Using Certificates and Signtool
September 12th, 2008 | by Jeff Fitzsimons
Obtain a Software Publisher Certificate
Your Certificate Authority will supply one of the following:
- a Personal Information Exchange (.pfx) file
- a Software Publisher Certificate (.spc), and a Private Key (.pvk) file
- a CER-encoded X.509 Certificate (.cer), and a Private Key (.pvk) file
For the second and third cases, these files must be converted to a Personal Information Exchange (.pfx) file before signtool can use them.
Convert SPC or CER to Personal Information Exchange (.pfx)
Syntax for .spc conversion:
pvk2pfx -pvk filename.pvk -pi password -spc filename.spc -pfx output.pfx
The syntax is identical for .cer conversion:
pvk2pfx -pvk filename.pvk -pi password -spc filename.cer -pfx output.pfx
Sign the Executable
Signtool.exe can be used to sign executables (.exe) and Dynamic Link Libraries (.DLL).
Basic Signature
signtool.exe sign /v /f filename.pfx /p password executable
Signature With Timestamp
signtool.exe sign /v /f filename.pfx /p password /t url executable
Where url is the URL of your Certificate Authority's timestamp server (e.g. http://timestamp.verisign.com/scripts/timestamp.dll for VeriSign). A timestamp lets the signature remain valid after the signing certificate itself expires.
Signature Verification
signtool verify /pa executable
/pa selects the “Default Authenticode” verification policy. Omitting the switch makes signtool apply the Windows Driver Verification Policy instead, so verification fails for an ordinary application signature; that failure does not necessarily mean that a given file isn’t Authenticode signed.
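The whole procedure above (optional .pvk/.spc conversion, timestamped signing, and verification under the Default Authenticode policy) as one PowerShell script. This is an added example, not code from the original post; it assumes pvk2pfx.exe and signtool.exe from the Windows SDK are on PATH, and every path and password below is a placeholder. The /fd SHA256 switch and the -po option are real tool options not shown on the page, and Get-AuthenticodeSignature is used only as an independent cross-check of what signtool reports.

```powershell
# Added example (not from the original post): the page's procedure end to end.
# Assumptions: signtool.exe and pvk2pfx.exe are on PATH; all paths/passwords
# are placeholders to replace before use.
param(
    [string]$Executable   = 'C:\build\MyApp.exe',           # placeholder
    [string]$Pfx          = 'C:\certs\publisher.pfx',       # placeholder
    [string]$PfxPassword  = 'PLACEHOLDER_PFX_PASSWORD',     # placeholder
    [string]$Pvk          = '',                             # set with -Spc to convert first
    [string]$Spc          = '',                             # .spc or .cer; both go to -spc (as on the page)
    [string]$PvkPassword  = 'PLACEHOLDER_PVK_PASSWORD',     # placeholder
    [string]$TimestampUrl = 'http://timestamp.verisign.com/scripts/timestamp.dll'
)

# Step 1 (only when the CA supplied .pvk + .spc/.cer): build the .pfx.
# -pi is the .pvk password, -po the password set on the new .pfx.
if ($Pvk -and $Spc) {
    & pvk2pfx -pvk $Pvk -pi $PvkPassword -spc $Spc -pfx $Pfx -po $PfxPassword
    if ($LASTEXITCODE -ne 0) { throw "pvk2pfx failed with exit code $LASTEXITCODE" }
}

# Step 2: sign with a timestamp so the signature outlives certificate expiry.
# /fd SHA256 (newer switch, not on the page) selects the file digest algorithm.
& signtool sign /v /fd SHA256 /f $Pfx /p $PfxPassword /t $TimestampUrl $Executable
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Step 3: verify under the Default Authenticode policy. Without /pa signtool
# applies the Windows Driver Verification Policy and an application signature
# fails even though it is valid, which is the trap the page warns about.
& signtool verify /pa /v $Executable
$verifyExit = $LASTEXITCODE   # 0 = verified, non-zero = failed or warnings

# Cross-check with PowerShell's own Authenticode reader: Status should be
# 'Valid' and a timestamper certificate should be present.
$sig = Get-AuthenticodeSignature -FilePath $Executable
[pscustomobject]@{
    File               = $Executable
    SigntoolVerifyExit = $verifyExit
    Status             = $sig.Status                    # Valid / NotSigned / HashMismatch ...
    Signer             = $sig.SignerCertificate.Subject
    SignerThumbprint   = $sig.SignerCertificate.Thumbprint
    Timestamped        = [bool]$sig.TimeStamperCertificate
}
if ($verifyExit -ne 0 -or $sig.Status -ne 'Valid') {
    throw "Signature check failed (signtool exit $verifyExit, status $($sig.Status))"
}
```

Run it as `.\sign-and-verify.ps1 -Executable .\MyApp.exe -Pfx .\publisher.pfx -PfxPassword '<pw>'`, or add `-Pvk` and `-Spc` to perform the conversion first. The final object gives an operator both signtool's verdict and the signer thumbprint, which is what a release checklist or a detection rule for unexpected signers would record.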
Resources
- Windows Driver Kit: Device Installation, Software Publisher Certificate (MSDN)
PKCS12 is the successor to PFX.