views:

166

answers:

4

I'm coding software that requires administrative access. When a UAC dialog pops up, it shows a different popup for digitally signed software than non-signed software. I believe digitally signing my software would enable users to trust my software easier. Does it cost thousands of dollars to digitally sign software, or is it free? Is there a simple way to do it? I've searched around Google and all I get is how to sign PHP, XML, and PDF files, which is not what I want. I need to sign my software executable.

Just saw something about sigtool.exe? Is this the right direction? What about those complicated .pfx files and Authenticode or what not?

+2  A: 

I am not marketing anyone here but try VeriSign. They offer Code signing which is what you are looking for.

J Angwenyi
A: 

You might want to read Signing and Checking Code with Authenticode.

zneak
+5  A: 

As mentioned in the other answers, you will first need to purchase a certificate suitable for code signing. This will cost a few hundred dollars, nowhere near a thousand. When I renewed my company's certificate with Globalsign recently, there was also an investigation to check that the company was legitimate - because I used a mobile number for the registration process, they wanted a letter from the company accountant to verify that we are a real business.

To sign the executable, I use an MSBuild task. Here's an excerpt with the relevant pieces:

<!--
Installer files that need to be signed.
-->
<ItemGroup>
  <InstallerSignedFiles Include="$(BuildRoot)path\to\myinstaller.msi"/>
  <InstallerSignedFiles Include="$(BuildRoot)path\to\setup.exe"/>
</ItemGroup>

<Target Name="ReleasePackaging">
  <!-- Sign the files we're going to release -->
  <SignTool
      CertificateStoreName="My"
      CertificateSubjectName="MyCompany"
      Description="My application description"
      TimestampServerUrl="http://timestamp.verisign.com/scripts/timstamp.dll"
      TargetFiles="@(InstallerSignedFiles)"
     />
</Target>

For this to work as above, you will need to install the certificate into your personal certificate store (see CertificateStoreName="My" in the above example). On the Globalsign web site, this installation was an automatic part of the certificate download process. Note: I found that it helps to use Internet Explorer when you download the certificate, as it is integrated with the Windows certificate store. Once it is in the certificate store on the download computer, you can export it as a pfx file, transfer it to your build machine, and import it there. If you do export it, I would advise that you protect the exported file with a password in case it falls into the wrong hands.

When you use the SignTool MSBuild task as above, it reads certificates from the personal store ("My") that is associated with the current Windows user account. This means that you can control who can sign code with your certificate, which is a Good Thing. You should only import the certificate into the personal store of developers that you trust.

It's a good idea to use the timestamp server when signing code, so that you don't need to re-sign the code when the certificate expires.

RichTea
marius
I've corrected the spelling in the code sample.
RichTea
@Rich I only see a [SignFile](http://msdn.microsoft.com/en-us/library/ms164304.aspx) task. What is this "SignTool" task you speak of?
Will
@Will, it's a custom MSBuild task that I created to wrap signtool.exe. Basically it subclasses [ToolTask](http://msdn.microsoft.com/en-us/library/microsoft.build.utilities.tooltask.aspx) which means there's barely any work involved. The source is too big to post in a comment but I could email it to you if you like, contact rich [at] prabang [dot] co [dot] uk
RichTea
A: 

You'll need the code-signing command line utility from Microsoft.

And then:

signtool.exe sign /v /f "MyCertificate.pfx" -t "http://timestamp.verisign.com/scripts/timstamp.dll" "MyApp.exe"

or alternativly

signcode.exe -a "sha1" -spc "MySoftwarePublishingCertificate.spc" -v "MyPrivateKeyFile.pvk" -t "http://timestamp.verisign.com/scripts/timstamp.dll" "MyApp.exe"
Ian Boyd