forum.vdsworld.com

PGWARE · **Web Host** Joined: 29 Dec 2001 Posts: 1564

How to use SignTool.exe to sign your exe's with a digital certificate

1. Download the Windows Server 2003/2008 Platform SDK http://www.microsoft.com/downloads/details.aspx?FamilyId=A55B6B43-E24F-4EA3-A93E-40C0EC4F68E5&displaylang=en. This file contains the code signing certificate files needed as well as other SDK's.

2. After downloading and installing you will find the SIGNTOOL.EXE and PVK2PFX.EXE files within the directory typically found at: C:\Program Files\Microsoft SDKs\Windows\v6.1\bin\ . Copy these two files somewhere else, you can uninstall the SDK if you wish then.

3. Purchase a Code Signing Digital Certificate. Verisign, Thawte and Comodo offer them. Typically range in price from $100 - $500 per year. Verisign is the most expensive, Thawte offers the same compatibilites as Verisigns and costs less; and finally Comodo offers the cheapest but their certificate is not valid on Windows 95/98/Me machines unless that computer has been updated with Windows Update with new root certificates. You choose - I recommend Thawte.

4. After you purchase a certificate, it will take approximately 2-3 business days before you receive your .SPC code signing certificate. However you may receive a .PVK private key file before. This private key file usually contains your password that you use when signing certifiates. SAVE BOTH OF THESE FILES, and store them in a safe area - also REMEMBER the password on the .PVK file. You do not have to set a password on the PVK file but it is strongly recommended; if you choose not to then on the commands mentioned below you should not use the password parameters.

5. In order to use signtool.exe you need to merge the two files. I will call them MYCERT.spc, and MYKEY.pvk (they may be called something else but the extensions should be the same); you received these two files above in step 4 from the certificate company.

To merge the files use the commandline window in Windows:

PVK2PFX.EXE -pvk MYKEY.pvk -spc MYCERT.spc -pfx MYPFX.pfx -pi PASSWORD

* MYKEY.pvk, MYCERT.spc are the private key and certificates you purchased - rename them above to what your files are named. MYPFX.pfx is the name of the file you wish to save the newly created file as - you will use this file in the future so once its finished BACK IT UP AND SAVE IT SAFELY. Finally the PASSWORD parameter should be the same password you used when you purchased the certificate and is set on your MYKEY.pvk file.

6. With your new MYPFX.pfx file you can now sign your exe's, dll's using this commandline:

SIGNTOOL.EXE sign /f MYPFX.pfx /p PASSWORD /d "Software Description" /du http://www.yoururl.com/ /t http://timestamp.verisign.com/scripts/timstamp.dll FILENAME.EXE

* Again MYPFX.pfx is the new pfx file that you created in step 5 above. PASSWORD is the same password as you set on your PVK file when you purchased the certificate. You can change the Software Description and the URL to anything you like. Finally FILENAME is the file and path to the exe you want to digitally sign. This also will sign your file with a timestamp - so even when the certificate expires the signed exe will still work with a valid signature.

More information on SIGNTOOL: http://msdn2.microsoft.com/en-us/library/8s9b9yaz.aspx

jules · Posted: Tue Mar 25, 2008 2:26 pm Post subject:

An even easier way to do this is to use Tech-Pro CodeSign, which as a matter of interest was written in VDS 6! It provides a GUI for code signing, you can sign executables using drag and drop, and there are even links to download the code signing tools if you don't already have them. If you don't feel like buying a code signing certificate right away you can even generate a self signed certificate to experiment with.

At Tech-Pro.net there is an article about Authenticode code signing, and also some descriptions of the process of buying and installing a certificate from Comodo.

Regarding Prakash's warning about Comodo certificates, I really wouldn't have thought Windows 98 or earlier PCs that have never been updated are worth worrying about. I have been signing all my executables with a Comodo certificate for the last two years and have never encountered a problem. Most developers don't even support Windows 9x/Me nowadays so I really don't consider it to be an issue.

PGWARE · **Web Host** Joined: 29 Dec 2001 Posts: 1564

Hi Jules

Great tool and article; I didn't notice them before, much more detailed. I agree that Windows 9x/me are not really viable platforms but listed it for those that still want to develop for those older platforms.

WidgetCoder · Posted: Tue Apr 13, 2010 12:28 am Post subject: Code Signing Cert

I recently shopped around for low cost Code Signing and server SSL certificates and found a good deal and thought I should share.

StartSSL:
http://www.startssl.com/

They only charge $49(every 2 years) for individual or organizational identity verification and then supply: unlimited Class 2 server SSL, Code Signing, and S/MIME client certs. They also offer class 3 certs for $149 with the same stuff.

They have a code signing how-to on their forum:
http://forum.startcom.org/viewtopic.php?f=15&t=1654&sid=82b764771296b02c535cda9c08d4c4c5
I used the second (signtool.exe) example on a couple of exe's and it worked great...

PGWARE · **Web Host** Joined: 29 Dec 2001 Posts: 1564

Nice find, as long as their root certificates are installed on Windows 2003+ then it should be fine.

WidgetCoder · XP SP2 (August 06, 2004)

Yes sir, I had similar concerns until discovering that Microsoft's "Update Root Certificate Component" was installed an enabled by default in their 2004 service packs. Users could of course disable this component although I would assume that would be a very small portion of the users out there.

Copied from MS TechNet:

Windows Server 2003 SP1 (July 31, 2004)

cnodnarb · Posted: Tue Apr 06, 2021 5:56 pm Post subject:

Time keeps on ticking ticking ticking.... into the future.....