This article describes how to digitally sign your executable file, mainly a Windows application installer, with a Microsoft Authenticode Digital ID.
Microsoft has, of course, their own signing tools in the SDK, but another option is to use Mono. Mono's signing tools allow us to sign an executable even on a Mac or Linux box. These steps described here assume you're working on Mac.
Download and install the latest version of the Framework. It's open source and free software!
Export your certificate
- Open the Certificate Manager on Windows. Click the Start button and type
certmgr.mscinto the Search box.
- Find the certificate of your organization.
- Right-click on the certificate and select All Tasks > Export.
- In the Certificate Export Wizard, click Next.
- Select "Yes, export the private key" and click Next.
- Check "Include all certificates in the certificate path if possible" and click Next.
- Enter an arbitrary password to protect your secret key and click Next.
- Enter the file name, e.g.
- Complete exporting. A PFX file will be exported on your desktop.
Convert your certificate to SPC/PVK format
With OpenSSL, convert the PFX file to PVK and SPC files. OpenSSL comes with Mac.
openssl pkcs12 -in authenticode.pfx -nocerts -nodes -out key.pem openssl rsa -in key.pem -outform PVK -pvk-strong -out authenticode.pvk openssl pkcs12 -in authenticode.pfx -nokeys -nodes -out cert.pem openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out authenticode.spc
Once you get PVK and SPC files, keep them in safe custody. Delete the PFX and PEM files.
signcode \ -spc authenticode.spc \ -v authenticode.pvk \ -a sha1 -$ commercial \ -n My\ Application \ -i https://www.example.com/ \ -t https://timestamp.verisign.com/scripts/timstamp.dll \ -tr 10 \ MyApp.exe
- Microsoft Authenticode Digital ID Instructions - the official guide by VeriSign
- MSDN: Signing and Checking Code with Authenticode
- Converting a PFX file to SPC and PVK files - Comodo
- Signing an extension