https://msdn.microsoft.com/zh-cn/library/9sh96ycy(vs.80).aspx
.NET Framework 2.0
The File Signing Tool signs a portable executable (PE) file (.dll or .exe) with an Authenticode digital signature. You can sign an assembly or an individual file contained in a multi-file assembly; if you are distributing an assembly, sign the assembly rather than the individual files. Running Signcode.exe without any options starts a wizard that helps with signing.
The File Signing Tool ships only with the .NET Framework SDK versions 1.0 and 1.1. In newer versions of the .NET Framework SDK, use the Sign Tool (SignTool.exe) instead.
signcode [options] filename | AssemblyName
Parameters

| Parameter | Description |
| --- | --- |
| fileName | The name of the PE file to be signed. |
| assemblyName | The name of the assembly to be signed. This file must contain an assembly manifest. |

| Option | Description |
| --- | --- |
| -$ authority | Specifies the signing authority of the certificate, which must be either individual or commercial. By default, Signcode.exe uses the highest permission available for the certificate. |
| -a algorithm | Specifies the hash algorithm for the signature, which must be either md5 (the default) or sha1. |
| -c file | Specifies the file that contains the encoded software publisher certificate. |
| -cn name | Specifies the common name of the certificate. |
| -i info | Specifies a location (usually a URL) for more information about the content. |
| -j dllName | Specifies the name of a DLL that returns an array of authenticated attributes used to create the file's signature. Multiple DLLs can be specified by repeating the -j option. |
| -jp param | Specifies a parameter to pass to the preceding DLL, for example: -j dll1 -jp dll1param. The tool allows only one parameter per DLL. |
| -k keyName | Specifies the key container name. |
| -ky keyType | Specifies the key type, which must be signature, exchange, or an integer (such as 4). |
| -n name | Specifies a text name that represents the content of the file to be signed. |
| -p provider | Specifies the name of the cryptographic provider on the system. |
| -r location | Specifies the location of the certificate store in the registry, which must be either currentuser (the default) or localmachine. |
| -s store | Specifies the certificate store that contains the signing certificate. The default is the my store. |
| -sha1 thumbprint | Specifies the thumbprint, that is, the SHA1 hash of the signing certificate contained in the certificate store. |
| -sp policy | Sets the certificate store policy, which must be either spcStore (the default) or chain. If chain is specified, all certificates in the chain, including self-signed certificates, are added to the signature. If spcStore is specified, the trusted self-signed certificate in the chain is not added to the signature. |
| -spc file | Specifies the SPC file that contains the software publisher certificate. |
| -t URL | Indicates that the timestamp server at the specified HTTP address is to create a timestamp for the file. |
| -tr number | Specifies the maximum number of timestamp attempts until one succeeds. The default is 1. |
| -tw number | Specifies the delay (in seconds) between two timestamp attempts. The default is 0. |
| -v pvkFile | Specifies the private key (.pvk) file that contains the private key. |
| -x | Creates a timestamp for the file but does not create a signature. |
| -y type | Specifies the type of cryptographic provider to use. Cryptographic standards and algorithms are implemented by cryptographic providers. For a list of the default provider types, see "Microsoft Cryptographic Service Providers" in the Platform SDK. |
| -? | Displays the command syntax and options for the tool. |
Notes
To create a signature using a software publisher certificate (SPC) file, you must specify the -spc and -v options if the private key is in a PVK file. If the private key is in a registry key container, you must specify the -spc and -k options instead. If you use an SPC file to sign a file, create the SPC file with the Certificate Creation Tool (Makecert.exe) and the Software Publisher Certificate Test Tool (Cert2spc.exe).
Example
The following command signs XYZ.exe using the software publisher certificate in XYZ.spc and the private key in the registry key container XYZ:
signcode -spc xyz.spc -k XYZ XYZ.exe
The following command signs the assembly myAssembly using the certificate in myCertificate.spc and the private key in myKey.pvk:
signcode -spc mycertificate.spc -v mykey.pvk myassembly
See also
.NET Framework Tools
Certificate Creation Tool (Makecert.exe)
Software Publisher Certificate Test Tool (Cert2spc.exe)
SDK Command Prompt
Security Permissions (concepts)
Digital certificates are a remarkable thing: they ensure that software has not been modified, they indicate when the file was released and, most importantly, they greatly reduce false positives from antivirus software. That last benefit, of course, only applies to certificates issued by a trusted authority.
This article is not about applying for a certificate; it is about creating your own.
1. Install the Windows SDK
The SDK includes both the certificate-generation tools and the signing tool (Visual Studio also ships its own copies). The tools used below can be found in C:\Program Files\Microsoft SDKs\Windows\v7.0A\bin.
2. Create a certificate
MSDN's description of Makecert.exe (Certificate Creation Tool):
The Certificate Creation Tool generates certificates for testing purposes only.
It creates a public and private key pair for digital signatures and stores it in a certificate file.
The tool also associates the key pair with a specified publisher's name and creates a certificate that binds the user-specified name to the public part of the key pair.
Use this command line to create the certificate:
makecert -sv abc.pvk -r -n "CN=xxx Company" abc.cer
-sv abc.pvk creates a key file that holds the private key; you will be prompted for a password when it is created.
3. Create a software publisher certificate
MSDN's description of Cert2spc.exe (Software Publisher Certificate Test Tool):
The Software Publisher Certificate Test Tool creates a software publisher certificate (SPC) from one or more certificates.
Cert2spc.exe is for testing purposes only.
You can obtain a valid SPC from a certification authority such as VeriSign or Thawte.
Use the following command line to create the publisher certificate:
cert2spc abc.cer abc.spc
4. Export a PFX certificate file
Use the Pvk2pfx.exe tool to export a PFX file from the PVK file and the SPC:
pvk2pfx -pvk abc.pvk -pi mypassword -spc abc.spc -pfx abc.pfx -f
Replace mypassword with the password you entered in step 2.
5. Sign your own software
Signing is done with SignTool.exe. MSDN's description of SignTool.exe (Sign Tool):
Sign Tool is a command-line tool that digitally signs files, verifies signatures in files, and timestamps files.
To sign abc.exe:
signtool sign /f abc.pfx /p mypassword abc.exe
Replace the password with your own.
6. Timestamp your software
You can use the timestamp service provided by WoSign: http://timestamp.wosign.com/timestamp
signtool timestamp /t http://timestamp.wosign.com/timestamp abc.exe
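Steps 2 to 6 collected into one script, followed by a check of what the resulting signature actually proves. This is an added example, not code from the original post; it assumes makecert, cert2spc, pvk2pfx and signtool are on PATH (for example the SDK bin directory named in step 1), and the subject name, file names and password are placeholders.

```powershell
# Added example: the post's steps 2-6 as one script, plus a verification check.
# Assumes makecert, cert2spc, pvk2pfx and signtool are on PATH.
$ErrorActionPreference = 'Stop'
$Subject  = 'CN=xxx Company'   # placeholder subject name
$Password = 'mypassword'       # placeholder; makecert also prompts for it interactively
$Target   = 'abc.exe'          # the file to sign; it must already exist

function Invoke-Step([string]$Description, [string]$Exe, [string[]]$Arguments) {
    Write-Host "== $Description"
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# Step 2: self-signed test certificate and private key file (password prompt appears here)
Invoke-Step 'makecert' 'makecert' @('-sv', 'abc.pvk', '-r', '-n', $Subject, 'abc.cer')
# Step 3: wrap the certificate in a software publisher certificate
Invoke-Step 'cert2spc' 'cert2spc' @('abc.cer', 'abc.spc')
# Step 4: combine key and certificate into a PFX that signtool can use
Invoke-Step 'pvk2pfx' 'pvk2pfx' @('-pvk', 'abc.pvk', '-pi', $Password, '-spc', 'abc.spc', '-pfx', 'abc.pfx', '-f')
# Step 5: sign the file
Invoke-Step 'sign' 'signtool' @('sign', '/f', 'abc.pfx', '/p', $Password, $Target)
# Step 6: timestamp it as a separate step, as in the post
Invoke-Step 'timestamp' 'signtool' @('timestamp', '/t', 'http://timestamp.wosign.com/timestamp', $Target)

# Check: the signature is present, but a self-signed certificate does not chain to a
# trusted root, so the status is not Valid unless abc.cer was added to Trusted Root.
$sig = Get-AuthenticodeSignature -FilePath $Target
"Signer : {0}" -f $sig.SignerCertificate.Subject
"Status : {0} ({1})" -f $sig.Status, $sig.StatusMessage
# Default Authenticode policy: fails for this certificate for the same reason.
& signtool verify /pa /v $Target
```

The final two checks are what a recipient's machine performs; they make concrete the point that a self-made certificate produces a signature that verifies structurally but is not trusted.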
If the steps above were followed correctly, the result is as follows:
After signing, the software instantly looks professional, doesn't it?
Of course, a signature like this is just for show and has no practical use; a truly useful certificate has to be applied for from a professional certification authority.