Windows code-signing in 5 minutes or less
Note: this might be unsafe - only use this as a quick reference if you know what you’re doing.
Create the self-signed certificate
Save this into ssl.cfg or similar.
[req]
distinguished_name = req_distinguished_name
req_extensions = default_req_extensions
[req_distinguished_name]
# empty
[default_req_extensions]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation
extendedKeyUsage = critical, codeSigning, msCodeInd, msCodeCom
Make the certificate and private key
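ssl.cfg refers to the file created above. Adjust the subject as necessary. The leading double slash in -subj keeps Git Bash (MSYS) from rewriting the subject as a Windows path.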
openssl req -x509 -newkey rsa -keyout testkey.pem -nodes -days 3650 -sha256 -config ssl.cfg -subj "//CN=Demo code-signing certificate" -out testcert.pem
You can get OpenSSL in either Git for Windows or Cmder.
Create a PFX and import it into your personal certificate store
openssl pkcs12 -export -inkey testkey.pem -in testcert.pem -out testpfx.pfx -nodes -passout pass:
Open mmc.exe, add the Certificates snap-in and select My user account, then right-click on the Personal trust store and select Import.
Import the certificate into the system’s trust store
In the previously opened window, right-click on Trusted Root Certification Authorities and import the certificate (and not the PFX, which includes the private key).
Remove the user-specific certificates snap-in and add a Computer account certificates snap-in, then do as outlined above to import the certificate.
Sign some code
"C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe" sign mybinary.exe
You can get signtool from Microsoft’s Windows 7 SDK.
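To check the result of the steps above from PowerShell, the following script is an added example and not part of the original page. It assumes testcert.pem and mybinary.exe from the steps above are in the current folder; the function name Remove-TestSigningCert is made up for illustration.

```powershell
# Added example. File names follow the page; run from the folder that holds them.
$certPath = Join-Path (Get-Location) 'testcert.pem'
$binary   = Join-Path (Get-Location) 'mybinary.exe'
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

# Load the public certificate only (the private key is not touched here).
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)

# 1. Does the certificate carry the code-signing EKU? With no EKU extension
#    at all, the certificate is not restricted to any purpose.
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$ekuOids = @()
if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

# 2. Was the binary signed by this certificate, and does Windows accept the chain?
$sig = Get-AuthenticodeSignature -FilePath $binary
$signedByTestCert = $sig.SignerCertificate -and
    ($sig.SignerCertificate.Thumbprint -eq $cert.Thumbprint)

# 3. Which of the stores used on the page currently hold the test certificate?
$stores  = 'Cert:\CurrentUser\My', 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'
$present = $stores | Where-Object { Test-Path (Join-Path $_ $cert.Thumbprint) }

[pscustomobject]@{
    Subject          = $cert.Subject
    Thumbprint       = $cert.Thumbprint
    EkuOids          = $ekuOids -join ', '
    HasCodeSigning   = $ekuOids -contains $codeSigningOid
    SignatureStatus  = $sig.Status          # 'Valid' once the root is trusted
    SignedByTestCert = [bool]$signedByTestCert
    PresentInStores  = $present -join ', '
} | Format-List

# Cleanup after testing: remove the test certificate from the stores above.
# LocalMachine needs an elevated prompt; add -WhatIf to preview without deleting.
function Remove-TestSigningCert {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Thumbprint, [string[]]$Store = $stores)
    foreach ($s in $Store) {
        $path = Join-Path $s $Thumbprint
        if (Test-Path $path) {
            # -DeleteKey also removes the imported private key (only present in My).
            Remove-Item $path -DeleteKey:($s -like '*\My')
        }
    }
}
```

Run Remove-TestSigningCert -Thumbprint $cert.Thumbprint -WhatIf first to see which store entries would be removed.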