Here are the minimum steps required to self-sign an executable for development and testing:
makecert -r -sv mykey.pvk -n "CN=MyCompany" -len 2048 mycert.cer
pvk2pfx -pvk mykey.pvk -spc mycert.cer -pfx mycert.pfx -po mypassword
Note: You’ll be prompted to create a certificate password and it must match whatever you supply to pvk2pfx with the -po switch.
To sign an executable, use:
signtool sign /f mycert.pfx /p mypassword /t http://timestamp.comodoca.com/authenticode /v executable.exe
Note: once you have a real code signing certificate, you’ll use whatever timestamp server your provider gives you. Comodo works fine for self-signing testing purposes.
To automatically sign a binary at build-time in Visual Studio, go to your Project Settings | Build Events | Post-Build Event, and add something like this to the Command Line setting:
signtool sign /f MyCertificatePath\mycert.pfx /p mypassword /t http://timestamp.comodoca.com/authenticode /v "$(TargetPath)"
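A post-build script built around the command above, as an added example that is not part of the original post: it takes the PFX password from an environment variable rather than the project file, runs the same signtool command, and reads the signature back from the output file. The script name Sign-Build.ps1, the SIGN_PFX_PASSWORD variable and the parameter names are assumptions.

```powershell
# Sign-Build.ps1 (added example; the script name, parameter names and the
# SIGN_PFX_PASSWORD environment variable are hypothetical)
param(
    [Parameter(Mandatory = $true)][string] $TargetPath,
    [string] $PfxPath         = 'MyCertificatePath\mycert.pfx',
    [string] $ExpectedSubject = 'CN=MyCompany',
    [string] $TimestampUrl    = 'http://timestamp.comodoca.com/authenticode'
)
$ErrorActionPreference = 'Stop'

# Take the PFX password from the build environment so it is not stored
# in the project file alongside the post-build command.
$pfxPassword = $env:SIGN_PFX_PASSWORD
if ([string]::IsNullOrEmpty($pfxPassword)) {
    throw 'SIGN_PFX_PASSWORD is not set; refusing to sign.'
}
if (-not (Test-Path -LiteralPath $PfxPath)) {
    throw "PFX not found: $PfxPath"
}

# Same signtool invocation as in the post, with the password passed in.
& signtool sign /f $PfxPath /p $pfxPassword /t $TimestampUrl /v $TargetPath
if ($LASTEXITCODE -ne 0) {
    throw "signtool sign failed with exit code $LASTEXITCODE"
}

# Read the signature back and fail the build if it is missing or damaged.
$sig    = Get-AuthenticodeSignature -FilePath $TargetPath
$status = [string]$sig.Status
if ($status -eq 'NotSigned' -or $status -eq 'HashMismatch') {
    throw "Signature check failed: $status - $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Subject -ne $ExpectedSubject) {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}
if ($null -eq $sig.TimeStamperCertificate) {
    Write-Warning 'No timestamp countersignature found on the file.'
}

# A self-signed test certificate that this machine does not trust will not
# report 'Valid' here, so the status is printed rather than enforced.
Write-Host "Signed by $($sig.SignerCertificate.Subject); status: $status"
```

In the Post-Build Event, call it with: powershell -NoProfile -File Sign-Build.ps1 -TargetPath "$(TargetPath)"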
Explanation of makecert command:
-sv Specifies the private key file.
-n Specifies the certificate name.
-len Generated key length, in bits. This StackOverflow answer indicates that Microsoft released an update blocking certificates with keys under 1024 bits long.
-r Specifies self-signed, i.e. not a root certificate.