Signing Windows Apps

Background: I’ve created some Windows apps (WinForms on .NET 4 and an x64 Word add-in). These are packaged into .msi installers by Advanced Installer. I need to digitally sign them so that installation doesn’t trip the “Unknown Publisher” warning.

Broad Notes

  • You can purchase certificates for hundreds of dollars (annually). Probably get an “Extended Validation” one. Usually these are issued to companies.
  • Using a self-signed one is okay for internal-to-company use.
  • Don’t use makecert anymore; use New-SelfSignedCertificate.

Make a certificate

Use PowerShell to do this; the cmdlets are built in. The default validity is 12 months, and the certificate will be self-signed.


# Make one and put it in the certificate store (i.e. not a file; it lives in the user profile)
New-SelfSignedCertificate -DnsName brettbeeson.com -Type CodeSigning -CertStoreLocation Cert:\CurrentUser\My -Subject "Brett Beeson" -NotAfter (Get-Date).AddMonths(24)
# Look it up (i.e. get the thumbprint)
Get-ChildItem -Path Cert:\CurrentUser\My
# Check it (replace XXXX... with the thumbprint from the previous command)
Test-Certificate -Cert Cert:\CurrentUser\My\XXXXXXXXXXXXXXXXXXXXXXXX -AllowUntrustedRoot

You can also view certificates via Start > Run > certmgr.msc.

Optional: add your self-signed certificate as a Trusted Publisher and/or Root CA.

This trust is obviously only in effect on the local machine (and, with the CurrentUser store, only for the current user).

# CA (the parameter is -CertStoreLocation; .cer is the public certificate exported below)
Import-Certificate -FilePath .\brettbeeson.cer -CertStoreLocation Cert:\CurrentUser\Root
# TP
Import-Certificate -FilePath .\brettbeeson.cer -CertStoreLocation Cert:\CurrentUser\TrustedPublisher

Export to a file

# Password is required to protect the private key in the .pfx
$CertPassword = ConvertTo-SecureString -String "XXXX" -Force -AsPlainText
# Certificate with private key, encrypted (note the \My store in the path)
Export-PfxCertificate -Cert Cert:\CurrentUser\My\77080EE8A3237AC0A6AA08B9DCC50B888B34709E -FilePath .\brettbeeson.pfx -Password $CertPassword
# Public certificate only (no private key) - this is what you import as Root/Trusted Publisher
Export-Certificate -Cert Cert:\CurrentUser\My\XXXXXXXXXXXX -FilePath .\brettbeeson.cer

Sign a file (Advanced Installer)

  • Install signtool.exe and point AI to it. Download the Windows SDK 10 and uncheck all options except Signtool. Then in AI > File > Settings > External Tools set the path to signtool.exe. See details.
  • Tick AI > Digital Signature > Enable Signing.
  • Use “file from disk” (the Personal Store option hangs for me) to select the .pfx you exported.

Sign a file (powershell)

  • Looks like you can sign using either signtool.exe or the Set-AuthenticodeSignature cmdlet.
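As an added example (not from the original post), this script signs the MSI with Set-AuthenticodeSignature using the exported .pfx and then verifies the signature the same way the “Check it” step does, but from the command line. The .pfx and MSI paths, the password prompt, and the DigiCert timestamp URL are assumptions you should adjust.

```powershell
# Added example: sign an MSI with the exported .pfx and verify the result.
# Assumed inputs: brettbeeson.pfx from the export step, an MSI to sign, and a
# public timestamp server (DigiCert's is used here as an example).
param(
    [string]$PfxPath      = '.\brettbeeson.pfx',
    [string]$MsiPath      = '.\MyApp.msi',
    [string]$TimestampUrl = 'http://timestamp.digicert.com'
)

# Load the certificate plus private key from the .pfx (password prompted, never hard-coded).
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (Resolve-Path $PfxPath).Path, $pfxPassword

if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key: sign with the .pfx, not the .cer'
}

# Sign with a SHA-256 digest and a timestamp, so the signature stays valid after the
# certificate's NotAfter date (a 24-month self-signed cert expires quickly).
$sig = Set-AuthenticodeSignature -FilePath $MsiPath -Certificate $cert `
           -HashAlgorithm SHA256 -TimestampServer $TimestampUrl

# Verify independently of the signing call, as a user would on receipt.
$check = Get-AuthenticodeSignature -FilePath $MsiPath
if ($check.Status -eq 'NotSigned') {
    throw "Signing failed: $($sig.StatusMessage)"
}
if ($check.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw 'The MSI is signed, but not by the expected certificate'
}

"Signer     : $($check.SignerCertificate.Subject)"
"Thumbprint : $($check.SignerCertificate.Thumbprint)"
"Status     : $($check.Status) - $($check.StatusMessage)"
# Status is 'Valid' only where the chain ends in a trusted root, i.e. on a machine where
# brettbeeson.cer was imported into Root above. Elsewhere a self-signed certificate gives
# 'UnknownError' with "terminated in a root certificate which is not trusted", which is
# exactly the condition that produces the "Unknown Publisher" prompt on install.

# Equivalent signtool.exe commands (same SDK tool Advanced Installer calls):
#   signtool sign /f brettbeeson.pfx /p <password> /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 MyApp.msi
#   signtool verify /pa /v MyApp.msi
```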

Check it

After building the MSI (AI signs it as part of the build), right-click the file > Properties and check the Digital Signatures tab to see the certificate info.

References

https://stackoverflow.com/questions/84847/how-do-i-create-a-self-signed-certificate-for-code-signing-on-windows

https://www.advancedinstaller.com/forums/viewtopic.php?t=33226

https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool
