Windows/codesign
From Attie's Wiki
Latest revision as of 23:53, 25 November 2015
=How to Sign a Binary for Windows=

The tools used below (makecert, certmgr, pvk2pfx and signtool) come with the Microsoft SDKs. In my case, they can be found here: <code>C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\</code>.

What this produces is a private test-signing chain: a self-made root installed into the local machine's trust store, a code-signing certificate issued by it, and an Authenticode signature on the binary. The signature is only trusted on machines where that root has been installed; for software shipped to other people you need a certificate from a publicly trusted CA. Note also that makecert and pvk2pfx are legacy tools that Microsoft has since deprecated in favour of the PowerShell <code>New-SelfSignedCertificate</code> cmdlet and <code>certreq</code>, but they still work from the SDK listed above.
===Preparation===

The commands below are typed into a cmd.exe prompt. Installing into the <code>localMachine</code> store later on requires an elevated prompt, so open it as Administrator.

<source lang="winbatch">
rem Work in a scratch directory under the user profile. %HOMEDRIVE% on its own
rem switches the current drive so that the following cd takes effect.
%HOMEDRIVE%
mkdir %HOMEPATH%\sign_bin
cd %HOMEPATH%\sign_bin

rem makecert, certmgr, pvk2pfx and signtool live in the SDK Bin directory
set PATH=%PATH%;C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\

rem Placeholders: the password protects the exported private key (the .pfx),
rem so replace test123 with something real, and point BINARY_TO_SIGN at the
rem file you want to sign.
set SUPER_SECURE_PASSWORD=test123
set BINARY_TO_SIGN=\path\to\bin.exe
</source>
===Generate and Install a Root Certificate===

makecert opens a dialog asking for a password for the new <code>.pvk</code> file; the commands below assume you choose "None" (the later pvk2pfx step would otherwise need <code>-pi &lt;password&gt;</code>). Whoever holds <code>%COMPUTERNAME%.pvk</code> can issue certificates that this machine will trust for anything, so keep it out of shared or version-controlled locations.

<source lang="winbatch">
rem Self-signed (-r) CA certificate (-cy authority) with an exportable (-pe)
rem 4096-bit RSA key and a SHA-512 signature. The private key goes to
rem %COMPUTERNAME%.pvk, the certificate to %COMPUTERNAME%.cer.
makecert ^
  -n "CN=My Root Cert,O=%COMPUTERNAME%" ^
  -r ^
  -pe ^
  -a sha512 ^
  -len 4096 ^
  -cy authority ^
  -sv %COMPUTERNAME%.pvk ^
  %COMPUTERNAME%.cer

rem Install the certificate (not the key) into the machine-wide Trusted Root
rem Certification Authorities store. Requires an elevated prompt.
certmgr.exe -add %COMPUTERNAME%.cer -s -r localMachine root
</source>
===Generate and Install a Task-Specific Certificate (signed by the root certificate)===

The leaf certificate is what actually signs binaries. It is restricted to the Code Signing extended key usage (<code>1.3.6.1.5.5.7.3.3</code>), so even if it leaks it cannot be used for, say, TLS server authentication on a machine that trusts the root.

<source lang="winbatch">
rem Issue a code-signing certificate from the root: -iv/-ic name the issuer's
rem private key and certificate, -sky signature makes it a signing key, and
rem -eku 1.3.6.1.5.5.7.3.3 limits it to Code Signing.
makecert ^
  -n "CN=codesign@%COMPUTERNAME%" ^
  -iv %COMPUTERNAME%.pvk ^
  -ic %COMPUTERNAME%.cer ^
  -pe ^
  -a sha512 ^
  -len 4096 ^
  -sky signature ^
  -eku 1.3.6.1.5.5.7.3.3 ^
  -sv codesign@%COMPUTERNAME%.pvk ^
  codesign@%COMPUTERNAME%.cer

rem Bundle key and certificate into a password-protected PFX (PKCS #12) file,
rem which is the form signtool consumes. Add -pi <password> here if you gave
rem the .pvk a password in the makecert dialog.
pvk2pfx ^
  -pvk codesign@%COMPUTERNAME%.pvk ^
  -spc codesign@%COMPUTERNAME%.cer ^
  -pfx codesign@%COMPUTERNAME%.pfx ^
  -po %SUPER_SECURE_PASSWORD%

rem Optional: install the certificate and private key into your user's
rem "Personal" certificate store. This launches the interactive Certificate
rem Import Wizard. The signing step below reads the .pfx directly with /f,
rem so it works without this import.
rundll32.exe cryptext.dll,CryptExtAddPFX codesign@%COMPUTERNAME%.pfx
</source>
===Sign the Binary===

The <code>/t</code> option asks a third-party timestamp server to countersign, which lets the signature remain valid after the signing certificate expires; signtool needs network access to that URL and fails if it is unreachable. <code>/d</code> sets the description string that Windows shows alongside the signature (for example in the UAC prompt); this page simply reuses the binary's path for it.

<source lang="winbatch">
signtool ^
  sign ^
  /t http://timestamp.verisign.com/scripts/timstamp.dll ^
  /f "codesign@%COMPUTERNAME%.pfx" ^
  /p %SUPER_SECURE_PASSWORD% ^
  /d %BINARY_TO_SIGN% ^
  /fd SHA512 ^
  %BINARY_TO_SIGN%
</source>

<code>/fd SHA512</code> selects the digest algorithm used for the Authenticode file hash; leave it out and signtool falls back to its default (SHA-1 on older SDKs).
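Having signed the file, it is worth checking the result rather than trusting that signtool exited cleanly. The following cmd script is an added example and is not part of the original page; it assumes the variables and PATH from the Preparation step and that the root from the earlier section is installed in the <code>localMachine</code> root store. It verifies the signature under the Authenticode policy, confirms the signer chains to our own root (not merely to some root the machine already trusted), checks that a timestamp is present, and finally shows that a byte appended to a copy of the binary is detected.

```batch
@echo off
rem Added verification script (not from the original page). Assumes the
rem variables and PATH set in "Preparation" and that "My Root Cert" from the
rem root-certificate step is installed in the localMachine root store.
setlocal
set BINARY_TO_SIGN=\path\to\bin.exe
set ROOT_CN=My Root Cert

rem 1. Verify under the Default Authenticode policy (/pa). Without /pa,
rem    signtool applies the Windows driver-signing policy, which a home-made
rem    root does not satisfy, so the check fails even for a sound signature.
signtool verify /pa /v "%BINARY_TO_SIGN%"
if errorlevel 1 (
    echo FAIL: signature invalid or chain not trusted on this machine
    exit /b 1
)

rem 2. The signer must chain to OUR root. A valid chain to any other trusted
rem    root would also pass step 1, so grep the verbose chain dump for it.
signtool verify /pa /v "%BINARY_TO_SIGN%" | findstr /c:"%ROOT_CN%" >nul
if errorlevel 1 (
    echo FAIL: signature is valid but does not chain to "%ROOT_CN%"
    exit /b 1
)

rem 3. A timestamp countersignature should be present; without one the
rem    signature stops verifying once the signing certificate expires.
signtool verify /pa /v "%BINARY_TO_SIGN%" | findstr /i /c:"timestamp" >nul
if errorlevel 1 (
    echo WARN: no timestamp found; signature will expire with the certificate
)

rem 4. Negative test: a modified copy must fail. Bytes appended after the
rem    certificate table are covered by the Authenticode hash, so one extra
rem    byte is enough to invalidate the signature.
copy /y "%BINARY_TO_SIGN%" "%TEMP%\tampered.exe" >nul
echo x>>"%TEMP%\tampered.exe"
signtool verify /pa /q "%TEMP%\tampered.exe" >nul 2>&1
if not errorlevel 1 (
    echo FAIL: tampered copy still verifies
    del "%TEMP%\tampered.exe"
    exit /b 1
)
del "%TEMP%\tampered.exe"

echo OK: valid Authenticode signature chaining to "%ROOT_CN%", tampering detected
exit /b 0
```

Run it from the same elevated prompt after the signing step. If step 1 fails on another machine, that is expected: the root certificate is only trusted where <code>certmgr.exe -add ... localMachine root</code> has been run.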