I am trying to code sign my application components using a digital certificate. The certificate format is .pem.
I referred to the URL below and tried to implement the code signing using the Visual Studio SignTool.exe:
CodeSign
C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC>"C:\\Program Files (x86)\\Microsoft SDKs\\Windows\\v7.0A\\Bin\signtool.exe" sign /d "C:\\Users\\hpara\\Desktop\\SignCert\\Test.exe" /f "C:\\Users\\guest\\Desktop\\SignCert\\Test.pem"
Signtool.exe returned the error: "Error: Missing filename."
Question:
Can I sign the code using signtool.exe and .pem file?
My actual build environment is on Linux. Just for testing purpose, I copied the certificate file to Win 7 computer and tried to sign the application using visual studio signtool.exe.
The signing certificate request (CSR) is generated on a Linux machine. Finally I need to sign the application on the Linux machine.
How to codesign using the .pem file?
Solution:
Step 1: Generate .pfx file from the .Pem File
openssl pkcs12 -inkey MyprivateKey.key -in MyCertificate.pem -export -out MyCert.pfx
Step 2: Sign the code using .pfx file (Ex: Microsoft SDK SignTool.exe)
signtool sign /f "MyCert.pfx" /p password /t http://timestamp.verisign.com/scripts/timestamp.dll "myapp.exe"
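As an added example (not from any of the posts above), a POSIX shell script that performs Step 1 with openssl against a throwaway self-signed test certificate and then checks the resulting PFX before it goes to signtool in Step 2: that it holds a private key and a certificate, that the certificate carries the Code Signing EKU, and that key and certificate match. It assumes openssl 1.1.1 or later on PATH; every file name and password is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original posts. Assumes openssl 1.1.1+ on PATH.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed input: a throwaway self-signed certificate standing in for
# MyCertificate.pem / MyprivateKey.key. $1 selects the EKU so that a
# certificate of the wrong type (serverAuth) can be exercised as well.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Code Signing Test" -addext "extendedKeyUsage=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# Step 1 from the answer: bundle key + certificate into a PFX. The password
# is passed with -passout; for real keys prefer pass:env:VAR or file:PATH.
make_pfx() {
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.pem" \
    -out "$WORK/$1.pfx" -passout "pass:$2"
}

# Checks worth running before Step 2 (signtool): the PFX must hold a private
# key (1) and a certificate (2), the certificate must carry the Code Signing
# EKU (3), and the certificate's public key must match the private key (4).
check_pfx() {
  pfx=$1 pass=$2 k="$WORK/k.pem" c="$WORK/c.pem"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$k"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$c"
  grep -q "PRIVATE KEY" "$k" || return 1
  grep -q "BEGIN CERTIFICATE" "$c" || return 2
  openssl x509 -in "$c" -noout -ext extendedKeyUsage | grep -q "Code Signing" \
    || return 3
  cert_pub=$(openssl x509 -in "$c" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$k" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || return 4
  return 0
}

# Demonstration: a code-signing certificate passes, a TLS server
# certificate is rejected with status 3 (wrong EKU).
demo() {
  make_test_cert codeSigning good && make_pfx good test
  make_test_cert serverAuth bad && make_pfx bad test
  check_pfx "$WORK/good.pfx" test; echo "good.pfx -> status $?"
  check_pfx "$WORK/bad.pfx" test || echo "bad.pfx -> status $?"
}
demo
```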
Related
I am signing a Visual Studio extension (VSIX) with the following command.
vsixsigntool.exe sign /f CodeSigningCertificate.pfx /p MyPassword /fd sha256 MyVSIXProject.vsix
The result of the command is successful, but when I add the extension to VS I get the following message: "Invalid Signature"... Any idea?
Our Windows Store app is signed by Visual Studio with our custom code signing certificate to allow sideloading of the resulting AppX bundle.
The AppX bundle generated by Visual Studio (during the _CreateBundle build step, I guess) adds no trusted timestamp to the digital signature. This prevents the bundle from being installed after the certificate has expired.
Is there a way to adjust or configure the _CreateBundle build task to add a timestamp during the packaging and signing process? I looked into SignTool (which we use for code signing MSI packages), but the documentation yields
You can't use the SignTool time stamp operation on a signed app package; the operation isn't supported.
.. and my package is already signed by Visual Studio within the _CreateBundle step as it seems.
To clarify the documentation: one cannot add a timestamp to an already signed package, but SignTool can re-sign the package and include a timestamp. So I added a post-build event to re-sign the bundle generated by Visual Studio:
if $(SolutionName) == Installer (
"C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe" sign /fd SHA256 /a /f "$(ProjectDir)..\..\Build\CodeSigning.pfx" /tr http://tsa.starfieldtech.com "$(TargetDir)AppPackages\my_app\my_app.appxbundle"
)
I am trying to use Makecert.exe to create a signing certificate that I can use with our internal VS.NET applications, to be deployed using Clickonce on our local network
I have been following the MSDN guide MSDN: Certificate Expiration in ClickOnce Deployment
so I tried the below:
C:\Program Files (x86)\Microsoft Visual Studio 12.0>Makecert -sv DMTeam.pvk -n "CN=DMTeam" DMTeam.cer -b 03/04/2015 -e 12/31/2020
in order to have a certificate for our applications
When I run the above command using the VS command prompt, I get the below error:
Error: Unable to create file for the subject ('DMTeam.pvk')
Error: Can't create the key of the subject ('DMTeam.pvk')
Failed
So what am I doing wrong?
The key is to run the command prompt with Administrator privileges.
I did something very similar, though I wrote the pvk and cer files to my c:\Temp folder:
C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin>MakeCert -sv C:\Temp\DMTeam.pvk -n "CN=DMTeam" C:\Temp\DMTeam.cer -b 03/04/2015 -e 12/31/2020 -r
Don't forget the "-r" option as it will "Create a self-signed certificate"! Without it the project will not build when you use the created pfx file.
I ran this under the VS2012 x86 Native Tools Command Prompt (with Run as Administrator) and it works just fine. Run without Administrative privileges and then it fails.
Then to create the pfx file do the following:
C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin>pvk2pfx -pvk C:\Temp\DMTeam.pvk -spc C:\Temp\DMTeam.cer -pfx C:\Temp\DMTeam.pfx -po PasswordForPFXFile
Here are some good references:
See section: Test Certificates, MakeCert, RenewCert, and The Big Workaround
https://msdn.microsoft.com/en-us/library/ff369721.aspx
https://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.110).aspx
ClickOnce signer's certificate not valid for signing when using makecert/pvk2pfx
My ClickOnce app now builds fine in Visual Studio 2013.
I'm trying to sign an assembly in Visual Studio 2010 with our PFX file, after I enter the password for the private key I get "An attempt was made to reference a token that does not exist"
Running Visual Studio as Administrator fixed this issue for me.
I have the same problem. Just use signtool from the Visual Studio command prompt instead. Sometimes signtool will claim your password is invalid, but usually after a couple of tries it starts working for me.
signtool.exe sign /f YOURCERT.pfx /p YOURPASSWORD YOURTARGET.exe
If you want Visual Studio to automatically sign the files and work with ClickOnce, this is what I had to do:
Get a copy of OpenSSL. It is available for Windows. Or use a Linux box, as they pretty much all have it.
Run the following to export to a key file:
openssl pkcs12 -in certfile.pfx -out backupcertfile.key
openssl pkcs12 -export -out certfiletosignwith.pfx -keysig -in backupcertfile.key
Then in the project properties you can use the PFX file.
This is what worked for me.
First try to build your project with the key signing option enabled for your project. The build will fail; go to the 'Output' window and you'll see an error like:
Error 1 Cannot import the following key file: MyKey.pfx. The
key file may be password protected. To correct this, try to import the
certificate again or manually install the certificate to the Strong
Name CSP with the following key container name:
VS_KEY_7B9423FE45F4DBEB Project.SomeName
Save the Key Store name (e.g. VS_KEY_7B9423FE45F4DBEB), you will need this later.
Now follow these steps:
Import the digital certificate key (PFX) in the Windows Certificate Store. Double click the PFX key in Windows Explorer and install/import it into your key store (I actually imported it into the trusted root certificates store by selecting manually choose store).
Start Visual Studio 2010 as regular user (I don't face this key signing issue as an Administrator, but I want to debug my apps as a user) (keep it open through this entire process)
From the Start Menu open the Visual Studio Command Prompt (2010) shortcut (x64 if you are on an x64 machine) AS AN ADMINISTRATOR (right click on the Visual Studio 2010 Command Prompt shortcut and select Run as Administrator). This should open an administrative command prompt with the Visual Studio environment set up (not a regular command prompt).
In the command prompt, enter sn -d VS_KEY_xxxx with the key store name from the error message you saved at the beginning.
Then enter sn -i xxx.pfx VS_KEY_xxxx and enter the password when prompted; xxx.pfx is your digital certificate.
Go back to Visual Studio and rebuild your project
If you decide to sign your code, you'll need:
signcode.exe
makecert.exe
cert2spc.exe
pvk2pfx.exe
What's the best place to download these tools?
Is there a way to do this without downloading large quantities of the Microsoft Windows SDK?
Start with the Windows SDK. That should have most of what you are looking for.
Also, SignCode.exe has been deprecated after .NET 1.1. SignTool.exe is the replacement.
Without downloading the SDK?
In general, there are only a few SDK tools that are redistributable outside of the official package from Microsoft. They are listed in a redist.txt file. On my system, I found a .NET SDK redist.txt file in %ProgramFiles%\Microsoft.NET\SDK\v2.0 64bit (I assume the folder is called "v2.0" on x86 systems). Here's what it said:
.NET Framework SDK files
Subject to the license terms for the software,
the following .EXE files may be distributed unmodified:
MageUI.exe
Mage.exe
Makecert.exe
So it looks like the majority of those files will not be redistributable. So again, my answer is download the Windows SDK. Keep in mind you can install just a subset of the tools if you wish; the installer allows you to select/unselect any of the components (for example, just the .NET development tools).
I just installed the Windows SDK for Windows 8. And I still could not find either SignTool.exe or SignCode.exe.
Until I realized that Microsoft has changed its installation path. Now it's installed to one of the following locations:
64-bit, version 8.1: C:\Program Files (x86)\Windows Kits\8.1\bin\x64
32-bit, version 8.1: C:\Program Files (x86)\Windows Kits\8.1\bin\x86
64-bit, version 8.0: C:\Program Files (x86)\Windows Kits\8.0\bin\x64
32-bit, version 8.0: C:\Program Files (x86)\Windows Kits\8.0\bin\x86
EDIT on Windows 10, the binaries can be found under:
C:\Program Files (x86)\Windows Kits\10\bin\x86
etc.
I believe the first three are part of the .NET Framework SDK while the last one is on the Windows Driver Kit.
I couldn't find a document listing pvk2pfx.exe as part of the Platform SDK (now apparently Windows SDK), but that was where I originally thought it was from.
I tried the method below and it worked, although it does NOT get you SignCode.exe (which has been deprecated and replaced by SignTool.exe)
You can get SignTool.exe by installing just the C++ Windows Development Tools from the Visual Studio install (mine is ancient: 2005). More details on that at Lindersoft.com.
How to convert PFX/P12 file to SPC/PVK format
Export Certificate with Private Key.
Use the export wizard with the following options:
Export Private Key (Yes)
DO NOT TICK include all certificates in the certification path if possible
TICK enable strong protection
DO NOT TICK delete private key
Prerequisite: OpenSSL 0.9.8 or better. OpenSSL 1.x preferred.
Note: If you are running Windows you may download OpenSSL here. Otherwise, you can find compiled binaries directly from the OpenSSL Website or consult your Operating System's package management feature.
Private Key (PVK)
Extract your Private Key from the PFX/P12 file to PEM format.
openssl pkcs12 -in PFX_FILE -nocerts -nodes -out PEM_KEY_FILE
Note: The PFX/P12 password will be asked. This is the password you gave the file upon exporting it.
Convert PEM Private Key to PVK format.
OpenSSL 0.9.8 series:
pvk -in PEM_KEY_FILE -topvk -out PVK_FILE
OpenSSL 1.x series:
openssl rsa -in PEM_KEY_FILE -outform PVK -pvk-strong -out PVK_FILE
Note #1: In order to use pvk for OpenSSL 0.9.8 series, you must download PVK Transform.
Note #2: A PEM passphrase may be asked. This will be the password/passphrase that you will use to sign your code.
Software Publisher's Certificate (SPC)
Extract Certificate from P12/PFX file.
openssl pkcs12 -in PFX_FILE -nokeys -out CERT_PEM_FILE
Convert Certificate to SPC format.
openssl crl2pkcs7 -nocrl -certfile CERT_PEM_FILE -outform DER -out SPC_FILE
Note: If you have exported your certificate from another browser outside of IE, then please ensure in the CERT_PEM_FILE that ONLY your certificate exists or else code signing will NOT WORK!
Example Conversion
PVK
openssl pkcs12 -in my_pfx_file.pfx -nocerts -nodes -out rsa.pem
openssl rsa -in rsa.pem -outform PVK -pvk-strong -out mykey.pvk
SPC
openssl pkcs12 -in my_pfx_file.pfx -nokeys -nodes -out cert.pem
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out cert.spc
This information courtesy of Komodo.
Step 1: Download:
http://download.microsoft.com/download/A/6/A/A6AC035D-DA3F-4F0C-ADA4-37C8E5D34E3D/winsdk_web.exe
or
http://www.microsoft.com/en-us/download/details.aspx?id=8279
Step 2:
C:\Users\user1>"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe"