[zz]How to sign .EXE, .DLL and .CAB files?

https://www.ascertia.com/helpdesk/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=14

 

How to sign .EXE, .DLL and .CAB files?
Solution

Product Versions: Certificate Centre

Operating System: Microsoft Windows

Creation Date: 2009-03-16

Revised Date: -

Description

To sign a DLL, CAB or EXE file, use the SIGNTOOL.EXE utility included in the platform SDK for Microsoft Windows 2000/XP/2003 (if required download from here).

SignTool requires that the CAPICOM 2.0 redistributable be installed on the local computer. The CAPICOM 2.0 redistributable is available here. You will also need a digital code signing certificate from Ascertia. If you require web-browser-rooted / OS-trusted certificates, we recommend first trying our free trial or Low Cost digital certificate, and purchasing from a commercial certification authority (such as VeriSign, Thawte, GlobalSign, etc.) only once you have tested successfully.

Signtool.exe is located in the Bin directory of the Platform SDK, e.g. C:\Program Files\Microsoft Platform SDK\Bin.

Visit Certificate Centre at http://www.ascertia.com/onlineca/ and get your Trial or Low Cost code signing certificate. Download your certificate with its private key and import it into the Windows user (Internet Explorer) key store. This also imports Ascertia Public CA 1 (the issuer of your digital certificate) and Ascertia Root CA 2.

Note: You can download the Ascertia Root CA 2 and Intermediate CA certificates and import them into Internet Explorer (user key store). These certificates are required to build trust in the Ascertia CA hierarchy.

To download the Ascertia Root CA 2 and Intermediate CA certificates, use the links below:

Ascertia Root CA 2 from: http://www.ascertia.com/onlineCA/CA/AscertiaRootCA2.crt

Ascertia Public CA 1 from: http://www.ascertia.com/onlineCA/CA/AscertiaPublicCA1.crt

Sign your File:

The following steps walk through the signing process:

  • Go to: Start > Run.
  • Type cmd and click the OK button.
  • At the prompt, change the directory to: C:\Program Files\Microsoft Platform SDK\Bin
  • Type: signtool signwizard
  • The Digital Signature Wizard screen will appear; click the Next button.
  • Browse to find the code to be digitally signed, and click the Next button.
  • Select the Custom option and click the Next button.
  • Click the Select from store button and locate your code signing certificate.
  • Select the code signing certificate and click the Next button.
  • Select Private Key in a CSP and click the Next button.
  • Select sha1 and click the Next button.
  • Choose “All certificates in certification path including the Root certificate” and click the Next button.
  • If you like, you can now enter a description of your file and a web site address where more information can be found, then click the Next button.

Note: This TSA does not currently support timestamps for code signing certificates; the TSA for code signing will be activated soon. You can use a TSA server of your choice.

  • Verify that all the information is correct and then click Finish.
  • You have successfully signed your file. Click OK to finish.

Test Your Signature

The Platform SDK SIGNTOOL.EXE utility contains a command to check a digital signature before distributing your file.

  • Click on: Start > Run
  • Type cmd and click OK.
  • At the prompt change the directory to: C:\Program Files\Microsoft Platform SDK\Bin
  • Type: signtool verify /pa /v <filename>. E.g. C:\>signtool verify /pa /v "C:\my project\my.exe". Press Enter.
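
The same pre-distribution check can be scripted for a whole build folder. The PowerShell below is an added example, not part of the original article or of Ascertia's tooling: it uses the built-in Get-AuthenticodeSignature cmdlet instead of signtool, and it also flags files that were signed without a timestamp, whose signatures stop validating once the signing certificate expires. The function name, the -ExpectedThumbprint parameter and the folder (taken from the article's sample path) are assumptions.

```powershell
# Added example: report Authenticode status for every EXE, DLL and CAB in a folder.
function Test-ReleaseSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,                  # folder holding the signed build output
        [string]$ExpectedThumbprint     # hypothetical: thumbprint of your own signing certificate
    )

    $files = Get-ChildItem -LiteralPath $Path -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.dll', '.cab' }

    foreach ($file in $files) {
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $problems = @()

        # Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...) fails the check.
        if ($sig.Status -ne 'Valid') {
            $problems += "status is $($sig.Status)"
        }
        # A signature is present but carries no timestamp from a TSA.
        if ($sig.SignerCertificate -and -not $sig.TimeStamperCertificate) {
            $problems += 'no timestamp'
        }
        # Optionally pin the signer, so a file signed with some other valid certificate is caught.
        if ($ExpectedThumbprint -and $sig.SignerCertificate -and
            $sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
            $problems += 'signed by an unexpected certificate'
        }

        [pscustomobject]@{
            File        = $file.FullName
            Signer      = $sig.SignerCertificate.Subject
            CertExpires = $sig.SignerCertificate.NotAfter
            Timestamped = [bool]$sig.TimeStamperCertificate
            Ok          = ($problems.Count -eq 0)
            Problems    = $problems -join '; '
        }
    }
}

# Sample run against the folder used in the article's verify example.
$report = @(Test-ReleaseSignature -Path 'C:\my project')
$report | Format-Table File, Ok, Timestamped, CertExpires, Problems -AutoSize
$failed = @($report | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) { Write-Error "$($failed.Count) file(s) failed the signature check." }
```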
posted @ 2010-07-11 12:16  bettermanlu