5

Using a non-Microsoft compiler, I have written small application for Windows that I'd like to give away for free or sell for some trivial amount ($5 say). The program doesn't use the registry but I'd like to provide it as an installer executable (e.g. MyAppInstall.exe) created using freely available tools (e.g InnoSetup).

From Signing a Windows EXE file and other sources my understanding is as follows:

  1. If I do not sign the installer, Windows will pop-up a warning dialogue box warning the user that the publisher is unknown and suggesting they should not run the software. This is undesirable.

  2. If I sign the installer with a self certified key, The popup dialogue will at least provide a publisher name instead of "unknown". It will say the publisher could not be verified or the publisher is untrusted. This is probably marginally better than being described as an unknown publisher.

  3. If I pay ~$100 every year to a CA, I can get a code-signing cert that will allow me to give away useful free software that can be easily installed - without scary and off-putting dialogues appearing.

  4. I can use the Windows edition of OpenSSL to create a self-certified key for code signing. This way I don't have to download an install a 590 MB SDK file from MS just to obtain Microsoft's makecert.exe

  5. Catch 22: The only code signing tool I have heard of is signtool.exe which can only be obtained by downloading and installing at least 590 MB of other stuff (the SDK).

Q: Is there an alternative to Microsoft's signtool.exe

Community
  • 1
  • 1
RedGrittyBrick
  • 3,827
  • 1
  • 30
  • 51
  • First of all, using self-signed certificate is, well, useless as it doesn't save you from warning messages. Besides signtool you can write your own EXE signer using our SecureBlackbox, but that one is commercial (and this doesn't make sense in your case). We had a plan to make a public tool similar to signtool (signtool has certain shortcomings we'd like to avoid) but this plan is still a plan and not work in progress. Though, I think, we got to make one as demand exists. – Eugene Mayevski 'Callback Aug 13 '13 at 17:59

4 Answers4

7

There is kSign, and their blog also has an article about how to integrate with Inno Setup.

It is not a complete replacement for signtool (i.e. it won't sign .cat and .sys files involved in signing driver packages) but it will will digitally sign EXE,DLL,COM,CAB and OCX files.

sschuberth
  • 28,386
  • 6
  • 101
  • 146
Fotios Basagiannis
  • 1,432
  • 13
  • 14
3

An alternative to signtool is Mono's signcode. Mozilla Developer Network has a very useful article on converting your certificate to SPC/PVK format and signing your EXE with Authenticode:

Convert PFX to SPC/PVK

openssl pkcs12 -in authenticode.pfx -nocerts -nodes -out key.pem
openssl rsa -in key.pem -outform PVK -pvk-strong -out authenticode.pvk
openssl pkcs12 -in authenticode.pfx -nokeys -nodes -out cert.pem
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out authenticode.spc

Sign EXE

signcode \
 -spc authenticode.spc \
 -v authenticode.pvk \
 -a sha1 -$ commercial \
 -n My\ Application \
 -i http://www.example.com/ \
 -t http://timestamp.verisign.com/scripts/timstamp.dll \
 -tr 10 \
 MyApp.exe

Passphrases

Unlike signtool, which accepts the passphrase as a command-line argument, it seems like signcode must be given the passphrase on standard input. I was able to use signcode [arguments] < passphrase.txt.

Ben Hutchison
  • 4,823
  • 4
  • 26
  • 25
0

Catch 22: The only code signing tool I have heard of is signtool.exe which can only be obtained by downloading and installing at least 590 MB of other stuff (the SDK).

No. You are not required to install the whole SDK to install signtool.exe. Use SDK Web installer and choose to install "Tools" only.

However, the bad news is no signing tool will help you to bypass Windows warning if you have no CA-signed certificate because it is not possible to create something from nothing. The good news is many CA provides FREE code signing certificates for open-source developers, but you should use it to sign only FREE software. So, it is your choise: pay to CA and continue to sell your software, or do not pay and distribute it for free. It looks fair enough.

user3177472
  • 1
  • I tried the web installer back in September, the smallest selection (just ".Net development tools") produced "Disk Space Requirements" of 507.5 MB. The only CA I can find offering free code-signing certs is [Unizeto](https://sklep.unizeto.pl/en/ankieta/form.php) in Poland - and you have to give them permission to process your personal details for marketing purposes. Any other CA suggestions? – RedGrittyBrick Jan 09 '14 at 14:22
  • What if the software is FREE and open-source, but it has in-app purchases, will that be eligible for a FREE CA-signed certificate? – orr burgel Mar 14 '22 at 15:31
0

Try this free application which also allows you to set other properties of the signed executable such as company name, details, product name, etc.

Michael Haephrati
  • 3,660
  • 1
  • 33
  • 56
  • The referenced link is unavailable. It appears the domain does not exist or is abandoned. – Br.Bill Dec 02 '16 at 17:22
  • 1
    Sorry about that. Problem with the web site. Here is an alternative link for the software https://www.codeproject.com/script/Membership/Uploads/5956881/signpe.zip – Michael Haephrati Dec 04 '16 at 13:12