Obtain a Software Publisher Certificate
Your Certificate Authority will supply one of the following:
-
a Personal Information Exchange (.pfx) file
a Software Publisher Certificate (.spc), and a Private Key (.pvk) file
a CER-encoded X.509 Certificate (.cer), and a Private Key (.pvk) file
For the second and third case, these file must be converted to a Personal Information Exchange (.pfx), using the Pvk2Pfx.exe tool.
Convert SPC or CER to Personal Information Exchange (.pfx)
Syntax for .spc conversion:
pvk2pfx -pvk filename.pvk -pi password -spc filename.spc -pfx output.pfx
The syntax is identical for .cer conversion:
pvk2pfx -pvk filename.pvk -pi password -spc filename.cer -pfx output.pfx
Sign the Executable
Signtool.exe can be used to sign executables (.exe) and Dynamic Link Libraries (.DLL).
Basic Signature
signtool.exe sign /v /f filename.pvk /p password executable
Signature With Timestamp
signtool.exe sign /v /f filename.pvk /p password /t timeurl executable
Where timeurl is the URL of your Certificate Authority’s timestamp server (e.g. http://timestamp.verisign.com/scripts/timestamp.dll for VeriSign)
Signature Verification
signtool verify /pa executable
/pa indicates that the “Default Authenticode” verification policy is used. Omitting the switch will cause the verification to fail, which does not necessarily mean that a given file isn’t Authenticode signed.
Resources
-
Windows Driver Kit: Device Installation, Software Publisher Certificate (MSDN)
PKCS12 is the successor to PFX.
