I ordered a verisign code signing certificate (microsoft authenticode) and I now have a .cer file that has my certificate.
I have checked the signtool.exe documentation and I now require a .pfx file. How do I get the .pfx file and how do I get my private key (.pvk file)?
you get this file from verisign on any other provider.
they usually install the certificate on your machine and you need to export it as pfx to use it with signtool.
Use MMC and add the Certificate snap-in to do it.
You will find a detailed help in your certificate provider site. make sure you've bought a code signing certificate.
Related
Need help on how to package code sign certificate with webapp developed in visual studio.
The application setup/installer will be available for download on public website, so we plan to code sign it so it is smoothly installed on client PC.
(1)
how to package code sign certificate
where to get code sign
certificate at reasonable rate
current focus is windows
platform, in future, we need to prepare installer for other
platforms too (Apple, Linux ... )
You can check comodo code signing certificate
Using VS2013 and Windows 8.1
I have a .cer and .pfx file bought from Verisign. I am new to store apps. I have couple of questions
What is the difference between signing the package and code signing (done using the VS 2013 packaging tab of Package.appxmanifest) -
my understanding so far
(a) I guess this is similar to using signtool.exe tool right?
(b) both will install the public key(.cer) to certificate store(mmc) and sign the appx with private key(.pfx) so i would need to manually install .cer file in the live machines inorder to install my app?
(c) Code is signing is done in order to ensure the code has not been tampered with but do we need to do this for all main store app and other components used part of dfferent project (.dll)
Do we need both package and code signing inorder to publish store apps on client machine?
I can't use the same .pfx used for package signing for code signing because of some chaining information. Is this how it is supposed to used different .pfx for both is this a normal way?
For the regular Windows Store apps:
You don't need to sign windows store apps manually.
No. Windows Store will sign the package automatically.
Code signing is for Windows Classic apps or drivers and not for Windows Store apps.
For the sideloaded apps:
Windows store enterprise apps can be signed by any certification authority that is trusted on your PCs (where the app will be installed). It's better to sign with visual studio. There is documantation for an exact procedure.
If you will sign with Verisign certificate, you don't need to install anything except the app, because verisign root is already trusted in Windows. Visual studio signs only application package.
I have an application developed with Visual Studio 2008 and distributed throught ClickOnce. This application is created especially for one client. The network administrator of this company allows me to install this application only with signed executable with a digital certificate. A policy rule will check for the signed certificate on my executable and block otherwise.
My question: do I need to have both setup.exe (ClickOnce) and mysoft.exe (the application installed by this ClickOnce package) signed with a digital certificate?
Thanks.
Yes, you would need to sign both files, but this is not a problem at all - just another line in the building script.
Note, that you would also need to timestamp the signature. Timestamp server address is specified as a parameter in signtool.exe call. The issuer of the code signing certificate (CA) should provide the address of its timestamping server, but not all CAs have timestamping servers. In any case you can use timestamping servers of large CAs such as Verisign, Comodo or GlobalSign.
Good article how to configure VisualStudio to sign app before ClickOnce publishing: http://www.systenics.com/blog/sign-click-once-applications-with-godaddy-code-signing-certificate-and-visual-studio-2012-for-deployment-over-internet/
Firstly, the setup.exe bootstrap file generated by Visual Studio needs to be signed, then the application and deployment manifests need to be signed and finally the application executable needs to be digitally signed.
I have a VS 2008 Setup Project created. I am trying to install this on a Windows 7 machine as a Standard User. I am getting a warning during install about an unknown publisher. I have used makecert to create a certificate, then converted it to a password pfx file. I have digitally signed the msi and setup.exe with the pfx file. When I go into the file properties, I can see the digital certificate attached. On the Windows 7 machine, I imported the pfx file to "Trusted Publishers". What do I need to do to get rid of the warning? I can't have the admin user and password required to install the app. I can't change the UAC settings. I need to make the change to the certificate / setup files to get this to work.
Makecert creates certificates only for testing purposes. To sign your installer you need a real certificate purchased from an official authority. You can try purchasing one from Verisign or Comodo.
Windows UAC recognizes only real certificates.
HI
I have created an application for my windows mobile 6.0 device and I need to sign it so that the user can download updates without having to select that they trust the publisher
I'm not entirely sure what I'm doing here but I created the following files on the command line
.pfx using pvk2pfx
.spc using cert2spc
.cer using makecert
.pvk using makecert
and signed all the dll's and exe in my application using signtool sign
I then copied the certificates to my mobile device clicked on them and installed them
then copied my signed assemblies to the device but when I run the application I'm still being asked if I wish to run the application from an unknown and untrusted publisher
if anybody has any suggestions on how to get this working I'd be very grateful
Thanks
colm
Take the certificate that you've signed the application with and place it in the trusted store on the device.
Assuming you're using Visual Studio you can run the Device Security Manager, which will allow you to easily install the certificate on the device.
Note that you only need to place the .cer file, not the entire .pfx on the device.