Title: Signing Windows Apps
Subject: Howto sign stuff in Windows
By: John Stile
#===================================================
Steps:
  Generate code signing certificate request
  Purchase certificate (they sign the cert request)
  Import certificate
  Sign using certificate
#===================================================

1. From a Windows computer with Internet Explorer, go to this url:
   http://www.thawte.com/code-signing/content-signing-certificates/microsoft-authenticode/index.html

2. For the Windows Code Signing Certificate, order:
   "Certificates for Organizations", 2 year for $549.
   Click "BUY"

3. Enter this information:
   Company:    Homer Simpson Creations, Inc.
   Department: Silly Products
   City:       Spring Field
   State:      Dysfunciton
   Country:    United States

4. This will install a certificate on your Windows computer.

5. You will need to export the certificate (with its private key) such that I can import it
   into all of our Windows autobuild systems, to set up code signing.
   From this I received thawtecert.pfx, with a password 'mypassword' assigned to it.
   The .pfx holds the private key: anyone who has the file and its password can sign as
   the company, so keep both off shared drives and out of source control.

6. Download the Intermediate Certificates
   https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1406
   Saved the "Code Signing Intermediate CA" as intca.cer
   Saved the "Thawte Primary Intermediate Root CA" as primaryca.cer

7. Read each cert, to verify it was saved properly and to see which CA it holds:
     certutil intca.cer
     certutil primaryca.cer
   (The certutil and certmgr output recorded in steps 8 and 9 disagree with each other about
   which file holds which CA, so go by the Subject that certutil prints for each file rather
   than by the file name.)

8. Import and verify the primary intermediate cert
     certutil -addstore "CA" primaryca.cer
     CA
     Certificate "CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US" added to store.
     CertUtil: -addstore command completed successfully.
   Re-open certmgr.msc
     Action -> Find Certificate -> Serial -> 3365500879ad73e230b9e01d0d7fac91
     Issued To:        thawte Primary Root CA
     Issued By:        Thawte Premium Server CA
     Expiration Date:  12/30/2020
     Intended Purpose:
     Friendly Name:
     Store Found In:   Intermediate Certificate Authorities

9. Import and verify the code signing intermediate cert
     certutil -addstore "CA" intca.cer
     CA
     Certificate "CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US" added to store.
     CertUtil: -addstore command completed successfully.
   Re-open certmgr.msc
     Action -> Find Certificate -> Serial -> 47974d7873a5bcab0d2fb370192fce5e
     Issued To:        Thawte Code Signing CA - G2
     Issued By:        thawte Primary Root CA
     Expiration Date:  2/7/2020
     Intended Purpose: Client Authentication, Code Signing
     Friendly Name:
     Store Found In:   Intermediate Certificate Authorities

10. Import our signed cert
     certutil -p mypassword -importPFX thawtecert.pfx
     Certificate "CN="Homer Simpson Creations, Incs", OU=Digital Products, O="Homer Simpson Creations, Incs", L=Spring Filed, S=Dysfunciton, C=US" added to store.
     CertUtil: -importPFX command completed successfully.

   # NOTE: I couldn't sign (step 11) until I did this:
     certutil -user -addstore "CA" primaryca.cer
     certutil -user -addstore "CA" intca.cer
     certutil -user -p mypassword -importPFX thawtecert.pfx
   (Without -user, certutil writes to the Local Machine stores, while signtool's /n lookup
   searches the current user's "My" store unless /sm is given, so it cannot find the cert.)

11. Signing
   # Below I have a sort of bat script for finding exe files and signing them.
   # First argument is the path to search for exe files (default c:\BuildDir).
   # Second argument is the path to the pfx file (default c:\thawtecert.pfx).
   # SIGNWITH selects the method: "pfx" signs with the .pfx file and its password
   # (signtool /f /p); "import" signs with the cert imported into the user's store
   # in step 10 (signtool /n).

   @echo off
   SetLocal EnableDelayedExpansion

   if "%~1"=="" (
     set SEARCH_DIR="c:\BuildDir"
     echo Sign all exe in default directory !SEARCH_DIR!
   ) else (
     set SEARCH_DIR="%~1"
     echo Sign all exe in !SEARCH_DIR!
   )
   if "%~2"=="" (
     set CERT_FILE="c:\thawtecert.pfx"
     echo Default location of pfx: !CERT_FILE!
   ) else (
     set CERT_FILE="%~2"
     echo Location of pfx: !CERT_FILE!
   )

   set DEBUG=0
   set SIGNWITH="pfx"
   set SIGNTOOL="C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe"
   set CERT_PASS="mypassword"
   set CERT_NAME="Homer Simpson Creations, Incs"
   set TIME_URL="http://timestamp.digicert.com"

   rem Print the settings when debugging. CERT_PASS is deliberately not echoed,
   rem so the password does not end up in build logs.
   if %DEBUG%==1 (
     echo DEBUG=%DEBUG%
     echo SEARCH_DIR=%SEARCH_DIR%
     echo SIGNWITH=%SIGNWITH%
     echo SIGNTOOL=%SIGNTOOL%
     echo CERT_FILE=%CERT_FILE%
     echo CERT_NAME=%CERT_NAME%
     echo TIME_URL=%TIME_URL%
   )

   rem Find all exe files, and sign. "if errorlevel 1" is evaluated at run time,
   rem so it sees each signtool result inside the loop (%ERRORLEVEL% would not).
   for /r %SEARCH_DIR% %%i in (*.exe) do (
     echo [^>^>] Signing %%~nxi with %SIGNWITH%
     if %SIGNWITH%=="pfx" (
       %SIGNTOOL% sign /f %CERT_FILE% /p %CERT_PASS% /t %TIME_URL% /du mydomain.com /d "%%~nxi" "%%~i"
       if errorlevel 1 (
         echo [^^!^^!] Failed Signing %%~nxi
       ) else (
         echo [OK] Success Signing %%~nxi
       )
     ) else if %SIGNWITH%=="import" (
       %SIGNTOOL% sign /n %CERT_NAME% /t %TIME_URL% /du mydomain.com /d "%%~nxi" "%%~i"
       if errorlevel 1 (
         echo [^^!^^!] Failed Signing %%~nxi
       ) else (
         echo [OK] Success Signing %%~nxi
       )
     ) else (
       echo [^^!^^!] SIGNWITH method not recognized^^!
     )
     echo ----------------------------------------------------------------------
   )
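The signing step again, as an added PowerShell example that is not part of the original howto. It does what the batch script above does (sign every .exe under a directory with the .pfx) but verifies each result afterwards, and it uses options that a newer signtool offers: /fd sha256 for the file digest, and /tr with /td sha256 for an RFC 3161 timestamp in place of /t, which requests the legacy Authenticode timestamp. The signtool path, the build directory, the .pfx name and mydomain.com are placeholders assumed for the example. /fd, /tr and /td need the Windows 8 SDK or later, so they are not available in the v7.1 signtool the batch script points at.

```powershell
# Added example (not from the original howto): sign every .exe under a build
# directory with a .pfx, then verify each signature and its timestamp.
# Assumes a Windows 8 SDK or newer signtool.exe; paths and URLs are placeholders.
param(
    [string]$SearchDir    = 'C:\BuildDir',
    [string]$PfxPath      = 'C:\thawtecert.pfx',
    [string]$SignTool     = 'C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe',
    [string]$TimestampUrl = 'http://timestamp.digicert.com',
    [string]$InfoUrl      = 'https://mydomain.com'
)

if (-not (Test-Path -LiteralPath $SignTool)) { throw "signtool.exe not found at $SignTool" }
if (-not (Test-Path -LiteralPath $PfxPath))  { throw "PFX not found at $PfxPath" }

# Prompt for the PFX password instead of hard-coding it in the script, and
# free the decoded copy once it has been turned into a plain string for signtool.
$securePass = Read-Host -Prompt 'PFX password' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePass)
try     { $pfxPass = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

$failed = @()
foreach ($file in Get-ChildItem -LiteralPath $SearchDir -Recurse -Filter '*.exe' -File) {
    $exe = $file.FullName
    Write-Host "[>>] Signing $($file.Name)"

    # /fd sha256: SHA-256 file digest instead of signtool's SHA-1 default.
    # /tr + /td: RFC 3161 timestamp, so the signature stays valid after the
    # signing certificate itself expires.
    & $SignTool sign /f $PfxPath /p $pfxPass /fd sha256 /tr $TimestampUrl /td sha256 `
        /d $file.Name /du $InfoUrl $exe | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "[!!] signtool sign failed on $exe (exit $LASTEXITCODE)"
        $failed += $exe
        continue
    }

    # Verify with the Default Authenticode policy (/pa), the policy Windows
    # applies to software installs; this also checks the chain to a trusted root.
    & $SignTool verify /pa $exe | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "[!!] signtool verify /pa failed on $exe"
        $failed += $exe
        continue
    }

    # Cross-check from PowerShell and confirm a timestamp countersignature exists.
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid') {
        Write-Warning "[!!] $exe : $($sig.StatusMessage)"
        $failed += $exe
        continue
    }
    if ($null -eq $sig.TimeStamperCertificate) {
        Write-Warning "[!!] $exe is signed but carries no timestamp"
        $failed += $exe
        continue
    }
    Write-Host "[OK] $($file.Name) signed by '$($sig.SignerCertificate.Subject)', timestamped by '$($sig.TimeStamperCertificate.Subject)'"
}

$pfxPass = $null
if ($failed.Count -gt 0) {
    Write-Error ("{0} file(s) failed signing or verification: {1}" -f $failed.Count, ($failed -join ', '))
    exit 1
}
Write-Host 'All files signed and verified.'
```

Run it from the build machine as the account that will do the signing, e.g. `.\sign-build.ps1 -SearchDir C:\BuildDir -PfxPath C:\thawtecert.pfx`; the script exits non-zero if any file fails to sign or verify, so an autobuild can stop on it. To sign with the certificate imported into the user's store in step 10 instead of the .pfx file, replace `/f $PfxPath /p $pfxPass` with `/n 'Homer Simpson Creations, Incs'` (add `/sm` if the cert was imported into the Local Machine store rather than with `certutil -user`).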