All geek questions in one place

Windows Code-Signing Process and Alternative MS signtool.exe?

Using a compiler other than Microsoft, I wrote a small application for Windows that I would like to give away for free or sell for some trivial amount ($ 5). The program does not use the registry, but I would like to provide it as an installer executable file (for example, MyAppInstall.exe) created using freely available tools (for example, InnoSetup).

From Signing a Windows EXE file and other sources, I understand the following:

  • If I do not sign the installer, Windows will display a warning dialog box warning the user that the publisher is unknown, and prompting them not to run the software. This is undesirable.

  • If I sign the installer with a self-certified key, the pop-up dialog will at least provide the publisher name instead of "unknown". He will say that the publisher cannot be verified or the publisher is not trusted. This is probably a little better than being described as an unknown publisher.

  • If I pay $ 100 each year to CA, I can get a code signing certificate that allows me to give away useful free software that can be easily installed - without the appearance of scary and delayed dialogs.

  • I can use the Windows version of OpenSSL to create a self-signed key to sign the code. Thus, I do not need to download the 590 MB SDK installation file from MS to get Microsoft makecert.exe

  • Catch 22: The only code signing tool I've heard about is signtool.exe , which can only be obtained by downloading and installing at least 590 MB of other things (SDKs).

Q: Is there an alternative to Microsoft signtool.exe

+3
source share
4 answers

There is kSign , and their blog also has an article on how to integrate with Inno Setup .

This is not a complete replacement for signtool (i.e. it will not sign .cat and .sys files involved in signing driver packages), but it will digitally sign EXE, DLL, COM, CAB and OCX files.

+7
source

An alternative to signtool is Mono signcode . The Mozilla Developer Network has a very useful article on converting your certificate to SPC / PVK format and signing your EXE with Authenticode:

Convert PFX to SPC / PVK

 openssl pkcs12 -in authenticode.pfx -nocerts -nodes -out key.pem openssl rsa -in key.pem -outform PVK -pvk-strong -out authenticode.pvk openssl pkcs12 -in authenticode.pfx -nokeys -nodes -out cert.pem openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out authenticode.spc

Sign EXE

 signcode \ -spc authenticode.spc \ -v authenticode.pvk \ -a sha1 -$ commercial \ -n My\ Application \ -i http://www.example.com/ \ -t http://timestamp.verisign.com/scripts/timstamp.dll \ -tr 10 \ MyApp.exe

Secret phrases

Unlike signtool , which accepts a passphrase as a command line argument, it seems that signcode should include a signcode on standard input. I was able to use signcode [arguments] < passphrase.txt .

+3
source

Catch 22: The only code signing tool I've heard about is signtool.exe, which can only be obtained by downloading and installing at least 590 MB of other material (SDK).

Not. You do not need to install the entire SDK to install signtool.exe. Use the SDK web installer and select "Tools" installation only.

However, the bad news does not mean that the signature tool will help you bypass the Windows warning if you do not have a certificate with a CA certificate, because it is impossible to create something out of nothing. The good news is that many CAs provide free open source code signing certificates, but you should use them to sign only FREE software. So, this is your choice: pay CA and continue selling your software, or don’t pay or distribute it for free. It looks fair enough.

0
source

Try this free application , which also allows you to set other properties of a signed executable file, such as company name, data, product name, etc.

0
source

Source: https://habr.com/ru/post/1496822/

More articles:


All Articles