What's the main difference between signcode.exe and signtool.exe? - code-signing

I can't really see a big difference other than signtool is newer and requires different file formats for your digital certificate?

They both accomplish the same thing -- code signing. As you pointed out, the principal difference is that signcode requires the private key and software publisher certificate to be in two separate files (.pvk, .spc).
The more modern signtool requires that they are contained in a single Personal Information Exchange (.pfx) file. (You also need the .pfx file format to use the Association of Shareware Professionals' PAD signing toolkit.)

In addition to John Feminella's answer above, signtool allows you to alternatively provide the thumbprint hash of the certificate instead of the .pfx file if the cert is loaded into the local (user or machine) certificate store.

A major difference is that SignCode can run as a Windows GUI and be configurable on demand, while SignTool can be run from the CMD prompt or from a .bat file.

Related

How to create a self-signed certificate using the command prompt?

Is there a way to create a self-signed certificate in IIS on Windows 2012 R2 using the command prompt?
I went through many documents; everywhere there are tutorials using Windows PowerShell but not the command prompt.
I do not have the makecert utility installed on my system. Is there any other command or utility?
I saw a selfssl utility but I am not sure whether it will work on Windows 2012 R2 Server.
Try the certreq tool. Data is given in the form of an .inf file. The before-mentioned link contains information about the file structure. This link contains an example .inf file for an SSL certificate (it could be of more help).
Then run
certreq -new your_inf_file.inf generated_req.req
As a side effect it will generate a self-signed certificate in Certificate Enrollment Requests in the store you specified in the .inf file. Just move the certificate to the My store and also (because it is self-signed) to Trusted Root Certification Authorities.
You can also use xca. It is a nice utility built on OpenSSL which lets you create any certificates (self-signed or any chain of CAs), and it is easy to use.
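An added example (not part of the answer above) of a certreq .inf written out from a plain batch file. It uses RequestType = Cert, which makes certreq issue the self-signed certificate directly instead of leaving a placeholder in Certificate Enrollment Requests; the host name, file names and the closing certutil step are assumptions for illustration.

```batch
@echo off
setlocal
rem Added example, not part of the original answer. Writes a certreq .inf from the
rem command prompt and creates a self-signed certificate directly (RequestType = Cert),
rem so nothing lands in Certificate Enrollment Requests. The host name and file names
rem are constructed placeholders. Run from an elevated prompt (MachineKeySet = true).
set "HOST=web01.example.invalid"

(
    echo [Version]
    echo Signature="$Windows NT$"
    echo.
    echo [NewRequest]
    echo Subject = "CN=%HOST%"
    echo KeyLength = 2048
    echo KeyAlgorithm = RSA
    echo HashAlgorithm = sha256
    echo ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    echo MachineKeySet = true
    echo Exportable = false
    rem 0xa0 = digitalSignature + keyEncipherment, what a TLS server key needs
    echo KeyUsage = 0xa0
    echo RequestType = Cert
    echo ValidityPeriod = Years
    echo ValidityPeriodUnits = 1
    echo.
    rem Enhanced key usage: Server Authentication only
    echo [EnhancedKeyUsageExtension]
    echo OID = 1.3.6.1.5.5.7.3.1
    echo.
    rem Subject Alternative Name; browsers ignore CN and match on this
    echo [Extensions]
    echo 2.5.29.17 = "{text}"
    echo _continue_ = "dns=%HOST%&"
) > selfsigned.inf

rem Creates the key pair and self-signed certificate in LocalMachine\My and also
rem writes the public certificate to selfsigned.cer.
certreq -new selfsigned.inf selfsigned.cer || exit /b 1

rem Self-signed, so the machine must trust it explicitly: add the public part to
rem Trusted Root Certification Authorities (the step the answer above does by hand).
certutil -addstore -f Root selfsigned.cer || exit /b 1
```

The private key stays non-exportable, so a copy of selfsigned.cer is enough for other machines to trust the server, but nothing more.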
I wouldn't bother with makecert as it is deprecated. Instead, I would suggest you use PowerShell as it is the mainstream administration tool in Windows Server. Windows Server 2012 has a built-in cmdlet to generate self-signed certificates: https://technet.microsoft.com/en-us/library/hh848633(v=wps.630).aspx
When Microsoft deprecated the makecert tool, they enhanced the certreq command-line tool with the ability to generate self-signed certificates, though with an overhead: http://blogs.technet.com/b/askds/archive/2012/08/14/rsa-key-blocking-is-here.aspx
The article rsa-key-blocking-is-here.aspx moved here.

Best Code Signing Practice

I have acquired and deployed a digital code signing certificate. I have added it to the installation program for a Windows application, signing the InstallShield setup.exe file and the msi file. Everything works perfectly in the installation program.
My application is installed as a single exe file along with a compiled HTML help file.
Is the best practice to digitally sign the exe file in addition to the Windows installation program?
Yes. You should sign the executable as well.
You should also ensure you use a time-stamp server if possible when signing too. Thus users of your application know the code came from a valid source, and the certificate was valid when it was signed. (The time-stamping means users can check the signing is valid after the expiry date of your certificate - i.e. the signature will be valid for all time.)

How to install certificates on others' machines?

On my machine, I'm using a signed application with an installed certificate to get a trusted publisher dialog from Windows. I've created a certificate with makecert.exe and installed it to the certificate store in Windows. From there, I've exported the PFX and signed my application with signtool.exe. In order to get the same trusted publisher dialog on another machine, a certificate is necessary. Instead of installing the certificate by hand, an installer should accomplish the import of the certificate. Unfortunately, Windows Installer doesn't support this feature. Because of that, I'm looking for a solution like a classical API command in Windows. Is there something built into Windows to make it easier, or something comparable?
To install a certificate as part of an MSI setup you have to use custom actions. If you are not familiar with custom actions, I recommend using the simplest custom action, which allows you to start an exe. It can be an existing utility like CertUtil.exe (see here for some examples, and try certutil -importPFX -? to see the help about importing PFX files).

How do I sign exes and dlls with my code signing certificate

I purchased a code signing cert from Thawte and have been going out of my mind with frustration at the whole process.
What I have from them are:
.spc / .p7b file
.pvk file
(NOTE I do not have a pfx file from them. God knows why, but I have been fighting with their tech support for a week)
In any case I find "help" links on their site and at MS for signcode.exe which is useless for me because I can't find that exe on my machine, however I do have signtool.exe.
Unfortunately I am mystified by the command line parameters listed on this MS help site.
Specifically, what parameters do I use and what values? I tried what I thought was obvious but it does not work at all.
I can get the signing wizard to work, however I need this to work non-interactively in a Hudson CI batch file.
It really doesn't seem like it should be this difficult, but so far it is all black magic.
Thanks for any help.
First, you can generate your own pfx file using the pvk2pfx tool described at http://msdn.microsoft.com/en-us/library/ff549703(VS.85).aspx
Something like
pvk2pfx -pvk cert.pvk -spc cert.spc -pfx cert.pfx -pi password
ought to do the trick.
Secondly, signtool is the tool you're after. http://msdn.microsoft.com/en-us/library/aa387764(VS.85).aspx
signtool sign /?
Gets you the help, but the basic command you're probably after is
signtool sign /f cert.pfx /p password target.exe
Which will sign target.exe. It gets more complex if you want to put the certificate into the certificate store on the machine (this is the CSP bit). This is really useful though for doing signing on a lot of dev machines, or on build lab machines where you want to avoid putting the certificate in source control.
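Putting the pvk2pfx and signtool commands above together with the time-stamping advice from the "Best Code Signing Practice" answer, here is an added example (not from the original answers) of a batch file that signs and then verifies each binary it is given, non-interactively for a CI server. It assumes a Windows SDK signtool that supports /fd, /tr and /td, a password supplied in the SIGN_PFX_PASSWORD environment variable, and a placeholder timestamp URL you must replace with your CA's.

```batch
@echo off
setlocal
rem Added example, not from the original answers. Assumes signtool.exe and pvk2pfx.exe
rem (Windows SDK) are on PATH and the PVK/PFX password is in SIGN_PFX_PASSWORD,
rem set by the CI server, so no password sits in the script or in source control.
rem TIMESTAMP_URL is a placeholder; use your CA's RFC 3161 timestamp service.
set "TIMESTAMP_URL=http://timestamp.example.invalid"
set "PFX=cert.pfx"

if "%SIGN_PFX_PASSWORD%"=="" (
    echo ERROR: SIGN_PFX_PASSWORD is not set 1>&2
    exit /b 1
)
if "%~1"=="" (
    echo Usage: %~nx0 file1.exe [file2.dll ...] 1>&2
    exit /b 2
)

rem Step 1 (one-off): build the .pfx from the separate .pvk/.spc pair the CA shipped.
rem -pi is the .pvk password, -po the password protecting the new .pfx.
if not exist "%PFX%" (
    pvk2pfx -pvk cert.pvk -pi %SIGN_PFX_PASSWORD% -spc cert.spc -pfx "%PFX%" -po %SIGN_PFX_PASSWORD% || exit /b 1
)

rem Step 2: sign each binary with a SHA-256 file digest and an RFC 3161 timestamp,
rem so the signature stays valid after the certificate itself expires.
rem Step 3: verify immediately; /pa applies the default Authenticode policy, and a
rem non-zero exit code fails the build instead of shipping an unsigned file.
for %%F in (%*) do (
    signtool sign /f "%PFX%" /p %SIGN_PFX_PASSWORD% /fd SHA256 /tr %TIMESTAMP_URL% /td SHA256 "%%~F" || exit /b 1
    signtool verify /pa /v "%%~F" || exit /b 1
)
echo All files signed and verified.
exit /b 0
```

Call it from the build step as sign.bat bin\app.exe bin\helper.dll; the exit code propagates to the CI job.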

Get rid of "Publisher Unverified" warnings in Windows for executables

I have made an application for Windows, and every time I run the application by opening the executable file I get the "Publisher Unverified" warning in Windows. It would be fine if I were the only audience for this app, but that's not the case. Is there any way to program my app so that this message does not show up for the users?
The only way to do this is to obtain and use a code signing certificate from a trusted source. Microsoft calls this Authenticode.
Unfortunately for the little guy, these cost. Verisign sells theirs for about four hundie a year.
Here are some starting points you should read about Authenticode:
http://msdn.microsoft.com/en-us/library/ms537359(VS.85).aspx
http://technet.microsoft.com/en-us/library/cc750035.aspx
http://msdn.microsoft.com/en-us/library/aa379872(VS.85).aspx
Some certificate dealers:
http://www.verisign.com
http://www.thawte.com
http://www.globalsign.net
http://www.geotrust.com
For a cheaper code signing certificate, you can use Comodo. There is a reseller called KSoftware which sells their certificates for $99/yr:
http://www.ksoftware.net/code_signing.html
I used them a few years ago and had no problems.
You can then use SignTool from the .net SDK to sign your EXE files. There is a tutorial here:
http://www.tech-pro.net/code-signing-for-developers.html
I think there is a way to resolve this. We need to add a digital signature to the executables. The way to add digital signatures is very nicely outlined at:
http://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/
http://blog.didierstevens.com/2008/12/31/howto-add-a-digital-signature-to-executables/
Basically we will use OpenSSL to create our own digital signatures and then use the SignTool application by Microsoft to add it to our executable.
