As mentioned in the other answers, you will first need to purchase a certificate suitable for code signing. This will cost a few hundred dollars, nowhere near a thousand. When I renewed my company's certificate with Globalsign recently, there was also an investigation to check that the company was legitimate - because I used a mobile number for the registration process, they wanted a letter from the company accountant to verify that we are a real business.
To sign the executable, I use an MSBuild task. Here's an excerpt with the relevant pieces:
<!--
Installer files that need to be signed.
-->
<ItemGroup>
<InstallerSignedFiles Include="$(BuildRoot)path\to\myinstaller.msi"/>
<InstallerSignedFiles Include="$(BuildRoot)path\to\setup.exe"/>
</ItemGroup>
<Target Name="ReleasePackaging">
<!-- Sign the files we're going to release -->
<SignTool
CertificateStoreName="My"
CertificateSubjectName="MyCompany"
Description="My application description"
TimestampServerUrl="http://timestamp.verisign.com/scripts/timstamp.dll"
TargetFiles="@(InstallerSignedFiles)"
/>
</Target>
For this to work as above, you will need to install the certificate into your personal certificate store (see CertificateStoreName="My"
in the above example). On the Globalsign web site, this installation was an automatic part of the certificate download process. Note: I found that it helps to use Internet Explorer when you download the certificate, as it is integrated with the Windows certificate store. Once it is in the certificate store on the download computer, you can export it as a pfx file, transfer it to your build machine, and import it there. If you do export it, I would advise that you protect the exported file with a password in case it falls into the wrong hands.
When you use the SignTool MSBuild task as above, it reads certificates from the personal store ("My") that is associated with the current Windows user account. This means that you can control who can sign code with your certificate, which is a Good Thing. You should only import the certificate into the personal store of developers that you trust.
It's a good idea to use the timestamp server when signing code, so that you don't need to re-sign the code when the certificate expires.