5.00/5 (1 vote)
Hi,

I wrote a program (it simply copies some DLLs to a location), but unfortunately Bit-defender virus is giving it a pop-up showing that it is not digitally signed!!!

Can anyone tell me the step-by-step process?
VeriSign is one way to do this, but I do not want to pay for it.

Thanks

NOTE: Please add a comment if you know the process to do this; no need to give me suggestions like how to improve my posting or anything foolish like that!!
Posted
Updated 20-Feb-13 4:38am
v2

1 solution

A certificate is purchased from a certificate authority (like VeriSign) because the certificate authority verifies your identity and the certificate they issue to you points to their certificate authority certificate that is already installed on PCs. It is a best practice to buy your signing certificate.

If you do not want to buy a certificate, then you must create your own certificate authority and a signing certificate derived from it. The certificate authority certificate must be installed on all of the PCs that will run your application. Many system administrators will not want to do this. If you are the system administrator for all of the PCs that will run your application, then it is something you may decide to do.

In all of the instructions below, replace COMPANYNAME with an abbreviation of your company name (like TATA, XEROX, IBM, HP, IAD, etc.)

I did this from memory so I hope it works for you. I don't claim to be an expert in this topic. But, after a lot of research and experimentation this process worked for me recently.

1. Create Certificate Authority Certificate
C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\makecert -n "CN=COMPANYNAME" -cy authority -a sha1 -sv "COMPANYNAME.pvk"  -r  "COMPANYNAME.cer"  

This will ask you for a password. Don't forget it!

2. Open MMC (Run mmc.exe)
* Click File then "Add/Remove Snap-in"
* Select Certificates from the left list, click "Add".
* Select "My user account", Click Finish
* Select Certificates from the list again and "Add" it
* Select "Computer account".
* Save This configuration of MMC (File, then Save) as "Certificates.msc" in the Start Menu, Programs, Administrative Tools directory so that you can access it in the future.

3. Install the new certificate authority certificate into the trusted store (Certificates (Local Computer) / Trusted Root Certification Authorities / Certificates) of the computer that will do the signing and all of the computers that will run your application.
* Double-click Certificates (Local Computer)
* Right click on "Trusted Root Certification Authorities". Select "All Tasks", then "Import".
* Select the new certificate (*.cer), and place it into "Trusted Root Certification Authorities".
The computer now implicitly trusts all certificates signed by that new certificate authority.

4. Create a signing certificate that is derived from the new certificate authority and store it in the Certificates - Current User / Personal / Certificates store on the PC that will do the signing. You do not have to install this certificate on your users' computers.
C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\makecert -n "CN=COMPANYNAME Software" -ic "COMPANYNAME.cer" -iv "COMPANYNAME.pvk" -a sha1 -sky exchange -pe -sr currentuser -ss my "COMPANYNAMESoftware.cer"

This will ask you for a password with which to lock the new private key you are creating for this certificate.
It will also ask you for the password to the certificate authority's private key from Step 1 above.
* Right click on "Personal" in "Certificates - Current User". Select "All Tasks", then "Import". Select the new certificate "COMPANYNAMESoftware.cer".

5. Create a BAT file in C:\BAT named SIGNCODE.BAT that contains this:
@ECHO OFF
REM create an array of timestamp servers...
REM The SET statement should be all on one line.
SET SERVERLIST=(http://timestamp.comodoca.com/authenticode http://timestamp.verisign.com/scripts/timstamp.dll http://timestamp.globalsign.com/scripts/timestamp.dll http://tsa.starfieldtech.com)

REM sign the file...
C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\signtool.exe sign /n "COMPANYNAME Software" %1

set timestampErrors=0
for /L %%a in (1,1,300) do (

    for %%s in %SERVERLIST% do (
        Echo Try %%s
        REM try to timestamp the file. This operation is unreliable and may need to be repeated...
        C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\signtool.exe timestamp /t %%s %1

        REM check the return value of the timestamping operation; on failure, try the next server.
        REM the outer loop allows up to 300 passes over the server list...
        if ERRORLEVEL 0 if not ERRORLEVEL 1 GOTO succeeded

        echo Timestamping failed. Probably cannot find the timestamp server at %%s
        set /a timestampErrors+=1

        Rem Wait 6 seconds
        choice /N /T:6 /D:Y >NUL
    )

    REM wait 12 seconds...
    choice /N /T:12 /D:Y >NUL    
)

REM return an error code...
echo sign.bat exit code is 1. There were %timestampErrors% timestamping errors.
exit /b 1

:succeeded
REM return a successful code...
echo sign.bat exit code is 0. There were %timestampErrors% timestamping errors.
exit /b 0


6. Sign the program
In a CMD Window, navigate to the directory that contains the program to be signed and run the BAT file.
C:\BAT\SIGNCODE.BAT SETUP.EXE

where "SETUP.EXE" is the program to be signed.
 
v2
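
A check to run on a target PC after steps 3 and 6, added here as an example and not part of the original answer: it reports whether the signature validates, whether the chain ends in the private root from step 1 and that root is installed in the machine store, and whether SIGNCODE.BAT actually obtained a timestamp. The function name Test-PrivateCaSignature and the parameter defaults are assumptions; COMPANYNAME and SETUP.EXE are the placeholders used in the answer.

```powershell
# Added example (not from the original answer). Defaults are the answer's placeholders.
param(
    [string]$Path = '.\SETUP.EXE',
    [string]$ExpectedRootSubject = 'CN=COMPANYNAME'
)

function Test-PrivateCaSignature {
    param([string]$Path, [string]$ExpectedRootSubject)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $problems = @()
    if ($null -eq $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status
                                  Problems = @('File carries no Authenticode signature') }
    }

    # 'Valid' requires the chain to end in a root this machine trusts (step 3).
    if ($sig.Status -ne 'Valid') {
        $problems += "Signature status is $($sig.Status): $($sig.StatusMessage)"
    }

    # Build the chain to see which root it ends in; revocation lookup is
    # skipped here because this is a private CA (an assumption of this example).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($sig.SignerCertificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Subject -ne $ExpectedRootSubject) {
        $problems += "Chain ends in '$($root.Subject)', expected '$ExpectedRootSubject'"
    }
    $installed = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    if (-not $installed) { $problems += 'Chain root is not in LocalMachine\Root' }

    # If every timestamp server failed, the file is signed but not timestamped,
    # and the signature stops validating once the signing certificate expires.
    if ($null -eq $sig.TimeStamperCertificate) {
        $problems += "No timestamp; signature lapses on $($sig.SignerCertificate.NotAfter)"
    }

    # The makecert commands use -a sha1; SHA-1 is deprecated for code signing.
    $alg = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
    if ($alg -match 'sha1') { $problems += "Signing certificate uses $alg" }

    [pscustomobject]@{ Path = $Path; Status = $sig.Status; Problems = $problems }
}

Test-PrivateCaSignature -Path $Path -ExpectedRootSubject $ExpectedRootSubject |
    Format-List
```

An empty Problems list means the file is trusted on that PC for the reasons the answer describes; any entry names the step to revisit.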
Comments
Andreas Gieriet 20-Feb-13 11:49am    
My 5! Post it as a tip!
Cheers
Andi
iDebD 6-Apr-13 12:05pm    
Can anyone elaborate on the 3rd step? I am stuck here.
iDebD 6-Apr-13 14:35pm    
I am signing a Setup.exe here... that is Smart Installer... it is signing but making the installer corrupted... any clue why?
Mike Meinz 6-Apr-13 18:45pm    
Sorry, I have never heard of or experienced that kind of problem. I regularly sign SETUP.EXE programs that are generated by the InstallShield Limited Edition software that is freely downloadable for registered purchasers of Visual Studio 2012. Maybe your SETUP.EXE has some sort of anti-tampering code that prevents signing. You could try asking the vendor of that software.
iDebD 6-Apr-13 22:55pm    
Yeah Mike, this thing is happening only for "Smart Installer"... I was checking 'InstallShield Limited Edition', but it is integrated with VS; I want a separate one that can be installed and used on its own. InstallShield Limited Edition is really a good option; if I find that it is not simple, I will have to use it.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


