Windows/codesign

From Attie's Wiki
Revision as of 23:47, 25 November 2015 by Attie (Talk | contribs)


How to Sign a Binary for Windows

The tools used below ship with the Microsoft Windows SDK. On my machine they live in C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\.

%HOMEDRIVE%
mkdir %HOMEPATH%\sign_bin
cd %HOMEPATH%\sign_bin
 
set PATH=%PATH%;C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\
 
set SUPER_SECURE_PASSWORD=test123
set BINARY_TO_SIGN=\path\to\bin.exe
 
rem Generate a root certificate for this machine
makecert ^
  -n "CN=My Root Cert,O=%COMPUTERNAME%" ^
  -r ^
  -pe ^
  -a sha512 ^
  -len 4096 ^
  -cy authority ^
  -sv %COMPUTERNAME%.pvk ^
  %COMPUTERNAME%.cer
 
rem Bundle the root key and certificate into a password-protected PFX
pvk2pfx ^
  -pvk %COMPUTERNAME%.pvk ^
  -spc %COMPUTERNAME%.cer ^
  -pfx %COMPUTERNAME%.pfx ^
  -po %SUPER_SECURE_PASSWORD%
 
rem Install %COMPUTERNAME%.cer
certmgr.exe -add %COMPUTERNAME%.cer -s -r localMachine root
 
rem Generate a task-specific certificate
makecert ^
  -n "CN=codesign@%COMPUTERNAME%" ^
  -iv %COMPUTERNAME%.pvk ^
  -ic %COMPUTERNAME%.cer ^
  -pe ^
  -a sha512 ^
  -len 4096 ^
  -sky signature ^
  -eku 1.3.6.1.5.5.7.3.3 ^
  -sv codesign@%COMPUTERNAME%.pvk ^
  codesign@%COMPUTERNAME%.cer
 
rem Bundle the code-signing key and certificate into a password-protected PFX
pvk2pfx ^
  -pvk codesign@%COMPUTERNAME%.pvk ^
  -spc codesign@%COMPUTERNAME%.cer ^
  -pfx codesign@%COMPUTERNAME%.pfx ^
  -po %SUPER_SECURE_PASSWORD%
 
rem Install codesign@%COMPUTERNAME%.pfx
rundll32.exe cryptext.dll,CryptExtAddPFX codesign@%COMPUTERNAME%.pfx
 
rem Sign the binary; /t timestamps the signature so it stays valid after the certificate expires
signtool ^
  sign ^
  /t http://timestamp.verisign.com/scripts/timstamp.dll ^
  /f "codesign@%COMPUTERNAME%.pfx" ^
  /p %SUPER_SECURE_PASSWORD% ^
  /d %BINARY_TO_SIGN% ^
  %BINARY_TO_SIGN%
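Once the script above has run, the check below confirms what was actually signed, by which certificate, and which root the machine now trusts for it. This is an added PowerShell example, not part of the wiki page; the default file path is an assumption, and the expected subject mirrors the CN that the page's second makecert call sets.

```powershell
param(
    [string]$Path = "$env:USERPROFILE\sign_bin\bin.exe",   # assumed location
    [string]$ExpectedSubject = "CN=codesign@$env:COMPUTERNAME"
)

# Same OID as the page's makecert -eku argument (id-kp-codeSigning).
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'

$sig = Get-AuthenticodeSignature -FilePath $Path

# 1. Signature is intact and chains to a root this machine trusts. For a
#    home-made root, "Valid" only happens because certmgr added it above.
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
$signer = $sig.SignerCertificate

# 2. The leaf is the task-specific certificate, not some other signer.
if ($signer.Subject -ne $ExpectedSubject) {
    throw "Unexpected signer: $($signer.Subject)"
}

# 3. The leaf carries the Code Signing EKU.
$ekuExt = $signer.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
if ($ekuExt.EnhancedKeyUsages.Value -notcontains $CodeSigningEku) {
    throw 'Signer certificate lacks the code-signing EKU'
}

# 4. A timestamp countersignature keeps the signature valid after the
#    signing certificate expires; its absence is worth flagging.
if (-not $sig.TimeStamperCertificate) {
    Write-Warning 'No timestamp countersignature; signature expires with the cert'
}

# 5. Report which root anchors the chain and whether it sits in the
#    LocalMachine Root store, so an unexpected trust anchor is visible.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
[void]$chain.Build($signer)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

[pscustomobject]@{
    File          = $Path
    Signer        = $signer.Subject
    Root          = $root.Subject
    RootInLMStore = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
    Timestamped   = [bool]$sig.TimeStamperCertificate
}
```

The SDK equivalent is `signtool verify /pa /v bin.exe`; without `/pa`, signtool applies the Windows driver verification policy and reports a home-made chain like this one as untrusted.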