Minimal Steps to Fake Authenticode Signature (Self-Signing)

Here are the minimum steps required to self-sign an executable for development and testing:

makecert -sv mykey.pvk -n "CN=MyCompany" -len 2048 mycert.cer -r
pvk2pfx -pvk mykey.pvk -spc mycert.cer -pfx mycert.pfx -po mypassword

Note: You'll be prompted to create a certificate password and it must match whatever you supply to pvk2pfx with the -po switch.

To sign an executable, use:

signtool sign /f mycert.pfx /t /v executable.exe

Note: once you have a real code signing certificate, you'll use whatever timestamp server your provider gives you. Comodo works fine for self-signing testing purposes.

To automatically sign a binary at build-time in Visual Studio, add go to your Project Settings | Build Events | Post-Build Event, and add something like this to the Command Line setting:

signtool sign /f MyCertificatePath\mycert.pfx /p mypassword /t /v $(TargetPath)

Explanation of makecert command:

-sv Specifies the private key file.

-n Specifies the certificate name.

-len Generated key length, in bits. This StackOverflow answer indicates that Microsoft released an update blocking certificates with keys under 1024 bits long.

-r Specifies self-signed, i.e. not a root certificate.

About Jeff Fitzsimons

Jeff Fitzsimons is a software engineer in the California Bay Area. Technical specialties include C++, Win32, and multithreading. Personal interests include rock climbing, cycling, motorcycles, and photography.
This entry was posted in Technology, Windows. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *