Getting code signed

Something that has bothered me for a while is the hassle in putting together all the pieces to sign my download files. I finally got around to looking it all up, and it isn't easy as you have to piece all the things together. I hope that this will give you an insight into how it can really work, since I managed to actually achieve what I wanted and sign my code. This article is a list of the steps I had to take, and you will probably need to review the commands yourself if you have problems.
The process

Get a certificate from http://www.ascertia.com/onlineCA/Issuer/CerIssue.aspx who will do a free code signing certificate. Obviously any alternative is good, but this will prove the concept for you, and you can go buy another from them or elsewhere later. The email address is included in the certificate, so use a sensible one you are happy for the world to see. Accept the installation of the certificate into the browser as it won't be emailed even though they say it will. Make sure you choose exportable.

Then get the Microsoft code signing stuff (codesigningx86.exe) from the MSDN web site (Google will find its current location).

Use the certmgr to view your certificate and export it. Export it as a certificate (.cer file), and with the key (.pvk) file. Use cert2spc to convert the cer file into an spc file.

That's the first half of the process done. Now you need a key file compatible with the signcode application. From http://support.globalsign.net/en/objectsign/transform.cfm:
I didn't do that last bit - already did that stage. Note that you are transforming into a PEM file as an intermediate step. I got that bit wrong first time round.

Okay, so now you have all the right bits. You now can just run signcode.exe and use the wizard to check it all works. Select the advanced mode so you can use files, and all should go well. You'll have to enter the password at various points. If it all worked, then we are nearly there.

To actually sign the code, and I used FinalBuilder to make sure it is done each time and every time reliably, you need the following command.
If it fails, then you probably got a path wrong or a missing file or something silly. Took me ages to spot that I'd got an extra letter in a path. Grr.

The only fly in the ointment is that you need to type the password for each file. It's not hard to write an app to do the typing for you, but the security of your password is obviously at risk.

An update: Thanks to Hugo Logmans who also provided the script additions to allow FinalBuilder to check that it worked okay, which ensures that you don't think you signed it.
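A post-signing check of the kind mentioned above can be approximated by confirming that the output file actually carries an embedded Authenticode signature. The following is an added example, not the FinalBuilder script referred to in the article: it reads the PE header and looks at the certificate table entry, so it proves a signature was attached, not that it verifies against a trusted root. The function names and the header-only sample image are constructed for illustration.

```python
import struct

SECURITY_DIR = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY
PKCS_SIGNED_DATA = 0x0002        # WIN_CERT_TYPE_PKCS_SIGNED_DATA

def embedded_signature(data):
    """Return (file_offset, size) of the certificate table, None if unsigned.
    Raises ValueError for malformed input. Presence is not validity."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("not an MZ executable")
        pe = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe:pe + 4] != b"PE\0\0":
            raise ValueError("PE signature not found")
        opt = pe + 24                                  # 4-byte signature + 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional header magic")
        dirs = opt + (96 if magic == 0x10B else 112)   # PE32 / PE32+
        if struct.unpack_from("<I", data, dirs - 4)[0] <= SECURITY_DIR:
            return None
        # For this directory the first field is a file offset, not an RVA.
        off, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
        if off == 0 or size == 0:
            return None
        length, _rev, ctype = struct.unpack_from("<IHH", data, off)
    except struct.error:
        raise ValueError("truncated PE image") from None
    if off + size > len(data) or length > size or ctype != PKCS_SIGNED_DATA:
        raise ValueError("malformed certificate table")
    return off, size

def make_sample(signed):
    """Constructed header-only PE32 image for the demo, not a real program."""
    img = bytearray(64 + 24 + 96 + 8 * 16)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 64)              # e_lfanew
    img[64:68] = b"PE\0\0"
    struct.pack_into("<H", img, 88, 0x10B)             # PE32 magic
    struct.pack_into("<I", img, 88 + 92, 16)           # NumberOfRvaAndSizes
    if signed:
        blob = struct.pack("<IHH", 16, 0x0200, PKCS_SIGNED_DATA) + bytes(8)
        struct.pack_into("<II", img, 88 + 96 + 32, len(img), len(blob))
        img += blob                                    # placeholder bytes, no real PKCS#7
    return bytes(img)

if __name__ == "__main__":
    for label, signed in (("signed", True), ("unsigned", False)):
        print(label, embedded_signature(make_sample(signed)))
```

In a build, a step after signing would read each output file, pass its bytes to `embedded_signature`, and fail the build when the result is `None`.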
Update: After some issues that someone identified with the ascertia certificate on their machine (which I couldn't replicate), I bought a two year certificate from http://www.instantssl.com/code-signing/ which is from a fairly new certificate authority, but is therefore cheap, and is in the XP SP2 root certificates and thus answers the issues.

Update: The codesign executable is a moving target, and is becoming harder to find. So forget the Microsoft codesign executable, and use one that is much easier to use and not only command line compatible but more comprehensive. Give X2Net SignCode a whirl - both GUI and command line options available.

Matthew Jones