Windows/codesign

From Attie's Wiki

Revision as of 23:50, 25 November 2015


How to Sign a Binary for Windows

The tools used below (makecert, certmgr, pvk2pfx and signtool) come with the Microsoft Windows SDK. In my case, they can be found here: C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\.

Preparation

%HOMEDRIVE%
mkdir %HOMEPATH%\sign_bin
cd %HOMEPATH%\sign_bin
 
set PATH=%PATH%;C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\
 
rem The password protects the exported .pfx (and the private key inside it); test123 is a placeholder
set SUPER_SECURE_PASSWORD=test123
rem Path of the executable to sign (placeholder)
set BINARY_TO_SIGN=\path\to\bin.exe

Generate and Install a Root Certificate

rem Self-signed (-r) CA certificate (-cy authority) with an exportable private key (-pe);
rem the private key is written to the .pvk file, the public certificate to the .cer file
makecert ^
  -n "CN=My Root Cert,O=%COMPUTERNAME%" ^
  -r ^
  -pe ^
  -a sha512 ^
  -len 4096 ^
  -cy authority ^
  -sv %COMPUTERNAME%.pvk ^
  %COMPUTERNAME%.cer
 
rem Add the root to the machine-wide Trusted Root store (needs an elevated prompt). From now on
rem every binary signed by a certificate chaining to this root is trusted on this machine, so
rem keep %COMPUTERNAME%.pvk out of reach: whoever holds it can issue "trusted" signing certificates
certmgr.exe -add %COMPUTERNAME%.cer -s -r localMachine root

Generate and Install a Task-Specific Certificate (signed by the root certificate)

rem Leaf certificate issued by the root: -iv/-ic point at the issuer's private key and certificate,
rem -sky signature makes it a signing key, and -eku 1.3.6.1.5.5.7.3.3 is the Code Signing EKU
rem that signtool and Windows require of the signing certificate
makecert ^
  -n "CN=codesign@%COMPUTERNAME%" ^
  -iv %COMPUTERNAME%.pvk ^
  -ic %COMPUTERNAME%.cer ^
  -pe ^
  -a sha512 ^
  -len 4096 ^
  -sky signature ^
  -eku 1.3.6.1.5.5.7.3.3 ^
  -sv codesign@%COMPUTERNAME%.pvk ^
  codesign@%COMPUTERNAME%.cer
 
rem Bundle the leaf's private key and certificate into a password-protected PFX
pvk2pfx ^
  -pvk codesign@%COMPUTERNAME%.pvk ^
  -spc codesign@%COMPUTERNAME%.cer ^
  -pfx codesign@%COMPUTERNAME%.pfx ^
  -po %SUPER_SECURE_PASSWORD%
 
rem Install the certificate and private key to your User's "Personal" certificates store
rem (this opens the Certificate Import Wizard). The signtool step below reads the .pfx directly
rem with /f, so this import is only needed if you sign with /n <subject name> or from a GUI tool
rundll32.exe cryptext.dll,CryptExtAddPFX codesign@%COMPUTERNAME%.pfx

Sign the Binary

rem /t  Authenticode timestamp server (use /tr for an RFC 3161 server); the timestamp keeps the
rem     signature valid after the certificate expires, so sign with one whenever you can
rem /f  the PFX to sign with, /p its password; /d the description Windows shows in the UAC prompt
rem Without /fd the file digest defaults to SHA-1; newer SDKs' signtool accepts /fd sha256
signtool ^
  sign ^
  /t http://timestamp.verisign.com/scripts/timstamp.dll ^
  /f "codesign@%COMPUTERNAME%.pfx" ^
  /p %SUPER_SECURE_PASSWORD% ^
  /d %BINARY_TO_SIGN% ^
  %BINARY_TO_SIGN%
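The page stops at signing and never checks the result. With the SDK toolchain the check is `signtool verify /pa /v <binary>` (/pa selects the default Authenticode policy). The block below is an added example, not code from the page, that walks the same root-plus-leaf procedure with the built-in PowerShell PKI cmdlets and ends with the verification step: chain status, that the signer is the certificate we issued, and that the signer carries the Code Signing EKU. It assumes Windows PowerShell 5.1 on Windows 10 / Server 2016 or later (needed for New-SelfSignedCertificate -Signer), an elevated shell for the Trusted Root import, and placeholder values for the binary path, the password and the timestamp server.

```powershell
# Added example (not from the original page): root CA + code-signing leaf, sign, then verify,
# using the PowerShell PKI cmdlets. Assumes Windows PowerShell 5.1 on Windows 10 / Server 2016+.
# Binary path, password and timestamp server are placeholders.
$ErrorActionPreference = 'Stop'
$Password     = ConvertTo-SecureString -String 'test123' -AsPlainText -Force   # placeholder
$BinaryToSign = 'C:\path\to\bin.exe'                                          # placeholder
$PfxPath      = "codesign@$env:COMPUTERNAME.pfx"
$RootCerPath  = "$env:COMPUTERNAME.cer"

# 1. Root CA key pair in the user's Personal store (certificate-signing key usage, CA=true).
$root = New-SelfSignedCertificate `
    -Type Custom `
    -Subject "CN=My Root Cert,O=$env:COMPUTERNAME" `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign -KeyUsageProperty Sign `
    -KeyExportPolicy Exportable `
    -TextExtension @('2.5.29.19={text}ca=true') `
    -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. Code-signing leaf issued by the root. -Type CodeSigningCert sets EKU 1.3.6.1.5.5.7.3.3.
$leaf = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -Subject "CN=codesign@$env:COMPUTERNAME" `
    -Signer $root `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 3. Export the root's public certificate (to be trusted) and the leaf with its private key (PFX).
Export-Certificate    -Cert $root -FilePath $RootCerPath | Out-Null
Export-PfxCertificate -Cert $leaf -FilePath $PfxPath -Password $Password | Out-Null

# 4. Trust the root machine-wide (elevated shell). After this, anything chaining to the root is
#    trusted on this machine, so the root's private key must be protected accordingly.
Import-Certificate -FilePath $RootCerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 5. Sign. Supply a timestamp server (placeholder below) so the signature outlives the leaf;
#    without one, the signature stops validating when the leaf expires.
$signParams = @{
    FilePath      = $BinaryToSign
    Certificate   = $leaf
    HashAlgorithm = 'SHA256'
    IncludeChain  = 'All'
}
# $signParams['TimestampServer'] = 'http://<your-timestamp-server>'   # placeholder
$result = Set-AuthenticodeSignature @signParams
if ($result.Status -ne 'Valid') { throw "Signing failed: $($result.StatusMessage)" }

# 6. Verify what Windows will actually check. If the root is not in Trusted Root, Status is
#    something other than Valid and the chain error is in StatusMessage.
$sig = Get-AuthenticodeSignature -FilePath $BinaryToSign
if ($sig.Status -ne 'Valid') { throw "Signature not valid: $($sig.StatusMessage)" }
if ($sig.SignerCertificate.Thumbprint -ne $leaf.Thumbprint) { throw 'Signed by an unexpected certificate' }
$eku = $sig.SignerCertificate.EnhancedKeyUsageList | ForEach-Object ObjectId
if ($eku -notcontains '1.3.6.1.5.5.7.3.3') { throw 'Signer lacks the Code Signing EKU' }
"OK: $BinaryToSign signed by $($sig.SignerCertificate.Subject); timestamped: $($null -ne $sig.TimeStamperCertificate)"
```

The thumbprint and EKU checks matter because a Valid status only says the chain ends in a trusted root; it does not say which certificate under that root did the signing, and a root you trust machine-wide can issue more than one.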