
Executables and DLLs can be digitally signed. It suggests trust to the user.

However, my research on this topic is slowly leading nowhere. I think I need a complete step-by-step idiot's guide on how to digitally sign binaries, directly upon compilation. What I mean is: click on "Build" and retrieve a signed executable. I really don't want to manually sign everything myself.

Visual Studio has a "Signing" tab in project properties, so I guess I have to look there. It seems like I need a .pfx file for that. But where exactly do I get one that contains my name and how do I use it correctly?

Also, does this cost money? - Per binary / only once / not at all?

Example of a signed binary:

[image: example]

bytecode77
  • You need to pay for a "Code Signing certificate" from a certificate authority. They range from about $50 to $500, and if you want to be able to get crash dumps through Microsoft there are additional requirements. The price covers the period the certificate is valid; you may need to renew over time. See also: http://stackoverflow.com/questions/1077800/which-code-signing-authority-should-i-go-with – jessehouwing Aug 17 '15 at 20:04
  • 1
    Retrieving crash dumps sounds delicious, but paying $500 for a certificate that is valid for one year is just disgusting for a non-profit developer. Is it possible to sign a binary without a counter-signature (or whatever it's called)? – bytecode77 Aug 17 '15 at 20:19
  • Only with a certificate that would show up as untrusted. Or with a cert from someone else. – jessehouwing Aug 17 '15 at 20:38
  • Okay so not an option for me. I'll still leave this answer here. Maybe it will help someone sometime. – bytecode77 Aug 17 '15 at 20:39

1 Answer

I have always signed my DLLs and applications manually. To make your signature last even after the code signing certificate expires, you need to add a timestamp to the signature.

To sign a DLL/EXE you need to buy the code signing certificate, but there are CAs where you can get it for free (e.g. if you are an open source developer). One of them is Certum CA (which I am currently using). Take a look here. The process of obtaining it is a torture, but the certificate itself is OK. (It doesn't work with all browsers - use FF; single sign-on needs to be done on every page and the emails are in Polish.)

A timestamp can be obtained for free (e.g. from the link in Hanselman's blog, or you can find a list of free RFC 3161 compliant timestamp authorities here).

pepo
  • Can I sign all my binaries with one certificate? – bytecode77 Aug 17 '15 at 20:54
  • Yes, of course. I was using `signtool.exe` where what to sign is the last parameter. I used `*.dll *.exe`. – pepo Aug 18 '15 at 05:54
  • Note that, if, after a year, you want to sign a new application, you still need a valid certificate. The timestamp only protects already signed apps, but you can't sign an application with an expired certificate. – jessehouwing Aug 18 '15 at 07:57
  • @jessehouwing True, you need to get another code signing certificate after the previous one expires to sign any binaries again. Might be a year or two. But if you do not add a timestamp to the signature and you don't publish any new version of the application, then the old one stops working after the code signing certificate expires. – pepo Aug 18 '15 at 09:39
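The following script is an added example, not code from the question or the answer above. It ties the two threads together: the question wants "click Build and retrieve a signed executable", and the answer says to use `signtool.exe` on `*.dll *.exe` with an RFC 3161 timestamp so the signature outlives the certificate. The script signs every unsigned PE file in the build output, timestamps it, verifies the result, and is meant to be called from the Visual Studio post-build event. The `.pfx` path, the `CODESIGN_PFX_PASSWORD` environment variable and the timestamp URL are placeholders I chose; substitute the certificate you obtained and a TSA from the list linked in the answer.

```powershell
# sign-build.ps1  (added example; not from the original post)
# Post-build event in the VS project properties (one line):
#   powershell -NoProfile -ExecutionPolicy Bypass -File "$(ProjectDir)sign-build.ps1" -OutDir "$(TargetDir)"
# $(ProjectDir) and $(TargetDir) are standard Visual Studio build macros.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)] [string] $OutDir,
    [string] $PfxPath      = "$PSScriptRoot\codesign.pfx",         # placeholder path (assumption)
    [string] $TimestampUrl = 'http://timestamp.example.invalid',    # placeholder; use an RFC 3161 TSA from the linked list
    [string] $SignTool     = 'signtool.exe'                         # from the Windows SDK; must be on PATH or passed in
)

$ErrorActionPreference = 'Stop'

# Keep the .pfx password out of the script and out of source control.
# CODESIGN_PFX_PASSWORD is an environment variable name chosen for this example.
$password = $env:CODESIGN_PFX_PASSWORD
if (-not $password) { throw 'Set CODESIGN_PFX_PASSWORD before building.' }
if (-not (Test-Path $PfxPath)) { throw "Certificate not found: $PfxPath" }

# Sign only what is not signed yet: third-party DLLs copied into the output
# folder keep their vendor's signature instead of being re-signed by us.
$targets = Get-ChildItem -Path $OutDir -Include *.exe, *.dll -Recurse |
    Where-Object { (Get-AuthenticodeSignature $_.FullName).Status -eq 'NotSigned' }

if (-not $targets) { Write-Host 'Nothing to sign.'; return }

foreach ($file in $targets) {
    # /fd SHA256      file digest algorithm
    # /tr <url>       RFC 3161 timestamp server; /td SHA256 is the timestamp digest
    # Without /tr the signature stops validating once the certificate expires,
    # which is exactly the failure mode discussed in the comments above.
    & $SignTool sign /f $PfxPath /p $password /fd SHA256 /tr $TimestampUrl /td SHA256 $file.FullName
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $($file.FullName)" }
}

# Verify with the default Authenticode policy (/pa) and fail the build on any problem,
# so an expired certificate or an unreachable TSA never ships an unsigned build.
foreach ($file in $targets) {
    & $SignTool verify /pa /v $file.FullName
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed for $($file.FullName)" }

    $sig = Get-AuthenticodeSignature $file.FullName
    if ($sig.Status -ne 'Valid') { throw "$($file.Name): $($sig.StatusMessage)" }
    Write-Host ("Signed {0} as '{1}', timestamped: {2}" -f
        $file.Name, $sig.SignerCertificate.Subject, [bool]$sig.TimeStamperCertificate)
}
```

Two caveats a practitioner will hit: with a self-signed or otherwise untrusted certificate (the "certificate that would show up as untrusted" from the comments), `signtool verify /pa` fails and `Get-AuthenticodeSignature` reports a non-`Valid` status, so this script deliberately breaks the build rather than producing a binary that looks signed but is not trusted. And because the password is passed on the `signtool` command line, keep this on a build machine you control; a build server should instead load the key from a protected store.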