Signing a Windows EXE file
I have an EXE file that I should like to sign so that Windows will not warn the end user about an application from an "unknown publisher". I am not a Windows developer. The application in question is a screensaver generated from an application that generates screensaver applications. As such I have no influence on how the file is generated.

I've already found out that I will need a code signing certificate from a CA like Verisign or instantssl.com. What I don't understand is what I need to do (if at all possible) to sign my EXE file. What is a simple explanation?

Mel Green's answer took me further, but signtool wants me to specify what certificate to use in any case. Can I get a free code signing certificate somehow to test if this will work for me at all?

Also please specify which certificate kind is the correct one. Most sites only mention "code signing" and talk about signing applications that are actually compiled by the user. This is not the case for me.

Jejune answered 31/10, 2008 at 0:17 Comment(5)
Just curious - how much does one have to pay to buy a certificate? - Directions
@Rigel roughly $400 a year, probably not worth it :) - Privation
@SharanArumugam: WHAAT?????? It is like Microsoft is against cheap/free software! - Directions
How to: Create Temporary Certificates for Use During Development & Using SignTool to Sign a File - Bumf
Does this answer your question? How do I create a self-signed certificate for code signing on Windows? - Slovene

How to sign your app

Use Microsoft's SignTool to sign your app.

You download it as part of the Windows SDK. Note that it's also possible to install SignTool without installing the entire SDK. Once installed you can use SignTool from the command line like so:

signtool sign /a /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 MyFile.exe

This will sign MyFile.exe. Explanation of the used command line options:

  • /a will automatically use the certificate that is valid for the longest time. If you have no certificate, SignTool will display an error.
  • /fd SHA256 will use the SHA-256 digest algorithm for the file signature. Using SHA256 is recommended and considered to be more secure than the default SHA1 digest algorithm.
  • /tr http://timestamp.digicert.com adds a timestamp to your signed apps. This is extremely important because it allows the signature to remain valid even after the certificate itself has expired. The argument for the /tr option is a timestamp URL. You can use any of the timestamp URLs from this list of free RFC 3161 timestamp servers.
  • /td SHA256 will use the SHA-256 digest algorithm for the timestamp signature. As before, using SHA256 is recommended and considered to be more secure.

How and when to use self-signed certificates

If you'd like to get a hold of a certificate that you can use to test your process of signing the executable, you can use MakeCert to create a self-signed certificate.

Once you've created your own certificate and have used it to sign your executable, you'll need to manually add it as a Trusted Root CA for your machine in order for UAC to accept your self-signed certificate as a trusted source. Note that you can only do this on your own development machines. You usually cannot do this on your users' computers, since most users will not accept installing a new Root CA, for good reasons.

How to get rid of the "unrecognized app" warning

Even if your app is signed, you might still see the following warning message when trying to run the app:

Microsoft Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.

How to avoid this warning is a somewhat complex topic. Please see this answer to get the whole picture about these Microsoft SmartScreen warnings and what you can do and should know about it.

Pt answered 31/10, 2008 at 0:32 Comment(9)
A working workflow in a separate question: #85347 - Modesta
"This tool is automatically installed with Visual Studio. To run the tool, use the Developer Command Prompt (or the Visual Studio Command Prompt in Windows 7)." msdn.microsoft.com/en-us/library/8s9b9yaz(v=vs.110).aspx - Caulis
Very curious about the certificate used by signtool too. - Schnorr
The "signwizard" option is not available after Windows SDK 7.0 - Inflation
Makecert has been deprecated and the PowerShell cmdlet New-SelfSignedCertificate should be used to create a testing certificate instead. Details in https://mcmap.net/q/99833/-how-do-i-create-a-self-signed-certificate-for-code-signing-on-windows (answer to a question linked by The_Ghost). - Rashad
@MelGreen your TechNet link doesn't work - you need techcommunity.microsoft.com/t5/windows-server-essentials-and/… - Create
@will-croxford The article says that was made "even worse" by distributing the private key, but isn't that the only problem, and doesn't it only affect https? Say you had a program where the private key is in a public repo, as is a common practice. If the program didn't use the certificate for traffic, but only used it for signing the application, wouldn't that be fine? According to docs.microsoft.com/en-us/dotnet/standard/assembly/strong-named, application signing appears to be only for identifying the application uniquely (in the GAC). So, you should use a different key for that and be fine, or what? - Mcphail
When I download my program after I uploaded it, it says, "Failed, Virus Detected" - Rollick
Can I use the "signtool.exe" tool without installing the whole SDK (1GB) crap? - Directions

I had the same scenario in my job and here are our findings

The first thing you have to do is get the certificate and install it on your computer. You can either buy one from a Certificate Authority or generate one using makecert.

Here are the pros and cons of the 2 options

Buy a certificate

Generate a certificate using Makecert

  • Pros:
    • The steps are easy and you can share the certificate with the end users
  • Cons:
    • End users will have to manually install the certificate on their machines and depending on your clients that might not be an option
    • Certificates generated with makecert are normally used for development and testing, not production

Sign the executable file

There are two ways of signing the file you want:

  • Using a certificate installed on the computer

    signtool.exe sign /a /s MY /sha1 sha1_thumbprint_value /t http://timestamp.verisign.com/scripts/timstamp.dll /v "C:\filename.dll"

    • In this example we are using a certificate stored in the Personal folder, identified by its SHA1 thumbprint (this thumbprint comes from the certificate), to sign the file located at C:\filename.dll
  • Using a certificate file

    signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f "c:\path\to\mycert.pfx" /p pfxpassword "c:\path\to\file.exe"

    • In this example we are using the certificate c:\path\to\mycert.pfx with the password pfxpassword to sign the file c:\path\to\file.exe

Test Your Signature

  • Method 1: Using signtool

    Go to: Start > Run
    Type CMD > click OK
    At the command prompt, enter the directory where signtool exists
    Run the following:

    signtool.exe verify /pa /v "C:\filename.dll"

  • Method 2: Using Windows

    Right-click the signed file
    Select Properties
    Select the Digital Signatures tab. The signature will be displayed in the Signature list section.

I hope this helps you

Sources:

Spires answered 6/4, 2018 at 15:41 Comment(0)

You can get a code-signing certificate from Certum if you're doing open source development. I've been using their certificate for over a year, and it does get rid of the unknown publisher message from Windows. Price history:

  • 2005 - €14.00
  • 2019 - €25.00
  • 2022 - €69.00

As far as signing code I use signtool.exe from a script like this:

signtool.exe sign /t http://timestamp.verisign.com/scripts/timstamp.dll /f "MyCert.pfx" /p MyPassword /d SignedFile.exe SignedFile.exe

Joacima answered 18/9, 2014 at 21:24 Comment(6)
You're right, it doesn't look free any more. FWIW I just renewed, and I didn't pay anything. Maybe I'm grandfathered in. Maybe their internal processes are broken. Their website sure is complicated. - Joacima
Certum shop says that their open source certificate WILL NOT remove the Microsoft SmartScreen Filter message. - Beersheba
@MarkusLaire You can bypass SmartScreen by buying the expensive EV certificate. Otherwise your EXE (and your certificate) need to build "reputation" before SmartScreen will stop flagging it. Getting enough users—and apparently internal users are fine—will do the job, but how many users and for how long seems to be unpredictable. - Shedevil
@TimPederick My understanding is that a person can't get an EV certificate, that those are only available to corporations. - Beersheba
@MarkusLaire Mine too. I'm just pointing out that you can get your software past SmartScreen even as a sole and/or open-source developer… you just have to have a userbase (e.g. testers) willing to click through its warnings at first. - Shedevil
It now costs about the same as a regular code signing cert at 69 Euros per year. - Biquadrate

This is not a direct answer to the question, but it is closely related (and useful, I hope) since sooner or later any individual programmer will have to put his hand into the wallet.

So, prices for EV (Extended Validation) Code Signing Certificates, sorted by price:

AboutSSL
$240/Year (clickbait price)
$287/Year (real price, after coupon)

KSoftware.net
1 Year $350 + ($50 hidden fee!)
2 Year $600
3 Year $750

OV: $84 per year (for 3 years)

I purchased from them an EV. Some years later I purchased an OV. The eToken was sent on a USB stick. No reader needed. They are only intermediary. In the end, you actually purchase from Comodo (Sectigo). Sectigo is veeeeerrry slow. The second time, the verification took two full months. The phone verification failed multiple times. Everything was cumbersome. The tech support didn't have a clue about what is going on, probably just a guy in Pakistan reading through some script.

Sklep.certum.pl
1 Year 379 euro
(seems to be for Poland users only)

LeaderSsl.de
1 Year 364 euro or 307 euro (+19%VAT)
(OV 69+VAT)

Sectigo.com
1 Year $499 USD
3 Year $897 USD

GlobalSign.com
1 Year $410 total
2 Years $760 total
3 Years $950 total

Digicert.com
1 Year: $600 (it was $104)
3 Year: ?

symantec.com
1 Year: $700
3 Years: ridiculously expensive

More prices here:
cheapsslsecurity.com CodeSigning EV
cheapsslsecurity.com SSL only!


EV vs OV

With EV, nine additional steps are required, including verifying a business's public phone number, length of time in business, registration number and jurisdiction, as well as a domain fraud check, a contact blacklist check and a telephone call to authenticate the employment status of the requestor.

Some recommend submitting a program signed with OV to Microsoft to be checked with their antivirus.


IF YOU FIND CHEAPER PRICES, let me know, and I will update the list!


How to use the certificate?

To sign the exe file, I used MS signtool.exe. For this you will need to download the bloated MS Windows SDK, which is a whopping 1GB. FORTUNATELY, you don't have to install it. Just open the ISO and extract "Windows SDK Signing Tools-x86_en-us.msi". It is merely 400 KB.

Then I built this tiny script file:

prompt $
echo off
cls

copy "my.exe" "my.bak.exe"

"c:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe" sign /fd SHA256 /f MyCertificate.pfx /p MyPassword My.exe

pause

What happened after signing my EXE file?

So, after investing some money, I finally signed my EXE file. What happened after that? Nothing... On Win10 I still see the same "untrusted" window with the "Don't run" button. The "Continue" button is still invisible. My program has about 400 downloads per day. Let's wait and see how many downloads are necessary.

Directions answered 25/10, 2019 at 13:29 Comment(3)
Also see: #64135177 - Directions
Why doesn't OV help much? - Pictorial
@Pictorial - Windows still shows some warnings when your app is signed with OV. - Directions

The ASP's magazine ASPects has a detailed description on how to sign code (You have to be a member to read the article). You can download it through http://www.asp-shareware.org/

Here's a link to a description of how you can make your own test certificate.

This might also be interesting.

Azelea answered 27/11, 2008 at 13:3 Comment(3)
Addendum four years later: Comodo was compromised sometime in early 2012 (blogs.comodo.com/it-security/data-security/…) and so lots of user agents now reject certificates with a Comodo root authority - Kitchenette
Is Comodo still a risky bet in mid 2013, and by 'user agents', does that mean Microsoft/Windows, as surely they're the ones who decide whether to show that notorious 'unknown publisher' message? - Seiden
Sorry, removed the explicit service recommendations, which are 1) out of date and 2) have been ruled off-topic now (because of 1.). - Leopard

Another option, if you need to sign the executable on a Linux box, is to use signcode from the Mono project tools. It is supported on Ubuntu.

Yorgo answered 21/2, 2015 at 7:3 Comment(2)
That's very helpful! The package is available in Debian as well, under the name mono-devel. - Fennec
osslsigncode is a better option for me: "osslsigncode is based on OpenSSL and cURL, and thus should be able to compile on most platforms where these exist" - Yorgo

Reference https://steward-fu.github.io/website/driver/wdm/self_sign.htm

Note: signtool.exe from Microsoft SDK

  1. First time (to make private cert)

    Makecert -r -pe -ss YourName YourName.cer

    certmgr.exe -add YourName.cer -s -r localMachine root

  2. After (to add your sign to your app)

    signtool sign /s YourName YourApp.exe

Evante answered 8/2, 2018 at 10:26 Comment(2)
The makecert.exe comes from the Windows SDK, right @kyc1109? And ... if I'm developing the executable program under Win7, is it better to use makecert.exe from the Win7 SDK instead of the Win10 SDK? Am I right? - Sought
Hi gumuruh, you are right, I think. But I did not try it. - Evante
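The test-certificate flow described in this answer and in the accepted answer above (create a development certificate, trust it locally, sign with SHA-256 digests and an RFC 3161 timestamp, then verify) as one end-to-end PowerShell script. This is added example code, not from any of the posts; it uses New-SelfSignedCertificate in place of the deprecated makecert, and the signtool path and the target file name are assumptions.

```powershell
# Added example (not from the original answers). Run in an elevated-or-not
# PowerShell on a development machine; the timestamp step needs Internet access.
$ErrorActionPreference = 'Stop'
$SignTool  = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe' # assumed SDK path
$Exe       = '.\MyScreensaver.scr'                                                      # assumed target file
$Timestamp = 'http://timestamp.digicert.com'

# 1. Create a self-signed code-signing certificate (EKU 1.3.6.1.5.5.7.3.3) in the
#    current user's Personal store. Short lifetime: it is a test certificate only.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Dev Test Code Signing (not for distribution)' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddMonths(6)

# 2. Trust it as a root on THIS machine only; otherwise Authenticode reports the
#    chain as untrusted. Windows shows a confirmation dialog for this import.
$cerPath = Join-Path $env:TEMP 'devsign.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null
Remove-Item $cerPath

# 3. Sign. /sha1 selects the certificate by thumbprint, which is more predictable
#    than /a when several certificates are installed. Keep a backup of the unsigned file.
Copy-Item $Exe "$Exe.bak" -Force
& $SignTool sign /fd SHA256 /tr $Timestamp /td SHA256 /sha1 $($cert.Thumbprint) $Exe
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 4. Verify with signtool (/pa = Authenticode policy, the one used for applications).
& $SignTool verify /pa /v $Exe
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# 5. Verify again from PowerShell and check the two things a reviewer cares about:
#    the chain validates, and a timestamp counter-signature is present so the
#    signature outlives the certificate.
$sig = Get-AuthenticodeSignature -FilePath $Exe
if ($sig.Status -ne 'Valid') {
    throw "Signature status: $($sig.Status) - $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    throw 'No timestamp: this signature will stop validating when the certificate expires'
}
"Signed by $($sig.SignerCertificate.Subject); timestamped by $($sig.TimeStamperCertificate.Subject)"
```

On a user's machine, where the test root is not installed, the same Get-AuthenticodeSignature call returns a Status of NotTrusted; that is the condition a real CA-issued certificate removes.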

Use the following link to sign an .exe (setup/installer) file (sign an exe/setup file without using Microsoft's signtool):

https://ebourg.github.io/jsign/#files

Sample command:

jsign --keystore keystore.jks --alias alias --storepass password MyInstaller.exe

Worked for me :)

Iridium answered 28/3, 2018 at 4:43 Comment(2)
Could you please define what the keystore.jks file is and where we make it first? Which one first, etc. etc...? @Iridium - Sought
@Sought keystore.jks is a Java keystore file holding the private key and the certificate. Jsign also supports PKCS#12 keystores (aka .p12 or .pfx) or plain PEM files, and also USB tokens for EV certificates. - Hogback

And yet another option: if you're developing on Windows 10 but don't have Microsoft's signtool.exe installed, you can use Bash on Ubuntu on Windows to sign your app. Here is a rundown:

https://blog.synapp.nz/2017/06/16/code-signing-a-windows-application-on-linux-on-windows/

Pvc answered 16/6, 2017 at 11:24 Comment(1)
osslsigncode is also available under cygwin, so if you are already using that (as I am), then you can sign in your current environment, rather than needing to switch to WSL. - Cliffcliffes
