We're starting to sign some custom code, and I was looking for a quick and easy way to sign from Linux, since only one of our dev's use windows most of the time I needed a snazzy/easy way to sign from Linux workstations.
I'll drop this here for everyone since I spent a TON of time researching and trying it the mono way with
signcode, and failed miserably every time I tried it.
osslsigncode works extremely well.
Install osslsigncode using yum or apt:
sudo apt-get install osslsigncode sudo yum install osslsigncode
For our purpose, we will use a self signed key, to generate:
openssl req -x509 -newkey rsa:4096 -keyout key-hotlines.pem -out cert-hotlines.pem -days 365
Now, to sign the executable:
osslsigncode sign -certs "cert.pem" -key "key.pem" -pass "PaSSw0Rd1!" -n "MyApp 1.2" -i "https://www.mysite.com" -t "http://timestamp.comodoca.com/authenticode" -in "app.exe" -out "signed-app.exe"
What it all means
osslsigncode = signing application "sign" = tells osslsigncode to sign -certs = certificate file -key = key file -pass = decryption key you set on the certificate -n = application name -i = site address -t = timestamp -in = compiled, non signed executable -our = signed executable
Verification is easy!
osslsigncode verify signed-app.exe
should end with a certificate dump and
succeeded if all goes well and it's signed, or "No Signature Found" if the application is not signed. Be careful, even if you are unable to see signatures, the command still ends with
Should I do an EV/OV Signing cert?
We plan on getting a valid certificate soon, as a self-signed cert will work given enough time, but an EV cert will be trusted by windows smart screen immediately. If you do a self signed, expect needing hundreds of installs before your software can be trusted on Windows. A signing cert can be had for $200(OV) to $300(EV).
How do you guys sign your code? I tried a few different ways and it always failed miserably! But this seems to work perfectly, so I'm sticking it in my site for when I need it again.