TruePersona are authorised resellers of DigiCert, Thawte, GlobalSign, GeoTrust and Rapid SSL products

How to Sign Code
Written by Chris Stone   
Wednesday, 11 October 2006 22:13

How to Sign

When you sign a file, signtool appends a signature block to it: a PKCS #7 SignedData structure, typically a few kilobytes, stored in the PE file's attribute certificate table. It carries the signed hash of the file, your certificate chain and (optionally) a timestamp countersignature. When Windows or the browser checks the file it does not send the file to the CA. It recomputes the file's hash locally, compares it with the hash inside the signature, and validates the certificate chain up to a root it already trusts (DigiCert, Thawte, GlobalSign, GeoTrust and others). The only network contact with the CA is the optional revocation check (CRL or OCSP) for the certificates in the chain.
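The Python script below is an added example, not code from this page or from Microsoft's signing tools. It makes the "block appended to the end of the file" concrete: it builds a constructed, non-loadable PE32 image in memory, appends a placeholder WIN_CERTIFICATE entry the way signtool does, reads it back through the security data directory, and shows that the Authenticode hash of the file is unchanged by the attachment while a plain hash of the whole file is not. The image layout, the placeholder DER blob and the simplified hashing rule (no re-ordering of sections) are assumptions of the example.

```python
# Added example (not code from the TruePersona page or from Microsoft's tools):
# where the Authenticode signature block lives in a PE file and which bytes it
# leaves out of the signed hash. The PE image is constructed in memory and is
# not loadable; the PKCS #7 blob is a placeholder, not a real signature.
import struct
import hashlib

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data-directory slot of the cert table
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # bCertificate holds PKCS #7 SignedData


def _excluded_offsets(pe):
    """File offsets of the two header fields Authenticode never hashes:
    OptionalHeader.CheckSum and the security data-directory entry."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                   # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                        # PE32: data directories at +96
        data_dirs = opt + 96
    elif magic == 0x20B:                      # PE32+: data directories at +112
        data_dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return opt + 64, data_dirs + IMAGE_DIRECTORY_ENTRY_SECURITY * 8


def find_certificate_table(pe):
    """Return (offset, dwLength, wRevision, wCertificateType, blob) for the
    first WIN_CERTIFICATE entry, or None if the file carries none."""
    _, secdir_off = _excluded_offsets(pe)
    table_off, table_size = struct.unpack_from("<II", pe, secdir_off)
    if table_off == 0 or table_size == 0:
        return None
    if table_off + table_size > len(pe):
        raise ValueError("certificate table runs past end of file")
    length, revision, cert_type = struct.unpack_from("<IHH", pe, table_off)
    if length < 8 or length > table_size:
        raise ValueError("bad WIN_CERTIFICATE dwLength")
    return table_off, length, revision, cert_type, pe[table_off + 8:table_off + length]


def authenticode_hash(pe, algo="sha256"):
    """Digest as Authenticode computes it: everything except the CheckSum field,
    the security directory entry and the certificate table. Simplified: the full
    rule also walks sections in raw-offset order, which changes nothing for a
    contiguous file whose table is last (the layout signtool writes)."""
    checksum_off, secdir_off = _excluded_offsets(pe)
    table_off, table_size = struct.unpack_from("<II", pe, secdir_off)
    h = hashlib.new(algo)
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:secdir_off])
    h.update(pe[secdir_off + 8:table_off or len(pe)])
    if table_off:
        h.update(pe[table_off + table_size:])  # data after the table, normally none
    return h.hexdigest()


def attach_signature(pe, pkcs7):
    """Append a WIN_CERTIFICATE carrying `pkcs7` and point the security
    directory at it: the edit signtool makes to an unsigned file."""
    if find_certificate_table(pe) is not None:
        raise ValueError("file already carries a certificate table")
    if pkcs7[:1] != b"\x30":
        raise ValueError("PKCS #7 SignedData must be a DER SEQUENCE")
    _, secdir_off = _excluded_offsets(pe)
    image = bytearray(pe) + b"\0" * (-len(pe) % 8)        # table is 8-byte aligned
    entry = struct.pack("<IHH", 8 + len(pkcs7), WIN_CERT_REVISION_2_0,
                        WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
    entry += b"\0" * (-len(entry) % 8)                     # entries padded to 8 bytes
    struct.pack_into("<II", image, secdir_off, len(image), len(entry))
    return bytes(image + entry)


def build_test_pe(payload):
    """Constructed minimal PE32 image: DOS header, PE signature, COFF header,
    PE32 optional header with 16 data directories, one section with `payload`."""
    file_align = 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, file_align)           # Section/FileAlignment
    struct.pack_into("<I", opt, 60, file_align)                    # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    raw_size = -(-len(payload) // file_align) * file_align
    section = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                          raw_size, file_align, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    headers += b"\0" * (file_align - len(headers))
    return headers + payload + b"\0" * (raw_size - len(payload))


if __name__ == "__main__":
    unsigned = build_test_pe(b"constructed payload, not real code")
    placeholder = b"\x30\x82\x01\x00" + b"\xAA" * 0x100   # fake DER SEQUENCE, 260 bytes
    signed = attach_signature(unsigned, placeholder)
    off, length, rev, ctype, blob = find_certificate_table(signed)
    print("certificate table at 0x%x: dwLength=%d rev=0x%x type=%d" % (off, length, rev, ctype))
    print("whole-file sha256 differs:", hashlib.sha256(unsigned).digest() != hashlib.sha256(signed).digest())
    print("authenticode hash unchanged:", authenticode_hash(unsigned) == authenticode_hash(signed))
```

To inspect a real signed executable, read it with open(path, "rb").read() in place of build_test_pe: find_certificate_table then returns the genuine PKCS #7 blob (which starts with a DER SEQUENCE, 0x30), and authenticode_hash gives the digest that the signature's SpcIndirectDataContent must match. Note that the same exclusion rule is what lets an attacker append data after the certificate table without breaking the signature, which is why verifiers also check that the table ends at the end of the file.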

Getting started

How to get started with code signing?

The set of tools described here was released with Microsoft Visual Studio 2005.

The tools ship with Visual Studio 2005 and with the Platform SDK (later renamed the Windows SDK). To download the SDK, visit the Microsoft Web site: http://msdn.microsoft.com

After you install the SDK, the code signing tools are on your PC. The following files are of interest to us:

  • signtool.exe
  • makecert.exe
  • cert2spc.exe
  • pvk2pfx.exe

All the above tools are small console programs that should be run from a command prompt. Each expects its own command-line options, as shown in the sections below.

Public Certificate

Where to get a Public Certificate?

To be able to sign your code you will need a certificate. Certificates are issued by Certificate Authorities (CAs). There are many; you can get a full list of the CAs whose roots Windows trusts from the Microsoft Root Certificate Program Members page. TruePersona™ can supply code signing certificates issued by the major CAs.

Acquiring a certificate from TruePersona™ is an easy and straight forward process. You provide sufficient information to enable TruePersona™ to identify you or your organization and then a certificate is issued.

If you do not want to go to the expense of buying a public certificate, you can begin with a test certificate. The test certificate can be used to sign your program for a test run. A program signed with a test certificate should never be distributed publicly: it chains to a root that no customer's machine trusts, so Windows will report it as coming from an unknown publisher.

Test Certificate

How to create a Test Certificate?

The following command line may be used to create a Test Certificate (CER) file:

makecert.exe -sv persona.pvk -n "CN=TruePersona Ltd." persona.cer

At the end of this process you will have the following 2 files:
  • persona.pvk - the "Private Key" file; makecert generates a new key pair and writes the private half here.
  • persona.cer - the certificate itself: your public key and subject name, signed by makecert's built-in "Root Agency" test root.

When it runs, makecert.exe opens a dialog asking for a password. Enter a password to protect your "Private Key"; you will need it again when you run pvk2pfx.

Because the "Root Agency" test root is not trusted by any machine, a file signed with this certificate will verify only with an untrusted-root warning. That is the expected result for a test certificate.

Create Software Publishing Certificate

How to create a Software Publishing Certificate?

The "Software Publishing Certificate" (*.SPC file) is a PKCS #7 bundle of certificates. It is created from the certificate file (*.CER) you created in the previous step and contains no private key.

The following command is used to create the "Software Publishing Certificate" (SPC) file:

cert2spc.exe persona.cer persona.spc

At the end of this process you will have one new file:
  • persona.spc - a "Software Publishing Certificate" file.

cert2spc.exe only repackages the public certificate, so it does not read the private key and does not ask for a password. If you buy a certificate from a CA, the CA normally delivers the SPC file itself and this step is not needed.

Purchase Software Publishing Certificate

How to purchase a Software Publishing Certificate?

You can purchase a certificate from TruePersona.

TruePersona can create the certificate for you, or you can create your own through the website link provided by us. When you click the [Buy] button, you will go through a process that includes the following steps:

  • Enter your personal and company details.
  • Pay for the certificate.
  • Run a special applet that creates a Private Key file (*.PVK) on your computer.

During the creation of the Private Key file you will be prompted for a password. Remember this password: you will need it later when you sign your application. Also copy the Private Key file to a safe place; anyone who obtains the PVK file and its password can sign code in your name.

When creating the Private Key file on your computer, the applet also generates the corresponding public key, which is what is sent to the CA for certification.

It is then necessary to verify and approve your organization and domain. This process usually takes a few days. During this time you may be approached by telephone or other means and asked for proof of identity.

When the verification process is concluded you will receive a link to a Certificate File (*.SPC). Download this file and do the following:

  • Copy the *.PVK file and the *.SPC file to a common directory.
  • Rename both files so that they have the same name (but different extensions). This is for convenience only; the pvk2pfx command in the next section names both files explicitly.
The procedure described above may vary in detail from one CA to another.

Personal Information Exchange

How to create a Personal Information Exchange file?

The following command line may be used to create a "Personal Information Exchange" (PFX) file:

pvk2pfx -pvk persona.pvk -pi Pass1 -spc persona.spc -pfx persona.pfx -po Pass2 -f

At the end of this process you will have one new file:
  • persona.pfx - a "Personal Information Exchange" (PKCS #12) file holding both the private key and the certificate.
The program "pvk2pfx.exe" expects 2 passwords: Pass1 & Pass2:
Pass1: - Provide the same password you used when creating the Private Key (PVK) file.
Pass2: - Provide a new password to protect the PFX file.

   * For security reasons it is recommended that Pass2 be different from Pass1.
   * Passwords typed on the command line end up in the console history and are visible to other users in the process list while the command runs. If you omit -pi, pvk2pfx prompts for the PVK password instead; if you omit -po, the PFX is given the same password as the PVK.
   * The PFX file is a complete signing identity. Protect it like the PVK file, and delete copies of the PVK and SPC that you no longer need.

Sign Your Code

How to sign your code?

You can use signtool.exe to sign your code. 

The following commands may be used to sign your code (cmd.exe syntax; there must be no spaces around the = in set, or the variable name and value pick up the spaces):

set File=true.exe
set TimeURL=http://timestamp.verisign.com/scripts/timstamp.dll
signtool.exe sign /f persona.pfx /p Pass2 /v /t %TimeURL% "%File%"

At the end of this process the program file "true.exe" in this example will be signed.

As can be seen, this command expects the following parameters:

persona.pfx: The Personal Information Exchange file.
Pass2: The second password you used when creating the PFX file.
File: The file name of the executable you want to sign. Options come first and the file name(s) last.
TimeURL: The URL of a time stamping service. VeriSign provided this one free of charge when this article was written; use the timestamp URL your CA currently publishes. The timestamp countersignature records when the file was signed, so the signature remains valid after your certificate expires. Without it, the signature is only trusted while the certificate is within its validity period.

The /p password has the same exposure as the pvk2pfx passwords above. Instead of carrying the PFX file around in scripts, you can import it once into your personal certificate store and select it with /n "TruePersona Ltd." (subject name) or /sha1 followed by the certificate thumbprint, which keeps the password out of build scripts.

Verify your Digital Signature

How to verify your digital signature?

This can be accomplished using signtool.exe.

The following commands may be used to verify your digital signature (the set and the signtool call are two separate lines):

set File=true.exe
signtool.exe verify /pa /v /a "%File%"

Without /pa, signtool applies the Windows driver verification policy and rejects an ordinary code signing certificate. /pa selects the default Authenticode policy, /a lets signtool look in catalog files as well as at the embedded signature, and /v prints the signer chain and timestamp details. signtool exits with 0 on success, 1 on failure and 2 if it succeeded with warnings, so the command can gate a build script.

As can be seen, this command expects only one parameter: the name of the file under test. For a file signed with a makecert test certificate, verification still ends with an untrusted-root error unless the test root has been installed; that is the expected result.

Verify using Properties

You can also use the following method to verify your digital signature:
  • Open Explorer.
  • Browse to the file you just signed.
  • Right Click the file name and select "Properties".

Explorer will present you with the properties dialog of the file.
This properties dialog will include a new tab "Digital Signatures".
You can now read the details of the signature in this tab.

Further Information

Use the following links to learn more about Code Signing and Authenticode

Last Updated on Monday, 22 December 2008 23:12
Copyright © 2010 TruePersona. All Rights Reserved.