Windows/codesign
From Attie's Wiki
Latest revision as of 23:53, 25 November 2015
How to Sign a Binary for Windows
The tools used below come with the Microsoft SDKs.
In my case, they can be found here: C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\
Preparation
<source lang="dos">
rem Work from a scratch directory under the user profile and put the SDK tools on PATH
%HOMEDRIVE%
mkdir %HOMEPATH%\sign_bin
cd %HOMEPATH%\sign_bin
set PATH=%PATH%;C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\
set SUPER_SECURE_PASSWORD=test123
set BINARY_TO_SIGN=\path\to\bin.exe
</source>
Generate and Install a Root Certificate
<source lang="dos">
rem Self-signed (-r) CA certificate (-cy authority); the private key goes to the .pvk file
makecert ^
  -n "CN=My Root Cert,O=%COMPUTERNAME%" ^
  -r ^
  -pe ^
  -a sha512 ^
  -len 4096 ^
  -cy authority ^
  -sv %COMPUTERNAME%.pvk ^
  %COMPUTERNAME%.cer

rem Trust the new root machine-wide by adding it to the Local Machine "Trusted Root" store
certmgr.exe -add %COMPUTERNAME%.cer -s -r localMachine root
</source>
Generate and Install a Task-Specific Certificate (signed by the root certificate)
<source lang="dos">
rem Leaf certificate issued by the root above (-iv/-ic), restricted to Code Signing (-eku 1.3.6.1.5.5.7.3.3)
makecert ^
  -n "CN=codesign@%COMPUTERNAME%" ^
  -iv %COMPUTERNAME%.pvk ^
  -ic %COMPUTERNAME%.cer ^
  -pe ^
  -a sha512 ^
  -len 4096 ^
  -sky signature ^
  -eku 1.3.6.1.5.5.7.3.3 ^
  -sv codesign@%COMPUTERNAME%.pvk ^
  codesign@%COMPUTERNAME%.cer

rem Bundle certificate and private key into a password-protected PFX for signtool
pvk2pfx ^
  -pvk codesign@%COMPUTERNAME%.pvk ^
  -spc codesign@%COMPUTERNAME%.cer ^
  -pfx codesign@%COMPUTERNAME%.pfx ^
  -po %SUPER_SECURE_PASSWORD%

rem Install the certificate and private key to your User's "Personal" certificates store
rundll32.exe cryptext.dll,CryptExtAddPFX codesign@%COMPUTERNAME%.pfx
</source>
Sign the Binary
<source lang="dos">
rem /t adds a timestamp so the signature stays valid after the certificate expires;
rem /d is the description shown to the user (the binary path is reused here);
rem /fd selects the file digest algorithm
signtool ^
  sign ^
  /t http://timestamp.verisign.com/scripts/timstamp.dll ^
  /f "codesign@%COMPUTERNAME%.pfx" ^
  /p %SUPER_SECURE_PASSWORD% ^
  /d %BINARY_TO_SIGN% ^
  /fd SHA512 ^
  %BINARY_TO_SIGN%
</source>
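To check the result, here is a PowerShell script added to this page (it is not part of the original wiki procedure) that verifies the signed binary the way a consumer would: the signature must be valid, the signer must carry the Code Signing EKU set with `-eku`, the chain must end at the root `.cer` generated above, and a timestamp must be present. It assumes it is run from the `sign_bin` directory with `BINARY_TO_SIGN` set and `%COMPUTERNAME%.cer` present.

```powershell
# Added verification script (not from the original page). Assumes it is run from
# %HOMEPATH%\sign_bin with BINARY_TO_SIGN set and %COMPUTERNAME%.cer present.
param(
    [string]$Binary  = $env:BINARY_TO_SIGN,
    [string]$RootCer = "$env:COMPUTERNAME.cer"
)
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # same OID as 'makecert -eku' above
$problems = @()
$sig = Get-AuthenticodeSignature -FilePath $Binary

# 1. Windows must accept the signature: hash matches and the chain is trusted.
if ($sig.Status -ne 'Valid') {
    $problems += "status '$($sig.Status)': $($sig.StatusMessage)"
}

$signer = $sig.SignerCertificate
if (-not $signer) {
    $problems += 'no signer certificate in the file'
} else {
    # 2. The signer must carry the Code Signing EKU, not just any certificate.
    $ekus = $signer.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
    if ($ekus -notcontains $CodeSigningEku) {
        $problems += 'signer certificate lacks the Code Signing EKU'
    }

    # 3. The chain must end at our own root, compared by thumbprint rather than by name.
    $expectedRoot = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCer
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # the self-made root publishes no CRL
    $null = $chain.Build($signer)
    $actualRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($actualRoot.Thumbprint -ne $expectedRoot.Thumbprint) {
        $problems += "chain ends at '$($actualRoot.Subject)', not the root in $RootCer"
    }
}

# 4. A timestamp (signtool /t) keeps the signature valid after the cert expires.
if (-not $sig.TimeStamperCertificate) {
    $problems += 'signature carries no timestamp'
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $Binary is signed by '$($signer.Subject)'"
    exit 0
}
$problems | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

A non-zero exit code means at least one of the four checks failed, so the script can gate a build step.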