I also skipped using the timestamp while signing as thinking that when setup.exe is signed and verifier.exe are different in my case (as I’ll be building setup.exe after signing verifer.exe) but it didn’t help.
If I sign either of the two everything works fine and the install is completed. This is a strange issue as when I sign, both, the exe contacting server (further refereed as verifier.exe) and the main (parent) exe (further refereed as setup.exe), verifier.exe cannot contact server and the installer is at a standstill during installation. I’m trying to add digital signature to an exe that contains other exes files.Īll of the exes work great except one that tries to contact server to validate a unique key (unique key is input key from user and is provided by me) REM * certutil -addstore -f -enterprise -user root D:\ia.p12 > NULĬomment by Fetha - Monday 22 February 2016 0:05 REM (But I tried and think this is note necessary) REM THE FOLLOWING LINE GETS AN ERROR ON WINDOWS 7, 8 and 10 REM * certutil -addstore -f -enterprise -user root D:\ia.crt > NUL REM * certutil -addstore -f -enterprise -user root D:\ca.crt > NUL REM IF YOU WANT TO SEE THE PROCESS REMOVE REM * FROM LINES BELLOW
REM To see the certutil commands edit a bat file with the command: REM Press Windows+R or click on Window RUN REM ? Is there a way to hide this Gui por automate the confirmation ? REM privilegies, BUT the prompt Gui for confirmation will be shown. REM If we remove the -enterprise, we can run the. REM Edit a “StoreKeys.bat” and copy the script bellow:Ĭertutil -addstore -f -enterprise -user root C:\ca.crt > NULĬertutil -addstore -f -enterprise -user root C:\ia.crt > NULĬertutil -addstore -f -enterprise -user root C:\ia.p12 > NUL
REM in Windows Vista and Windows 7 – WINDOWS XP it is necessary CERTUTIL earlier version.
REM We will use the “CERTUTIL.EXE” which exists under c:\windows\system32 folder
I’am trying to automate the store task, and with the code bellow, almost getting. Your Generate certificates page is great. If you didn’t make a backup of notepad.exe and want to remove the signature, use my digital signature tool disitool. But if you check this signature on another machine or with another account (which doesn’t trust our root CA), we’ll get a warning that although the signature is valid, we don’t trust the root CA: This certificate is OK because we installed the root CA certificate in our certificate store. It’s easy to add one, for example using Verisign’s timestamp service: (of course, using this option requires Internet access).įinally, click finish for the wizard to do its work:įrom now on, notepad.exe’s properties displays a Digital Signatures tab: Select the certificate with key we installed: use Select from Store…īy default, the signature doesn’t include a timestamp signed by an external authority (a counter-signature). We’ll use the default options presented by the wizard (except for the timestamp): Actually, notepad is not signed by Microsoft with an embedded signature, but using a security catalog. When you sign an executable that is already signed, the existing signature is overwritten. Now start signtool from a command-line like this: signtool signwizard.įor the purposes of this howto, we’ll sign notepad.exe. And you also need to install this root CA certificate if you want to automatically trust all certificates issued by this root CA (or its subordinate CAs). It is not necessary to install this root CA certificate for code signing purposes, but if you don’t, signtool will not include the root CA certificate in the certificate chain. Double-click the file and let the wizard do its work with the default option:īecause the wizard will also install the root CA certificate found in the PKCS12 file, it will ask you if you trust it.
I use signtool in my makefile with command line options to automatically sign compiled code, but in this howto, I’ll show the interactive use.įirst we will install the certificate with key we’ll use to sign code.
To obtain signtool, download the platform SDK or the. You’ll need to create your own certificate and key (or buy one) to sign code.
This howto shows you how to use signtool. Signtool.exe is the default Windows development tool to add a digital signature (Authenticode) to Windows executables ( PE files).