Code Signing on a Shoe-String Budget

Tuesday, June 14, 2005

I don't need a professional Code Signing infrastructure complete with 24/7 Indonesian support and free Hot Pocket delivery within the tri-state area. I just want to make sure people know they have something of mine for less than, or equal to, $0.

Solution 1 of 1:
Free code signing. (I must remind everyone of the lack of official support for what I'm about to describe. If you are running a real business, go pay the money.)

Requirements:
Windows (I'm using XP)
Compiled binary of OpenSSL
GlobalSign's PVK transform utility (Mirror)
Microsoft's code signing stuff (Mirror)

Steps:
Get a free certificate from Ascertia.
Note: The "Name" you enter will be the name seen on the certificate. Don't worry if you can't decide on a good name; you can change it after you register.

Generate and download the certificate using Internet Explorer.
It failed to download the ActiveX file in all the other browsers I tried, including Firefox.

Run certmgr.exe from codesigningx86, select the certificate, and export.
Select the option to export without the private key and in DER-encoded binary. I did not test the other encoding methods, but, in theory, they all should work.
This should produce a cer file. I put all my files on the desktop to shorten all the path names. There is nothing worse than typing and searching for errors in long path names.

[I had a beautiful tutorial written just before the power went out. For speed, I will just give you the bare bones.]

cert2spc <insert cer file path> <insert new spc file path>

Run certmgr.exe, select the same certificate, and export again.
This time export the private key. Make sure "Include all certificates in the certification path if possible" is checked and "Delete the private key if the export is successful" is unchecked.
This will export a pfx file. (Make sure to remember the password you set.)

openssl pkcs12 -in <insert pfx file path> -nocerts -nodes -out <insert new pem file path>

pvk -in <insert pem file path> -topvk -out <insert new pvk file path>

You only need the spc and pvk files, so you can, and should for security reasons, delete the other data files. The pem file in particular holds your private key unencrypted (that is what -nodes does), so do not leave it lying around.

signcode -spc "<insert spc file path>" -v "<insert pvk file path>" -a md5 -i "<insert some information, usually your websites url>" -n "<insert short file description>" -t http://timestamp.verisign.com/scripts/timstamp.dll "<insert target file path>"

You don't have to pay Verisign to use their timestamp server. You should, and again you should just pay the money if you are running any form of business, but it works whether you do or not. The timestamp is worth having: it lets the signature stay valid after your certificate expires.

The -a switch picks the hash used for the signature; signcode accepts md5 or sha1, and sha1 is the stronger of the two.

That will do it. You can verify the signature by opening the properties of the signed file, and clicking the Digital Signatures tab. If there is no Digital Signatures tab, you failed.
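The Digital Signatures tab is the manual check; as an added example (not from the original post), here is a Python triage check that reads the security data directory of a PE file and reports whether a signature blob is present, which digest OIDs it contains (the -a md5 choice above shows up as the MD5 OID), and whether a timestamp countersignature attribute is there. build_sample_pe and SAMPLE_BLOB are constructed stand-ins so it runs offline; on a real file pass open(path, "rb").read() to authenticode_info.

```python
import struct

# DER encodings of the OIDs worth spotting in an Authenticode PKCS#7 blob.
OID_MD5 = bytes.fromhex("06082a864886f70d0205")                 # 1.2.840.113549.2.5 (signcode -a md5)
OID_SHA1 = bytes.fromhex("06052b0e03021a")                      # 1.3.14.3.2.26      (signcode -a sha1)
OID_COUNTERSIGNATURE = bytes.fromhex("06092a864886f70d010906")  # 1.2.840.113549.1.9.6 (-t timestamp)
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def authenticode_info(pe):
    """Find the WIN_CERTIFICATE that IMAGE_DIRECTORY_ENTRY_SECURITY points at and report
    presence, digest OIDs seen and whether a countersignature (timestamp) attribute is there.
    OID checks are a byte-substring scan (triage heuristic), not ASN.1 parsing or verification."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                       # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # data directories: PE32 vs PE32+
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4 = SECURITY
    if sec_off == 0 or sec_size == 0:
        return {"signed": False}                  # the "no Digital Signatures tab" case
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, sec_off)
    blob = pe[sec_off + 8:sec_off + length]       # the PKCS#7 SignedData itself
    return {
        "signed": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "digests": [n for n, oid in (("md5", OID_MD5), ("sha1", OID_SHA1)) if oid in blob],
        "timestamped": OID_COUNTERSIGNATURE in blob,
    }

def build_sample_pe(cert_blob=None):
    """Constructed minimal PE32 image (headers only, not a runnable program) that
    optionally carries cert_blob in a WIN_CERTIFICATE, so the check can be run offline."""
    opt_size = 96 + 16 * 8                        # fixed PE32 fields + 16 data directories
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94   # magic, remaining fixed fields zeroed
    dirs = bytearray(16 * 8)
    header_len = len(dos) + 4 + 20 + opt_size
    if cert_blob is not None:                     # SECURITY entry holds a file offset, not an RVA
        struct.pack_into("<II", dirs, 4 * 8, header_len, 8 + len(cert_blob))
    pe = dos + b"PE\0\0" + coff + opt + bytes(dirs)
    if cert_blob is not None:
        pe += struct.pack("<IHH", 8 + len(cert_blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
    return pe

# Constructed stand-in for a PKCS#7 blob (not valid DER): it only embeds the OIDs an md5-signed, timestamped signcode output would contain.
SAMPLE_BLOB = b"\x30\x80" + OID_MD5 + b"\x04\x03abc" + OID_COUNTERSIGNATURE + b"\x00\x00"
```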

Thanks to Matthew Jones for the help.