Saturday, August 13, 2016

Installing a Code Signing Certificate, 2016

This is an update to my earlier article about the same subject. This process is much easier than it used to be.

Install a certificate from Comodo

  1. Use IE11 as your browser for everything related to the purchase.
  2. Use Comodo to buy your Code Signing Cert (still the cheapest provider, especially if you go through Tucows and buy a three year certificate.)
  3. When filling out the information during the purchase process, make SURE you click the checkbox that marks the private key as exportable, or you will be very unhappy.
  4. After your identity is confirmed, you will receive an email from Comodo with a subject like ORDER #12345678 - Your Code Signing Certificate is ready!
  5. Install the new certificate by clicking the link in the email. Again, use IE11, not Edge.
  6. Remove your old certificate. If you are renewing an existing certificate, then keeping the old certificates installed isn't usually useful, and having multiple certificates will break SIGNTOOL if signtool is searching the certificate store. Go to Control Panel / Internet Options / Content, click Certificates, select your old certificate, and click Remove. The old certificate will probably be on the Personal page.
  7. Verify the installation. Go to Control Panel / Internet Options / Content, click Certificates, select your new certificate, and click View in the bottom right. The certificate will probably be on the Personal page.
  8. Make sure you have the private key. Again on the Certificates Page, at the end of the information, right under the "Valid from" dates, you should see something that says "You have a private key that corresponds to this certificate." If this isn't there, you may not have checked the box during the signup process as described in Step 3 above. You will probably need to get the certificate reissued (this is free with Comodo).
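As an added check that is not part of the original post, the verification in Steps 6 through 8 can also be done from PowerShell against the current user's Personal ("My") store, which is the store Internet Options displays. The script lists every code-signing certificate, reports whether its private key is present and whether Windows can build its chain, and warns if more than one code-signing certificate is installed (the situation Step 6 says will break signtool when it searches the store).

```powershell
# Added example (not from the original post): verify the installed code-signing
# certificate from PowerShell instead of the Internet Options dialog.
# -CodeSigningCert filters the Cert: drive to certificates with the Code Signing EKU.
$certs = @(Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert)

if ($certs.Count -eq 0) {
    Write-Warning "No code-signing certificate found in Cert:\CurrentUser\My (the Personal store)."
    return
}

foreach ($cert in $certs) {
    "{0}`n  valid to {1:yyyy-MM-dd}  thumbprint {2}" -f $cert.Subject, $cert.NotAfter, $cert.Thumbprint

    # Step 8: the private key must have been imported along with the certificate.
    if ($cert.HasPrivateKey) {
        "  private key: present"
    } else {
        "  private key: MISSING - the export checkbox was probably not ticked; have the certificate reissued"
    }

    # Step 7 equivalent: confirm the intermediate and root certificates are available,
    # because signtool embeds the chain in the signature.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if ($chain.Build($cert)) {
        "  chain: OK ({0} certificates)" -f $chain.ChainElements.Count
    } else {
        $reasons = ($chain.ChainStatus | Select-Object -ExpandProperty StatusInformation) -join '; '
        "  chain: FAILED - $reasons"
    }
}

# Step 6: more than one code-signing certificate makes store-based selection ambiguous.
if ($certs.Count -gt 1) {
    Write-Warning "More than one code-signing certificate is installed; remove the old one, or pick one explicitly with signtool's /sha1 <thumbprint> option."
}
```

Run it in a normal (non-elevated) PowerShell window, since the certificate was installed into the current user's store by the browser.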

Export the PFX file

A PFX file can be used by many third party utilities. One advantage is that PFX files can be created without a password, which is handy in automated builds if you are using SIGNTOOL. You can see the complete process with pretty pictures at PentaWare (via the WayBack Machine). Here's the abridged version:
  1. Go back to the Certificates Page on Internet Options.
  2. Select your certificate
  3. Click Export.
  4. Click Next.
  5. Select "Yes, export the private key."
  6. Click Next.
  7. Select "Personal Information Exchange - PKCS #12 (.PFX)." (If this option is grayed out, then your private key was not imported).
  8. Check the box labeled "Include all certificates in the certification path if possible." THIS IS VERY IMPORTANT.
  9. Click Next.
  10. Provide a password.
  11. Click Next.
  12. Enter a filename.
  13. Click Next.
  14. Click Finish.
  15. To remove the password from the PFX file, use openssl as described in this post.
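As an added example, not from the original post or from the linked one, the following PowerShell script performs the password removal of Step 15 with openssl and then checks that the result still contains the private key (Step 8) and the certificate chain (Step 8 of the export). The file paths are placeholders; openssl is assumed to be on the PATH.

```powershell
# Added example (not from the original post): strip the password from an exported PFX
# with openssl, then confirm the password-less copy still has the key and the chain.
param(
    [string]$InPfx  = 'C:\certs\codesign.pfx',        # placeholder: file exported from Internet Options
    [string]$OutPfx = 'C:\certs\codesign-nopass.pfx'  # placeholder: password-less copy for automated builds
)

$secure = Read-Host -Prompt 'PFX export password' -AsSecureString
$plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password
$tmpPem = Join-Path $env:TEMP 'codesign-tmp.pem'

try {
    # 1. Unpack key, leaf certificate and chain into one unencrypted PEM file.
    #    The password is passed through an environment variable rather than the command line.
    #    Note: OpenSSL 3.x may need "-legacy" here, because Windows exports use RC2 encryption.
    $env:PFX_PASS = $plain
    & openssl pkcs12 -in $InPfx -out $tmpPem -nodes -passin env:PFX_PASS
    if ($LASTEXITCODE -ne 0) { throw "openssl could not read $InPfx" }

    # 2. Repack everything in the PEM as a PFX with an empty password.
    & openssl pkcs12 -export -in $tmpPem -out $OutPfx -passout pass:
    if ($LASTEXITCODE -ne 0) { throw "openssl could not write $OutPfx" }
}
finally {
    Remove-Item Env:\PFX_PASS -ErrorAction SilentlyContinue
    if (Test-Path $tmpPem) { Remove-Item $tmpPem -Force }   # never leave the bare key on disk
}

# 3. Load the new PFX with .NET and check its contents.
$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$collection.Import($OutPfx, '', 'DefaultKeySet')
$leaf = $collection | Where-Object { $_.HasPrivateKey }

if (-not $leaf) {
    Write-Warning "No private key in $OutPfx; re-export with 'Yes, export the private key'."
} else {
    "Signing certificate: $($leaf.Subject)"
}
if ($collection.Count -lt 2) {
    Write-Warning "Only the leaf certificate is present; re-export with 'Include all certificates in the certification path' checked."
} else {
    "$($collection.Count) certificates in the PFX (leaf plus chain)."
}
```

Because the output file can sign code with no further secret, keep it out of source control and restrict its NTFS permissions to the build account that runs signtool.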

Sign your code!

If you need some hints on this, see my earlier post.

As of January 1, 2016, all Windows executables must be signed with SHA1 and SHA256. For details, see this excellent article.
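The dual signature described above, as an added PowerShell example that is not part of the original post: the executable is first signed with a SHA-1 file digest and an Authenticode timestamp, then a SHA-256 signature with an RFC 3161 timestamp is appended with /as, and finally every signature on the file is verified. The paths and the timestamp URL are placeholders; use the timestamp service your CA publishes.

```powershell
# Added example (not from the original post): sign an executable with both SHA-1 and
# SHA-256 signatures using signtool, then verify both. Assumes signtool.exe is on the PATH.
param(
    [string]$Exe          = 'C:\build\app.exe',              # placeholder
    [string]$Pfx          = 'C:\certs\codesign-nopass.pfx',  # placeholder: password-less PFX
    [string]$TimestampUrl = 'http://timestamp.example.com'   # placeholder: your CA's timestamp server
)

function Invoke-SignTool {
    param([string[]]$Arguments)
    & signtool.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

# First signature: SHA-1 file digest (/fd) with an Authenticode timestamp (/t), for older Windows.
# Add '/p', '<password>' after the PFX path if the file still has a password.
Invoke-SignTool @('sign', '/f', $Pfx, '/fd', 'sha1', '/t', $TimestampUrl, '/v', $Exe)

# Second signature: SHA-256 digest with an RFC 3161 timestamp (/tr, /td).
# /as appends this signature instead of replacing the SHA-1 one.
Invoke-SignTool @('sign', '/f', $Pfx, '/fd', 'sha256', '/tr', $TimestampUrl, '/td', 'sha256', '/as', '/v', $Exe)

# Verify all signatures on the file against the default Authenticode policy (/pa).
Invoke-SignTool @('verify', '/pa', '/all', '/v', $Exe)

# PowerShell's own view of the primary signature, as a final sanity check.
Get-AuthenticodeSignature -FilePath $Exe | Format-List Status, SignerCertificate, TimeStamperCertificate
```

If you sign from the certificate store instead of a PFX, replace `'/f', $Pfx` with `'/sha1', '<thumbprint>'` so that signtool does not have to guess between multiple installed certificates.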