Menu
I have a C#/.NET 4.5 x64 project in Visual Studio 2013. More than one developer works on this project, so the code is managed in Git. I'm signing the compiled .dlls and .exe with signtool.exe. My company bought a code signing certificate, and if I sign it manually from the command line like so:
signtool.exe sign /f cert.p12 /p "password" "compiled.dll"
...then it looks like everything's great: I get a success message and properties of the compiled DLL in Windows Explorer show it as properly signed. So, I have no problem with the actual signing process.
But, the certificate and its password must not live in Git. They will be provided out-of-band to all developers on the project. I can make the assumption that every developer when he's building the project will have the certificate stored in a predefined location on his computer and he'll know the password for it.
So, here's my question: how can I configure Visual Studio 2013 to automatically sign its compiled output without keeping the certificate or its password in Git? I want it to be as simple as, once the developer has the certificate in a predefined path (or imported, or whatever), and working on the assumption that the developer knows the password for the certificate, that clicking "Build" in Visual Studio 2013 just builds and signs it, no questions asked.
If the signing process can be non-interactive (no password prompt), that's a bonus. Eventually this will be part of a continuous integration (CI) server that may sign its output too, and because it's automated, nobody will be there to enter the password. However, I'll take any solution for now.
My certificate is a PKCS #12 format and is protected with a password. Windows claims it's not marked for export.
676
Steps to Sign Executable FilesInsert the USB token that you got from your CA into your system. Open the software SafeNet Client that you installed in your system. Open the command-line tool SignTool. Use the following command to digitally sign and timestamp your executable using SHA-256.
Extended Validation (EV) Code Signing Certificates include all the standard benefits of digitally signed code plus a rigorous vetting process and hardware security requirement, so your users can have even greater confidence in the integrity of. your applications.
There are no free code signing certificates. And be dubious of anyone that says they can offer you free code signing certificate for free. The short answer is there are compliance constraints that prevent it, and economic incentives to abide those constraints.
SignTool is a command-line tool that digitally signs files, verifies the signatures in files, and timestamps files. For information about why signing files is important, see Introduction to Code Signing.
A different way is to import the certificate in each developers private certificate store and then use the thumbprint with signtool like this:
signtool ... /sha1 'hex thumbprint' ...
Then you only need the password during the initial import of the certificate and not during builds.
159
A solution I've used before is similar to @Mikko's answer, but it's split into two pieces:
A local non-controlled script that just sets an environment variable containing the password. This is the file you give to each developer.
@echo off
set SIGNPASS=whatever
A source-controlled script that calls the previous script and the does the actual signing.
@echo off
setlocal
call "C:\local\signing_password.bat"
"C:\toolpath\signtool.exe" sign /f "c:\certpath\cert.p12" /p "%SIGNPASS%" "%1"
endlocal
The setlocal/endlocal pair ensure that the password doesn't leak into the environment if the script is run manually.
The "%1" is the path to the executable passed as a script parameter in the Post Build step.
..
33
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
