Windows/codesign
From Attie's Wiki
Revision as of 23:50, 25 November 2015
How to Sign a Binary for Windows
The tools used below come with the Microsoft SDKs.
In my case, they can be found here: C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\.
Preparation
<source lang="winbatch">
%HOMEDRIVE%
mkdir %HOMEPATH%\sign_bin
cd %HOMEPATH%\sign_bin
set PATH=%PATH%;C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\
set SUPER_SECURE_PASSWORD=test123
set BINARY_TO_SIGN=\path\to\bin.exe
</source>
Generate and Install a Root Certificate
<source lang="winbatch">
rem Self-signed (-r) CA certificate (-cy authority); the private key goes to the .pvk file
makecert ^
  -n "CN=My Root Cert,O=%COMPUTERNAME%" ^
  -r ^
  -pe ^
  -a sha512 ^
  -len 4096 ^
  -cy authority ^
  -sv %COMPUTERNAME%.pvk ^
  %COMPUTERNAME%.cer

rem Install the root into the machine-wide Trusted Root store so signatures chaining to it are trusted
certmgr.exe -add %COMPUTERNAME%.cer -s -r localMachine root
</source>
Generate and Install a Task-Specific Certificate (signed by the root certificate)
<source lang="winbatch">
rem Leaf certificate issued by the root above (-iv/-ic), restricted to the Code Signing EKU
makecert ^
  -n "CN=codesign@%COMPUTERNAME%" ^
  -iv %COMPUTERNAME%.pvk ^
  -ic %COMPUTERNAME%.cer ^
  -pe ^
  -a sha512 ^
  -len 4096 ^
  -sky signature ^
  -eku 1.3.6.1.5.5.7.3.3 ^
  -sv codesign@%COMPUTERNAME%.pvk ^
  codesign@%COMPUTERNAME%.cer

rem Bundle the key and certificate into a password-protected PFX for signtool
pvk2pfx ^
  -pvk codesign@%COMPUTERNAME%.pvk ^
  -spc codesign@%COMPUTERNAME%.cer ^
  -pfx codesign@%COMPUTERNAME%.pfx ^
  -po %SUPER_SECURE_PASSWORD%

rem Import the PFX into the current user's personal store
rundll32.exe cryptext.dll,CryptExtAddPFX codesign@%COMPUTERNAME%.pfx
</source>
Sign the Binary
<source lang="winbatch">
signtool ^
  sign ^
  /t http://timestamp.verisign.com/scripts/timstamp.dll ^
  /f "codesign@%COMPUTERNAME%.pfx" ^
  /p %SUPER_SECURE_PASSWORD% ^
  /d %BINARY_TO_SIGN% ^
  %BINARY_TO_SIGN%
</source>
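Once the binary is signed, a check that the result actually chains to the root installed above (and carries the Code Signing EKU the leaf was issued with) is worth running. The script below is an added example, not part of the wiki page; it assumes a PowerShell session on the machine where the root .cer was installed and takes the signed file's path as its only parameter.

```powershell
# Added verification helper (not from the wiki page). Assumes the binary was
# signed with the codesign@%COMPUTERNAME% PFX from this page and that the root
# .cer was imported into the LocalMachine Root store as shown above.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$sig = Get-AuthenticodeSignature -FilePath $Path

# 'Valid' means the hash verifies AND the chain ends in a trusted root.
# A "not trusted" status usually means the root .cer was never installed.
if ($sig.Status -ne 'Valid') {
    Write-Host "Signature status: $($sig.Status) - $($sig.StatusMessage)"
    exit 1
}

$cert = $sig.SignerCertificate
Write-Host "Signer subject : $($cert.Subject)"
Write-Host "Issuer         : $($cert.Issuer)"
Write-Host "Validity       : $($cert.NotBefore) to $($cert.NotAfter)"

# The leaf was issued with -eku 1.3.6.1.5.5.7.3.3 (Code Signing); confirm it is present.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'
$hasEku = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $codeSigningOid }
if (-not $hasEku) {
    Write-Host "Signer certificate lacks the Code Signing EKU ($codeSigningOid)"
    exit 1
}

# Build the chain explicitly to see which root anchored it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # a home-made root publishes no CRL
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Host "Chain problem: $($_.Status) $($_.StatusInformation)" }
    exit 1
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Host "Trust anchor   : $($root.Subject)"

# The /t timestamp lets the signature stay valid after the signing cert expires.
if ($sig.TimeStamperCertificate) {
    Write-Host "Timestamped by : $($sig.TimeStamperCertificate.Subject)"
} else {
    Write-Host "No timestamp: the signature expires together with the signing certificate"
}
exit 0
```

Run it as `.\Verify-Signature.ps1 -Path %BINARY_TO_SIGN%`; a non-zero exit code means one of the checks failed, with the reason printed above it.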