After reading my other post on Digitally Signing .NET Assemblies, someone recently emailed me to ask how I actually digitally sign assemblies using Authenticode certificates (aka "code signing IDs", "digital certificates", or "software publisher certificates"). So I thought I'd describe what I've used in a build script to sign an assembly, verify the signature after signing it, and link to some related information. Below is the command line I use in a build script to Authenticode-sign assemblies:
"%DOTNETSDK_DIR%\Bin\signcode" -n "%AUTHENTICODE_NAME%" -i www.mywebsite.com -spc "%AUTHENTICODE_CERTFILE%" -v "%AUTHENTICODE_PRIVATEKEYFILE%" -t http://timestamp.verisign.com/scripts/timstamp.dll "%AUTHENTICODE_FILETOSIGN%"
Obviously the values in all capital letters surrounded by percent signs are variables in the script. I've left them in because I figured the variable names are more informative than example values anyway. For the record: -n is the description shown to the user, -i the URL shown alongside it, -spc the software publisher certificate file (.spc), -v the private key file (.pvk) that matches it, and -t a timestamp server; the timestamp matters because a timestamped signature stays valid after the certificate expires, while an untimestamped one does not. Two practical caveats: the .pvk is the private key, so keep it out of source control and restrict it to the build machine, and if it is password-protected signcode asks for the password in a dialog box, which will hang an unattended build. Signcode.exe is included with the .NET Framework SDK (hence the %DOTNETSDK_DIR%\Bin path above), as are the rest of the tools referenced below, and the following link points to some documentation on the signcode.exe (aka "File Signing Tool") tool referenced above: File Signing Tool (Signcode.exe) Documentation
Immediately after executing the signcode tool on a file using the command shown above, the command below is used to run chktrust.exe ("Certificate Verification Tool") on the same file to verify that signcode did its job correctly. If chktrust indicates an error, the build script is set up to stop and fail the build.
"%DOTNETSDK_DIR%\Bin\chktrust" -q "%AUTHENTICODE_FILETOSIGN%"
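Here is the sign-then-verify sequence above as a complete batch fragment with the error handling I described. This is an added example, not the actual build script from the post; it assumes the same environment variables the two command lines use (DOTNETSDK_DIR, AUTHENTICODE_NAME, AUTHENTICODE_CERTFILE, AUTHENTICODE_PRIVATEKEYFILE), that the file to sign is passed as the first argument, and that both tools return a non-zero exit code on failure, which is what the build-stop behaviour relies on.

```batch
@echo off
rem Added example (not the post's own build script): Authenticode-sign one
rem file, then verify the result, and fail the build if either step fails.
rem Assumed variables, as in the post: DOTNETSDK_DIR, AUTHENTICODE_NAME,
rem AUTHENTICODE_CERTFILE (.spc), AUTHENTICODE_PRIVATEKEYFILE (.pvk).
rem Usage: sign_and_verify.cmd path\to\assembly.dll
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 file-to-sign
    exit /b 2
)
set "FILETOSIGN=%~1"

rem Step 1: sign. -t adds a timestamp so the signature stays valid after the
rem certificate itself expires; without it the signature dies with the cert.
"%DOTNETSDK_DIR%\Bin\signcode" -n "%AUTHENTICODE_NAME%" -i www.mywebsite.com -spc "%AUTHENTICODE_CERTFILE%" -v "%AUTHENTICODE_PRIVATEKEYFILE%" -t http://timestamp.verisign.com/scripts/timstamp.dll "%FILETOSIGN%"
if errorlevel 1 (
    echo ERROR: signcode failed on "%FILETOSIGN%"
    exit /b 1
)

rem Step 2: verify with a second tool rather than trusting signcode's exit
rem code alone. -q is quiet mode (no dialog); a non-zero exit code means the
rem file is unsigned, the signature does not match, or the chain is untrusted.
"%DOTNETSDK_DIR%\Bin\chktrust" -q "%FILETOSIGN%"
if errorlevel 1 (
    echo ERROR: chktrust rejected "%FILETOSIGN%"
    exit /b 1
)

echo Signed and verified: "%FILETOSIGN%"
endlocal
exit /b 0
```

Checking the signature with chktrust after signing catches the case where signcode reports success but the resulting signature does not chain to a trusted root on the build machine, which is exactly the situation you get with a test certificate.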
Documentation on chktrust.exe is at the following link:
Certificate Verification Tool (Chktrust.exe) Documentation
I believe one can use makecert.exe (aka "Certificate Creation Tool") in combination with cert2spc.exe (aka "Software Publisher Certificate Test Tool") to generate certificates to test with: makecert creates a self-signed certificate and writes its private key to a .pvk file, and cert2spc wraps the resulting .cer into the .spc container that signcode's -spc option expects. But I must warn you I have not tried it. When using a test certificate, since the issuer (you) is not trusted (it's not that they don't trust you, you're just not that well known), it won't be considered a "valid" certificate in most cases, so ultimately you should get a good one from Verisign. I think other certificate authorities can issue them, such as thawte, but you'll need to check the default trusted root certificate authorities in your environment, and I've only used Verisign. Some docs on makecert.exe and cert2spc.exe are below:
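For anyone who wants to try the test-certificate route, the batch fragment below walks through it end to end. It is an added example, not something from the post (and, as noted above, the post's author has not tried this path); it assumes DOTNETSDK_DIR points at the .NET Framework SDK, that the file to sign is the first argument, and uses the documented makecert options -r (self-signed), -n (subject name), -sv (write the private key to a .pvk) and -eku with the code-signing OID 1.3.6.1.5.5.7.3.3. The output file names are made up for the example.

```batch
@echo off
rem Added example (not the post's script): make a self-signed test
rem certificate with makecert, bundle it into an .spc with cert2spc, then
rem sign and check a file with it. File names below are invented.
rem Usage: test_sign.cmd path\to\assembly.dll
setlocal
set "SDKBIN=%DOTNETSDK_DIR%\Bin"
set "TESTCER=TestPublisher.cer"
set "TESTPVK=TestPublisher.pvk"
set "TESTSPC=TestPublisher.spc"

if "%~1"=="" (
    echo Usage: %~nx0 file-to-sign
    exit /b 2
)

rem -r: self-signed; -n: subject; -sv: private key to .pvk (makecert asks
rem for an optional password); -eku: Code Signing EKU, without which the
rem certificate is not usable for Authenticode at all.
"%SDKBIN%\makecert" -r -n "CN=Test Publisher (not trusted)" -sv "%TESTPVK%" -eku 1.3.6.1.5.5.7.3.3 "%TESTCER%"
if errorlevel 1 (
    echo ERROR: makecert failed
    exit /b 1
)

rem Wrap the X.509 certificate into the PKCS#7 .spc container signcode wants.
"%SDKBIN%\cert2spc" "%TESTCER%" "%TESTSPC%"
if errorlevel 1 (
    echo ERROR: cert2spc failed
    exit /b 1
)

rem Sign with the test key. No -t here: a public timestamp adds nothing to a
rem throwaway test signature, and skipping it keeps the test offline.
"%SDKBIN%\signcode" -n "Test build" -spc "%TESTSPC%" -v "%TESTPVK%" "%~1"
if errorlevel 1 (
    echo ERROR: signcode failed
    exit /b 1
)

rem chktrust can confirm the file carries a signature that matches its
rem contents, but because the issuer is self-signed and not in the machine's
rem Trusted Root store it is expected to report the publisher as untrusted.
rem That failure is the "not well known" case the post describes, not a
rem signing bug, so it is reported but does not abort this test script.
"%SDKBIN%\chktrust" -q "%~1"
if errorlevel 1 echo NOTE: chktrust does not trust the test issuer (expected for a self-signed certificate)
endlocal
exit /b 0
```

The useful thing this exercise shows is that "signed" and "trusted" are separate properties: signcode will happily produce a signature with any key, and it is the verifier's root store, not the signature, that decides whether the result means anything to users.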
To satisfy my own curiosity I read through some related articles while looking into this stuff again. In case anyone is interested I've put the links below:
posted @ Friday, May 20, 2005 11:37 PM