Digital Code Signing, what a chore.
As with some of my other blog posts, this one is all about recording information so that I can refer back to it in the future, should I completely forget how to do something later on. That’s what this post is about: how I got my apps digitally signed.
Starting the process, I went to startssl.com and purchased a level 2 verification for $60.
In the meantime, I had to create a CSR (code signing request or something like that) in order to submit it to startssl.com once my verification was completed.
To create the CSR I needed to download the Windows OpenSSL binaries. Once installed, I opened up a command prompt, navigated to the opensslxxxbin directory, and ran this command:

```
openssl req -new -newkey rsa:4096 -nodes -keyout codesign_privatekey.pem -out codesign_certificate_request.csr -config openssl.cfg
```
I had a hard time with this, as none of the instructions I found on the internet specified the -config parameter, so I kept getting errors that it couldn’t find the configuration (it was asking for openssl.cnf) in some Linux-style path. I found that the config file was, in later versions of OpenSSL, and maybe just on Windows, named openssl.cfg despite what the error was telling me, and it was in fact right there in the bin directory along with everything else.
Once I answered a few questions to match the identification I had submitted to startssl.com (leaving the password blank), I had my .csr file to submit to startssl.com. You merely open the file in Notepad and paste everything, including the header/footer, into their request box when requesting a code signing certificate.
After a while they gave me a cert! I pasted that into a plain text file and named it codesign_certificate.crt.
From there, I’m back to my OpenSSL command prompt. Then, I ran the command:

```
openssl pkcs12 -export -out codesign.pfx -inkey codesign_privatekey.pem -in codesign_certificate.crt
```
Again leaving the password blank, that generated the handy dandy codesign.pfx file. Next, I opened MMC, added the Certificates snap-in for my Windows user account, and opened the Personal tree. Right click > All Tasks > Import, and pointed it to my pfx file to install it. I didn’t enable strong key protection and I marked the cert as exportable…
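The same key → CSR → PKCS#12 sequence as an added shell example (not code from the original post), with two differences worth having: the private key and the .pfx get a passphrase instead of being left blank, and a check confirms that key, CSR and certificate all carry the same public key before anything is imported. The subject name, passphrase and the self-signed stand-in for the CA-issued certificate are constructed for this example.

```shell
#!/bin/sh
# Added example, not the post's own commands. Requires the openssl CLI.
set -eu

# Creates codesign_privatekey.pem, codesign_certificate_request.csr,
# codesign_certificate.crt (self-signed stand-in, constructed) and codesign.pfx
# in $1, protected by passphrase $2, with RSA size $3 (default 4096 as in the post).
make_signing_bundle() {
  dir="$1"; pass="$2"; bits="${3:-4096}"
  mkdir -p "$dir"
  # Encrypted private key (AES-256) instead of "-nodes", which writes it in plaintext.
  openssl genrsa -aes256 -passout "pass:$pass" \
    -out "$dir/codesign_privatekey.pem" "$bits" 2>/dev/null
  # CSR; -subj replaces the interactive questions (subject is constructed).
  openssl req -new -key "$dir/codesign_privatekey.pem" -passin "pass:$pass" \
    -subj "/CN=Example Developer/O=Example Org/C=US" \
    -out "$dir/codesign_certificate_request.csr"
  # Stand-in for the CA-issued cert: self-sign the CSR with the same key.
  openssl x509 -req -in "$dir/codesign_certificate_request.csr" \
    -signkey "$dir/codesign_privatekey.pem" -passin "pass:$pass" \
    -days 365 -out "$dir/codesign_certificate.crt" 2>/dev/null
  # PKCS#12 bundle with an export password rather than an empty one.
  openssl pkcs12 -export -out "$dir/codesign.pfx" \
    -inkey "$dir/codesign_privatekey.pem" -passin "pass:$pass" \
    -in "$dir/codesign_certificate.crt" -passout "pass:$pass"
}

# Digest of a public key fed as PEM on stdin (DER-encoded before hashing).
pubkey_digest() {
  openssl pkey -pubin -outform DER | openssl dgst -sha256
}

# Returns 0 only if key, CSR and certificate share one public key and the
# .pfx opens with the passphrase (its MAC verifies).
check_bundle() {
  dir="$1"; pass="$2"
  k=$(openssl pkey -in "$dir/codesign_privatekey.pem" -passin "pass:$pass" -pubout | pubkey_digest)
  r=$(openssl req -in "$dir/codesign_certificate_request.csr" -pubkey -noout | pubkey_digest)
  c=$(openssl x509 -in "$dir/codesign_certificate.crt" -pubkey -noout | pubkey_digest)
  [ "$k" = "$r" ] && [ "$k" = "$c" ] &&
    openssl pkcs12 -in "$dir/codesign.pfx" -passin "pass:$pass" -nokeys -noout
}
```

A mismatch between the CSR and the key is the usual cause of a .pfx export that fails or a certificate that never pairs with its key in MMC, so the check is worth running before the import step.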
Now it was finally time to sign an app. I used signtool.exe from MS; specifically, I already had it installed along with my VS 2010 installation. So I opened up a command prompt, navigated to the bin directory where signtool.exe was, and ran a command such as this:

```
signtool.exe sign /d "My App Project Name" /du "http://www.website.com/myproject/" /f "%pathtomypfx%codesign.pfx" /t "http://timestamp.verisign.com/scripts/timestamp.dll" /v "myapp.exe"
```
Finally, my app is signed!