How to correctly sign an executable - c#

I have made a little tool. It is a console application that, when running on Win7, brings up the UAC security prompt.
I tried to sign this EXE file in Visual Studio 2010 using the following steps:
Project properties
Signing
Create new key as shown below
The key file was successfully created, as you can see in the capture below.
Issues:
The file is still being blocked by the UAC security prompt. When I checked with signtool.exe whether the file is signed or not, it told me no signature was found.
Please correct me if I'm following the wrong steps.

Assembly signing != Authenticode signing.
To Authenticode-sign an assembly with signtool, you'll need a code signing certificate from a trusted issuing authority.
You can then issue the following post-build command to sign your executable:
"signtool.exe" sign /f "$(SolutionDir)myCertificate.pfx" /p certPassword /d "description" /du "http://myinfourl" /t "http://timeserver.from.cert.authority/" $(TargetPath)
Everything you need to know about Authenticode Code Signing
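As an added example (not part of either answer above), a small C# check that shows the distinction the first answer draws: the strong-name key from the Visual Studio Signing tab and an Authenticode signature are separate things, and only the second is what signtool and the UAC prompt look at. It assumes .NET on Windows; the file path is a placeholder.

```csharp
// Added example, not from the thread: tell strong-name signing apart from
// Authenticode signing on a compiled file. Assumes .NET on Windows.
using System;
using System.Reflection;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SignatureCheck
{
    // Strong-name signing is what the Visual Studio "Signing" tab configures.
    // It only embeds a public key token in the assembly identity; UAC ignores it.
    public static bool HasStrongName(string path)
    {
        try
        {
            byte[] token = AssemblyName.GetAssemblyName(path).GetPublicKeyToken();
            return token != null && token.Length > 0;
        }
        catch (BadImageFormatException) { return false; } // native exe: no assembly identity
    }

    // Authenticode signing is what signtool.exe adds and what the UAC prompt shows.
    // CreateFromSignedFile only extracts the signer certificate; it does not
    // verify the signature over the file (use "signtool verify /pa" for that).
    public static X509Certificate2 GetAuthenticodeSigner(string path)
    {
        try
        {
            return new X509Certificate2(X509Certificate.CreateFromSignedFile(path));
        }
        catch (CryptographicException) { return null; } // signtool: "no signature found"
    }

    static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : @"bin\Debug\app.exe"; // placeholder
        Console.WriteLine("Strong-named assembly: " + HasStrongName(path));

        X509Certificate2 signer = GetAuthenticodeSigner(path);
        if (signer == null) { Console.WriteLine("Authenticode signature: none"); return; }

        using (var chain = new X509Chain())
        {
            // Build succeeds only if the issuer chains to a root this machine trusts;
            // a self-signed makecert certificate fails here, and UAC distrusts it too.
            Console.WriteLine("Authenticode signer: " + signer.Subject);
            Console.WriteLine("Chain trusted: " + chain.Build(signer));
        }
    }
}
```

X509Chain.Build checks certificate trust only; the integrity of the signature over the file bytes is checked by signtool verify or Get-AuthenticodeSignature, not by this snippet.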

Basically you have 2 options: a command that you execute manually, or one you execute via a batch file.
signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f "D:\Source\Certificates\CodeSign.pfx" /as /p MyPassword "{path to exe}"
This becomes a bit frustrating after a while.
It is better to add it on your project's options page in the Build Events.
In your post-build event you would enter
call "C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f "D:\Source\Certificates\CodeSign.pfx" /p MyPassword $(TargetPath)
The macro $(TargetPath) will be filled with the path to your compiled exe or dll.
Now each time you compile you will get a signed file.
It would look something like this:

Related

Issue with signing with Visual Studio For the Installer

I have a Visual Studio 2015 C# solution; it has about 8 assemblies and an executable, and some exes require elevated permission. So I sign my executables and assemblies with a certificate in the post-build of each executable and assembly. Then I sign them in the pre-build of the installer, and then I post-build my MSI.
As a result, the MSI is signed, but the executable that requires elevated permission is not, and it has the same date and time as the MSI (just a second before).
Here is the script that I am using:
"c:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /f C:\Work\source\Certificate\CodeSign.pfx /p xxxxpasswordxxxx /tr http://tsa.starfieldtech.com /td SHA256 "c:\source\app\bin\Debug\app.exe"
What am I doing wrong?
Update: As per "Microsoft signtool removes administrative privileges?", I have set the requestedExecutionLevel to requireAdministrator in the app's manifest.
After seeing what VS does with the file (it adds the files to the OBJ folder), I had to sign the file that was in the obj\debug folder on pre-compile, and it works.
"c:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /f C:\Work\source\Certificate\CodeSign.pfx /p xxxxpasswordxxxx /tr http://tsa.starfieldtech.com /td SHA256 "c:\source\app\obj\Debug\app.exe"

How to use mage.exe to resign manifests for VSTO?

We have an Excel plugin as part of our Visual Studio solution. The plugin is built once and then deployed out to different environments (dev, uat, prod) as part of our CI/CD process.
During the deploys we apply an app config transform to update the Excel plugin config with the correct environmental config.
As such, the manifest and VSTO needs resigning. I've been through a number of SO posts (Use mage.exe to create a ClickOnce deployment manifest for *.deploy files, Resign manifest of click-once application change from 4.0 to 4.5, Resign Clickonce manifest using mage.exe etc.) and MSDN posts and cannot work out the correct way to call mage.exe for this to work.
I've tried mage.exe -update ..., mage.exe -sign ... and a couple of other combinations that all result in broken or invalid manifests when I try to launch the VSTO, e.g.
C:\Tools\mage.exe -update "$CodeBasePath\MyCompany.vsto" -certFile "$CertFile" -password "$CertPassword" -appManifest "$AppManifestPath"
Does anyone know the correct order of signing and flags to use with mage.exe when re-signing a VSTO?
Before updating the VSTO file you need to first update the application manifest.
mage -update yourFile.dll.manifest -CertFile certificate.pfx -Password password
Then you need to update the VSTO with the application manifest you already updated.
mage -update yourFile.vsto -appmanifest yourFile.dll.manifest -CertFile certificate.pfx -Password password
Just additional info to the above correct answer: in case you are using a Certificate Store or USB Token, you need to provide -CertHash "certificate thumbprint" instead of -CertFile "certificate file path".
mage -update yourFile.dll.manifest -CertHash "cert-thumb-print"

Code Signed .exe on unc path

I have been doing a lot of research on code signing and the windows security prompt. I have a code signing certificate from comodo and everything appears to work great for the most part.
1) If all the files are on my local disk - works fine
2) If the files are on a UNC path and the server is on the same domain as my local machine - gravy
However, if the files are on a UNC path and it's on another domain or no domain, I get a nasty dialog "We can't verify who created this file...", even though the file properties dialog shows the file is properly signed with no errors on the certificate.
The command I am using to sign my files:
signtool.exe sign /v /ph /tr http://timestamp.comodoca.com/rfc3161 /ac "<comodo key>" /f "<my key>" /p <mypass> <file>
Am I missing something, or is this just the way it is?

How to add digital signature to my project

When I try to run my compiled application, Windows warns that the app doesn't have any signature and asks if I really want to run my app.
I don't know the reason which causes that, but I think to avoid this I need a digital signature, so from the web I followed these steps:
I've created my own cert with the makecert tool from the Windows SDK, following an example with this code:
makecert -r -pe -a sha1 -n "CN=name, E=name#Hotmail.com, C=US" -b 01/01/2013 -e 01/01/2050 -ss My
Then I can see my own certificate in the "Personal" folder:
Now I've exported the certificate with this command:
certutil -exportPFX -p "Password" my 586a7358ebdce8854def26875f0f38ab "C:\Test.pfx"
But when I opened the signing tab in my project settings and chose "Select from file...", VS says this:
The selected certificate is not valid for code-signing. Choose another certificate file.
Did I do something wrong? I don't know how to correctly code-sign my project;
maybe I need a ".cer" certificate instead of a ".pfx" certificate?
Then how can I generate a valid CER certificate?

SignTool Problem

I am trying to sign an application with my new code signing key, but SignTool keeps giving me a File not Found: C:\Users\Eaton
Why? The paths are all correct. When I put the key in the same dir and just use CodeSigningKey.pfx without the path, it works fine, but I don't want to do that; I want it to be in that specified path.
Here is my command, the /f param being the problem:
signtool sign /f C:\Users\Eaton\Desktop\Other Things\CodeSigningKey.pfx /p dsdsds /t http://timestamp.comodoca.com/authenticode app.exe
What am I doing wrong there?
The path to the cert file contains a space, and since you have not put it in quotes, command line argument parsing treats it as two separate arguments.
Try this one instead:
signtool sign /f "C:\Users\Eaton\Desktop\Other Things\CodeSigningKey.pfx" /p dsdsds /t http://timestamp.comodoca.com/authenticode app.exe
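As an added example (not from Franci's answer), the quoting rule that answer relies on, implemented in C# so a build script can assemble a signtool command line from any path without the split-argument failure; the password value is a placeholder.

```csharp
// Added example, not from the answers: quote arguments for the Windows
// CommandLineToArgvW rules so a path with spaces reaches signtool as one token.
using System;
using System.Text;

static class ArgQuoting
{
    public static string Quote(string arg)
    {
        // No whitespace or quotes: the parser already sees one token.
        if (arg.Length > 0 && arg.IndexOfAny(new[] { ' ', '\t', '\n', '"' }) < 0)
            return arg;

        var sb = new StringBuilder("\"");
        int backslashes = 0;
        foreach (char c in arg)
        {
            if (c == '\\') { backslashes++; continue; }
            if (c == '"')
                sb.Append('\\', backslashes * 2 + 1).Append('"'); // escape the quote
            else
                sb.Append('\\', backslashes).Append(c);           // backslashes are literal
            backslashes = 0;
        }
        // Backslashes right before the closing quote must be doubled.
        return sb.Append('\\', backslashes * 2).Append('"').ToString();
    }

    static void Main()
    {
        // Path from the question above; "Other Things" contains a space.
        string pfx = @"C:\Users\Eaton\Desktop\Other Things\CodeSigningKey.pfx";
        string[] argv =
        {
            "sign", "/f", pfx, "/p", "PASSWORD_PLACEHOLDER",
            "/t", "http://timestamp.comodoca.com/authenticode", "app.exe"
        };
        Console.WriteLine("signtool " + string.Join(" ", Array.ConvertAll(argv, Quote)));
        // A directory path ending in a backslash needs the doubling rule too.
        Console.WriteLine(Quote(@"C:\Program Files (x86)\Windows Kits\10\bin\x64\"));
    }
}
```

On .NET Core 2.1 and later, ProcessStartInfo.ArgumentList applies these same rules automatically when a script launches signtool directly instead of going through cmd.exe.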
While Franci's solution above set me in the right direction, I found it didn't quite work in my case.
To resolve this, I needed to go to Inno Setup > Tools > Configure tools ...,
click the 'Add' button and then respond as follows:
Name of Signtool:
MySignTool
Command of Signtool:
"c:\fullpath\signtool.exe" sign /f "C:\fullpath\CodeSigningKey.pfx" /p mypassword /t http://timestamp.comodoca.com/authenticode $f
Then in the Inno Setup script itself, under the [Setup] section, I updated the following:
SignTool=MySignTool
SignedUninstaller=true
etc.
