Introduction to code signing

Q: Why sign code?
A: To prove that a piece of code came from a certain source, and has not been modified since.

People have been signing code for quite a while now.

To sign a file, you need to have
1. Your Certificate (*.spc) and Private Key (*.pvk)
2. Signing tools
3. The file to sign (winqual.exe in the examples below)

Microsoft provides signing tools as part of the "Microsoft .NET Framework software development kit (SDK) 1.1". The SDK is a 162 MB download from Microsoft.
After you install the SDK, the code signing files will be in "\Program Files\Microsoft.NET\SDK\v1.1\Bin".

Of the many files in that Bin directory, three are of interest to us: signcode.exe, cert2spc.exe and chktrust.exe.

If you have a *.cer file instead of a *.spc, you can use cert2spc.exe to generate a *.spc (Software Publisher Certificate) from it.

I am attaching an earlier version of these tools which we use, from the Authenticode release in '98.
The older version is compatible across all OSes. You might want to use the newer ones just to be safe, though the only relevant difference between the two shows up when signing kernel-mode code, where you have to cross-sign with a certificate approved by Microsoft: the older signtool.exe does not have the /ac option.

Please put the following files into a folder, say C:\Signing
° The contents of the .zip file attached, or the files from the SDK
° Your certificate (mycert.spc or a similar *.spc file), sent to you by Verisign, or generated from a *.cer
° Your Private Key (mykey.pvk or a similar *.pvk file), generated while applying for the Verisign ID

Within a command prompt (Start>Run>cmd), please navigate to the folder and type in
signcode -spc mycert.spc -v mykey.pvk -t http://timestamp.verisign.com/scripts/timstamp.dll winqual.exe

You will need to have internet access, and your firewall should permit signcode.exe to reach VeriSign's timestamping server. You can use Verisign's timestamping service with certificates from any CA (certificate authority).

Later, you can use the chktrust.exe utility to verify that the file is properly signed.
chktrust winqual.exe

The above should normally work. Only if it doesn't, for some reason, are there two things you might need to look at:
a) You might need to combine your certificate and key into a *.pfx (Personal Information Exchange) file using pvk2pfx, and then sign with signtool instead of signcode.
b) Verisign has multiple root certificates, and you may need to use a different one.
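The whole procedure, scripted with the signtool route from step (a), as an added example that is not part of the original page. It assumes signtool.exe, pvk2pfx.exe and (optionally) cert2spc.exe are on PATH, uses the page's placeholder file names (mycert.spc, mykey.pvk, winqual.exe), and takes the PVK password interactively rather than on the command line; the -Cer and -CrossCert parameters are hypothetical conveniences for the *.cer and kernel-mode cases mentioned above.

```powershell
# Added example (not the page's own code). Converts a *.cer to *.spc if needed,
# combines cert + key into a PFX, signs and timestamps the target, then verifies it.
param(
    [string]$Cer       = '',             # optional: *.cer to convert with cert2spc first
    [string]$Spc       = 'mycert.spc',
    [string]$Pvk       = 'mykey.pvk',
    [string]$Pfx       = 'mycert.pfx',   # output of pvk2pfx, step (a) on the page
    [string]$Target    = 'winqual.exe',
    [string]$Timestamp = 'http://timestamp.verisign.com/scripts/timstamp.dll',
    [string]$CrossCert = ''              # optional: Microsoft cross-certificate for kernel-mode code (/ac)
)
$ErrorActionPreference = 'Stop'

# 1. Check that the tools and inputs are really there before touching anything.
foreach ($tool in 'signtool.exe', 'pvk2pfx.exe') {
    if (-not (Get-Command $tool -ErrorAction SilentlyContinue)) {
        throw "$tool not found on PATH; add the SDK Bin folder to PATH first."
    }
}
if ($Cer) {
    # cert2spc wraps one or more *.cer files into a Software Publisher Certificate.
    & cert2spc.exe $Cer $Spc
    if ($LASTEXITCODE -ne 0) { throw "cert2spc failed with exit code $LASTEXITCODE" }
}
foreach ($f in $Spc, $Pvk, $Target) {
    if (-not (Test-Path $f)) { throw "Missing input file: $f" }
}

# 2. Read the password once as a SecureString; the plaintext copy lives only
#    as long as the tool invocations below need it.
$secure = Read-Host -AsSecureString 'PVK / PFX password'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
try {
    # 3. Combine certificate and private key into a PFX (step a). -f overwrites an old PFX.
    & pvk2pfx.exe -pvk $Pvk -pi $plain -spc $Spc -pfx $Pfx -po $plain -f
    if ($LASTEXITCODE -ne 0) { throw "pvk2pfx failed with exit code $LASTEXITCODE" }

    # 4. Sign and timestamp. The timestamp is what keeps the signature valid after
    #    the certificate expires, so a timestamping failure is a hard error here.
    $signArgs = @('sign', '/f', $Pfx, '/p', $plain, '/t', $Timestamp, '/v')
    if ($CrossCert) { $signArgs += @('/ac', $CrossCert) }   # kernel-mode cross-signing
    $signArgs += $Target
    & signtool.exe @signArgs
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }
}
finally {
    $plain = $null
}

# 5. Verify, the same check chktrust.exe performs: /pa applies the default Authenticode
#    policy and /v prints the chain, so you can see which root (step b) actually anchored it.
& signtool.exe verify /pa /v $Target
if ($LASTEXITCODE -ne 0) { throw "Signature on $Target did not verify" }

# PowerShell's own view of the signature, handy for a scripted go/no-go decision.
$sig = Get-AuthenticodeSignature $Target
"{0}: {1} (signer: {2})" -f $Target, $sig.Status, $sig.SignerCertificate.Subject
if ($sig.Status -ne 'Valid') { exit 1 }
```

Run it from the C:\Signing folder described above, e.g. `.\sign.ps1 -Target winqual.exe` or `.\sign.ps1 -Cer mycert.cer` when you only have a *.cer. The resulting mycert.pfx holds the private key and should be stored with the same care as mykey.pvk; the script checks the exit code of every tool so that a failed timestamp or a wrong root is not silently ignored.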

  Code Signing Tools and Resources at www.code-signing-tools.com by Pranab.