the same password as you set on your PVK file when you purchased the certificate. You can change the Software Description and the URL to anything you like. Finally FILENAME is the file and path to the exe you want to digitally sign. This also will sign your file with a timestamp - so even when the certificate expires the signed exe will still work with a valid signature.



More information on SIGNTOOL: http://msdn2.microsoft.com/en-us/library/8s9b9yaz.aspx
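As an added example (not from the original post, and not part of signtool or the SDK), here is a Python check a defender can run over a build output to confirm the procedure above actually attached an Authenticode signature: it reads the PE's certificate-table data directory and the WIN_CERTIFICATE header signtool writes there. build_sample_pe is a constructed in-memory PE32 skeleton so the check runs offline; all function names are assumptions.

```python
"""Locate the Authenticode certificate table in a PE image and report its header.
Helper names (security_directory, build_sample_pe, ...) are assumptions for this demo."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data-directory slot holding the signature blob
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # PKCS#7 SignedData, the type signtool emits

def security_directory(data):
    """Return (file_offset, size) of the certificate table, or None when unsigned."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                           # optional header follows COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+ data-directory offset
    off, size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return (off, size) if off and size else None      # security entry is a raw file offset

def signature_info(data):
    """Parse the WIN_CERTIFICATE header: (dwLength, wRevision, wCertificateType) or None."""
    entry = security_directory(data)
    if entry is None:
        return None
    length, revision, cert_type = struct.unpack_from("<IHH", data, entry[0])
    return length, revision, cert_type

def is_authenticode_signed(data):
    """True only if a PKCS#7 SignedData blob is attached (presence, not validity)."""
    info = signature_info(data)
    return info is not None and info[2] == WIN_CERT_TYPE_PKCS_SIGNED_DATA

def build_sample_pe(signed=True):
    """Constructed PE32 skeleton (headers only) used as sample input; not a real program."""
    header_len = 64 + 4 + 20 + 224                    # DOS header + "PE\0\0" + COFF + optional
    blob = b"\x30\x82\x00\x00"                        # stand-in for the DER PKCS#7 contents
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    if signed:                                        # point the security entry at the blob
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, header_len, len(cert))
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x102)
    pe = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0" + coff + bytes(opt)
    return pe + cert if signed else pe
```

This only detects that a signature blob is present; chain validation and timestamp checking are what `signtool verify /pa /v FILENAME.EXE` does against the machine's trust store.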
jules
Professional Member
Joined: 14 Sep 2001
Posts: 1043
Location: Cumbria, UK

Posted: Tue Mar 25, 2008 2:26 pm

An even easier way to do this is to use Tech-Pro CodeSign, which as a matter of interest was written in VDS 6! It provides a GUI for code signing, you can sign executables using drag and drop, and there are even links to download the code signing tools if you don't already have them. If you don't feel like buying a code signing certificate right away you can even generate a self-signed certificate to experiment with.

At Tech-Pro.net there is an article about Authenticode code signing, and also some descriptions of the process of buying and installing a certificate from Comodo.

Regarding Prakash's warning about Comodo certificates, I really wouldn't have thought Windows 98 or earlier PCs that have never been updated are worth worrying about. I have been signing all my executables with a Comodo certificate for the last two years and have never encountered a problem. Most developers don't even support Windows 9x/Me nowadays so I really don't consider it to be an issue.

_________________
The Tech Pro
www.tech-pro.net
PGWARE
Web Host
Joined: 29 Dec 2001
Posts: 1537

Posted: Tue Mar 25, 2008 5:19 pm

Hi Jules :) Great tool and article; I didn't notice them before, much more detailed. I agree that Windows 9x/Me are not really viable platforms but listed it for those that still want to develop for those older platforms.
WidgetCoder
Contributor
Joined: 28 May 2002
Posts: 126
Location: CO, USA

Posted: Tue Apr 13, 2010 12:28 am    Post subject: Code Signing Cert

I recently shopped around for low cost Code Signing and server SSL certificates and found a good deal and thought I should share.

StartSSL:
http://www.startssl.com/

They only charge $49 (every 2 years) for individual or organizational identity verification and then supply: unlimited Class 2 server SSL, Code Signing, and S/MIME client certs. They also offer Class 3 certs for $149 with the same stuff.

They have a code signing how-to on their forum:
http://forum.startcom.org/viewtopic.php?f=15&t=1654&sid=82b764771296b02c535cda9c08d4c4c5
I used the second (signtool.exe) example on a couple of exe's and it worked great...
PGWARE
Web Host
Joined: 29 Dec 2001
Posts: 1537

Posted: Tue Apr 13, 2010 1:55 am

Nice find, as long as their root certificates are installed on Windows 2003+ then it should be fine.
WidgetCoder
Contributor
Joined: 28 May 2002
Posts: 126
Location: CO, USA

Posted: Tue Apr 13, 2010 6:56 am

Yes sir, I had similar concerns until discovering that Microsoft's "Update Root Certificate Component" was installed and enabled by default in their 2004 service packs. Users could of course disable this component although I would assume that would be a very small portion of the users out there.

Copied from MS TechNet:

Windows Server 2003 SP1 (July 31, 2004)
Quote:
The Update Root Certificates component in the Windows Server 2003 family is designed to automatically check the list of trusted authorities on the Microsoft Windows Update Web site when this check is needed by an application. Specifically, if the application is presented with a certificate issued by a certification authority that is not directly trusted, the Update Root Certificates component (if present) will contact the Microsoft Windows Update Web site to see if Microsoft has added the certification authority to its list of trusted authorities. If the certification authority has been added to the Microsoft list of trusted authorities, its certificate will automatically be added to the trusted certificate store on the computer. Note that the Update Root Certificates component is optional, that is, it can be removed or excluded from installation on a computer running a product in the Windows Server 2003 family.


XP SP2 (August 06, 2004)
Quote:
The Update Root Certificates component in Windows XP with SP2 is designed to automatically check the list of trusted authorities on the Microsoft Windows Update Web site when this check is needed by a user's application. Specifically, if the application is presented with a certificate issued by a certification authority that is not directly trusted, the Update Root Certificates component (if present) will contact the Microsoft Windows Update Web site to see if Microsoft has added the certification authority to its list of trusted authorities. If the certification authority has been added to the Microsoft list of trusted authorities, its certificate will automatically be added to the trusted certificate store on the user's computer. Note that the Update Root Certificates component is optional with Windows XP with SP2, that is, it can be removed or excluded from installation on a computer running Windows XP with SP2.


I believe this feature is built-in on the newer Windows versions. BTW: I have had no cert issues on my 2003 server, XP or Vista machines.