SignTool to sign an EXE

Source: Internet
Author: User
Tags: sha1, hash, pfx file

Reference (MSDN, .NET Framework 2.0 documentation): https://msdn.microsoft.com/zh-cn/library/9sh96ycy(vs.80).aspx

The File Signing Tool (Signcode.exe) signs a portable executable (PE) file (a .dll or .exe) with an Authenticode digital signature. You can sign either an assembly or an individual file contained in a multifile assembly; if you are distributing an assembly, sign the assembly rather than the individual files. Running Signcode.exe without any options launches the Digital Signature Wizard, which walks you through signing.

The File Signing Tool ships only with the .NET Framework SDK versions 1.0 and 1.1. With newer .NET Framework SDKs, use the Sign Tool (SignTool.exe) instead.

signcode [options] filename | assemblyname

Parameters

filename
The name of the PE file to be signed.

assemblyname
The name of the assembly to be signed. This file must contain an assembly manifest.

Options

-$ authority
Specifies the signing authority of the certificate, which must be either individual or commercial. By default, Signcode.exe uses the highest permission available in the certificate.

-a algorithm
Specifies the hash algorithm for the signature, which must be either md5 (the default) or sha1. Both are now considered too weak for new signatures; SignTool.exe can sign with SHA-256 (/fd sha256), which is one more reason to prefer it.

-c file
Specifies the file that contains the encoded software publishing certificate.

-cn name
Specifies the common name of the certificate.

-i info
Specifies a location (usually a URL) where more information about the content can be found.

-j dllname
Specifies the name of a DLL that returns an array of authenticated attributes to be used in creating the file signature. Multiple DLLs can be specified by repeating the -j option.

-jp param
Specifies a parameter to pass to the preceding DLL, for example: -j dll1 -jp dll1param. This tool allows only one parameter per DLL.

-k keyname
Specifies the key container name.

-ky keytype
Specifies the key type, which must be signature, exchange, or an integer (such as 4).

-n name
Specifies a text name that represents the content of the file to be signed.

-p provider
Specifies the name of the cryptographic provider on the system.

-r location
Specifies the location of the certificate store in the registry, which must be either currentuser (the default) or localmachine.

-s store
Specifies the certificate store that contains the signing certificate. The default is the my store.

-sha1 thumbprint
Specifies the thumbprint (the SHA-1 hash) of the signing certificate held in the certificate store.

-sp policy
Sets the certificate store policy, which must be either spcStore (the default) or chain. If chain is specified, all certificates in the validation chain, including the self-signed root, are added to the signature. If spcStore is specified, the certificates in the validation chain are added to the signature except the trusted self-signed root.

-spc file
Specifies the SPC file that contains the software publishing certificate.

-t URL
Indicates that the time stamp server at the specified HTTP address should create a time stamp for the file.

-tr number
Specifies the maximum number of time-stamp attempts to make before giving up. The default is 1.

-tw number
Specifies the delay, in seconds, between time-stamp attempts. The default is 0.

-v pvkfile
Specifies the name of the .pvk file that contains the private key.

-x
Creates a time stamp for the file but does not sign it.

-y type
Specifies the type of cryptographic provider to use.

Encryption standards and algorithms are implemented by cryptographic service providers (CSPs). For a list of the default provider types, see "Microsoft Cryptographic Service Providers" in the Platform SDK.

-?
Displays command syntax and options for the tool.

Notes

To create a signature using a software publisher certificate (SPC) file, specify the -spc option together with -v if the private key is in a .pvk file, or together with -k if the private key is in a registry key container. If you use an SPC file to sign a file, create the SPC file with the Certificate Creation Tool (Makecert.exe) and the Software Publisher Certificate Test Tool (Cert2spc.exe).

Example

The following command signs xyz.exe using the certificate in the xyz.spc software publisher certificate file and the private key in the registry key container xyz:

signcode /spc xyz.spc /k xyz xyz.exe

The following command signs the assembly myassembly using the certificate in mycertificate.spc and the private key in mykey.pvk:

signcode /spc mycertificate.spc /v mykey.pvk myassembly
See also:
.NET Framework Tools
Certificate Creation Tool (Makecert.exe)
Software Publisher Certificate Test Tool (Cert2spc.exe)
SDK Command Prompt
Security Permissions (concepts)

A digital signature is a genuinely useful thing: it lets anyone detect that the software was modified after it was signed, a time stamp records when it was signed, and, most importantly, it greatly reduces false positives from antivirus software. Those benefits, of course, only come with a certificate issued by a trusted certification authority.

This post is not about applying for such a certificate; it is about making your own.

1. Install the Windows SDK

The SDK contains both the certificate generation tools and the signing tool (Visual Studio should ship its own copies as well). The tools used below can be found in C:\Program Files\Microsoft SDKs\Windows\v7.0A\bin.

2. Create a certificate

MSDN's description of Makecert.exe (Certificate Creation Tool):

The Certificate Creation Tool generates X.509 certificates for testing purposes only.
It creates a public/private key pair for digital signatures and stores it in a certificate file.
It also associates the key pair with a specified publisher name and creates an X.509 certificate that binds the user-specified name to the public part of the key pair.

Use this command line to create a certificate:

makecert -sv abc.pvk -r -n "CN=xxx Company" abc.cer

-sv abc.pvk writes the private key to a new .pvk file; you are prompted for a password that protects it. -r makes the certificate self-signed, -n sets its subject name, and abc.cer receives the certificate (public key only).

3. Create a Software Publisher Certificate

MSDN's description of Cert2spc.exe (Software Publisher Certificate Test Tool):

The Software Publisher Certificate Test Tool creates a Software Publisher Certificate (SPC) from one or more X.509 certificates.
Cert2spc.exe is for testing purposes only.
You can obtain a valid SPC from a certification authority such as VeriSign or Thawte.

Use the following command line to create the publisher certificate:

cert2spc abc.cer abc.spc

4. Export the PFX certificate file

Use the Pvk2Pfx.exe tool to combine the .pvk and .spc files into a PFX file:

pvk2pfx -pvk abc.pvk -pi mypassword -spc abc.spc -pfx abc.pfx -f

Replace mypassword with the password you entered in step 2. -f overwrites an existing abc.pfx; because no -po option is given, the PFX is protected with the same password as the PVK.

5. Sign your own software

Sign with SignTool.exe. MSDN's description of SignTool.exe (Sign Tool):

Sign Tool is a command-line tool that digitally signs files, verifies signatures in files, and time stamps files.

To sign abc.exe:

signtool sign /f abc.pfx /p mypassword abc.exe

Replace the password with your own. Note that without an explicit /fd option SignTool digests the file with SHA-1; builds that support it accept /fd sha256.

6. Time stamp your software

You can use the time stamp service provided by WoSign: http://timestamp.wosign.com/timestamp

signtool timestamp /t http://timestamp.wosign.com/timestamp abc.exe

The time stamp countersignature is what keeps the signature valid after the signing certificate expires. It can also be applied in the same run as the signature by adding /t URL to the signtool sign command.
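The six steps above as one PowerShell script, with every tool's exit code checked and a verification pass at the end. This is an added example, not code from the original post; it assumes makecert.exe, cert2spc.exe, pvk2pfx.exe and signtool.exe are on PATH (for example from the SDK bin directory named in step 1), that the signtool build accepts /fd (Windows 8 SDK or later; drop "/fd", "sha256" for the v7.0A tool), and that the subject name, password and target file are placeholders to replace.

```powershell
# Added example (not from the original post): steps 2 to 6 as one script.
# Assumes the SDK tools are on PATH and that signtool understands /fd (Windows 8 SDK or later).
param(
    [string]$Target    = ".\abc.exe",                             # file to sign (placeholder)
    [string]$Subject   = "CN=Example Test Publisher",             # hypothetical publisher name
    [string]$Password  = "MyPassword",                            # protects abc.pvk and abc.pfx
    [string]$Timestamp = "http://timestamp.wosign.com/timestamp"  # server used in step 6
)

$ErrorActionPreference = "Stop"

function Invoke-Tool {
    # Run a native SDK tool and stop on a non-zero exit code, so a failed step
    # (wrong password, unreachable time stamp server, bad certificate) cannot be skipped silently.
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

if (-not (Test-Path $Target)) { throw "nothing to sign: $Target not found" }

# Step 2: self-signed certificate plus private key.  -r self-signed, -n subject, -sv PVK output.
# -eku 1.3.6.1.5.5.7.3.3 is the Code Signing extended key usage a real code-signing
# certificate carries; -a sha256 signs the certificate with SHA-256 instead of SHA-1.
Invoke-Tool makecert.exe @("-r", "-n", $Subject, "-eku", "1.3.6.1.5.5.7.3.3",
                           "-a", "sha256", "-sv", "abc.pvk", "abc.cer")

# Step 3: wrap the certificate in a Software Publisher Certificate (a PKCS#7 bundle).
Invoke-Tool cert2spc.exe @("abc.cer", "abc.spc")

# Step 4: merge SPC and PVK into a PFX.  Without -po the PFX reuses the PVK password.
Invoke-Tool pvk2pfx.exe @("-pvk", "abc.pvk", "-pi", $Password,
                          "-spc", "abc.spc", "-pfx", "abc.pfx", "-f")

# Steps 5 and 6 in one call: /fd sha256 digests the file with SHA-256 (signtool falls back
# to SHA-1 when /fd is omitted); /t adds an Authenticode time stamp so the signature
# stays valid after the certificate expires.
Invoke-Tool signtool.exe @("sign", "/f", "abc.pfx", "/p", $Password,
                           "/fd", "sha256", "/t", $Timestamp, "/v", $Target)

# Check 1: signtool verify.  /pa selects the default Authenticode policy (without it,
# signtool applies the stricter kernel-mode driver policy).  With a self-signed root this
# is expected to fail with "terminated in a root certificate which is not trusted", which is
# exactly what end users will see, so the exit code is reported rather than treated as fatal.
& signtool.exe verify /pa /v $Target
Write-Host "signtool verify exit code: $LASTEXITCODE (0 = chain trusted on this machine)"

# Check 2: the same signature as PowerShell sees it.  Thumbprint is the value that
# signcode's -sha1 option (and signtool's /sha1) use to pick a certificate from a store.
$sig = Get-AuthenticodeSignature -FilePath $Target
[pscustomobject]@{
    Status      = $sig.Status
    Message     = $sig.StatusMessage
    Signer      = $sig.SignerCertificate.Subject
    Thumbprint  = $sig.SignerCertificate.Thumbprint
    TimeStamper = $sig.TimeStamperCertificate.Subject
}
```

Run it from a PowerShell prompt in the directory that holds the file to sign. The separate verification step is deliberate: a successful signtool sign only proves the PFX password was right and the file was written; it says nothing about whether the chain will be trusted where the file is deployed.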

If the steps above worked, the file's properties show a Digital Signatures tab like this (screenshot not reproduced):

Once signed, the software instantly looks more professional!

Of course, a self-signed signature like this is only useful for testing: Windows still reports the publisher as unknown, because the root certificate is not in its trusted store. On a test machine you can add it with certutil -addstore Root abc.cer (from an elevated prompt); never do that on production systems. A signature that users will actually trust has to come from a certificate issued by a commercial certification authority.

