I am new to code signing. My goal is to be able to sign a setup.exe generated by Visual Studio and install it on my Windows 7 PC and my friends' Windows PCs without triggering unverified publisher or other warnings. The following approach did not work. What other steps do I need to take to achieve this?
On Windows 7, I followed the Original Answer at
How do I create a self-signed certificate for code signing on Windows? by completing following steps.
- created & imported CA
- created SPC & converted to PFX
- used first signtool command to sign a setup.exe generated by Visual Studio 2015.
The Digital Signatures General tab now says the "The digital signature is OK". But running the setup.exe on my Windows 7 PC triggers an Application Install Security Warning which says "The publisher cannot be verified. Are you sure you want to install this application?".
Related
I am trying to write a simple console app in Visual Studio 2022 and then debug it. This would be so simple but the IT dept here have added a group policy that all applications must be digitally signed before they can be executed.
How can I sign the compiled executable file in order to run it in the VS debugger? I have a PFX certificate file but nothing I've tried seems to add a signature to the file properties in the exe file in the bin folder.
Thank you in advance.
I have tried:
Installing the certificate which was successful.
Generating a strong name snk file and ticking the option to sign the assembly which was successful.
Running the signtool in PS to apply the certificate which failed.
I would like to sign the executable as part of the build process in order to hit F5 and debug as normal.
I am currently trying to sign VBA macros in Excel and Word and Powershell scripts via the cmd.
For this purpose I use the Microsoft signtool.exe as part of the Windows 10 SDK:
https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk/
Signing Powershell scripts using the following command works fine:
signtool.exe sign /f "testca.pfx" /fd SHA256 /p "123456" "test.ps1"
For signing macros in Office documents, "Microsoft Office Subject Interface Packages for Digitally Signing VBA Projects" is also required:
https://www.microsoft.com/en-us/download/confirmation.aspx?id=56617
I downloaded the .exe and executed it.
Registering the .dll files using: "regsvr32" also worked. The paths to the .dll files are visible in the registry.
Microsoft Visual C++ 2015-2019 Redistributable (x86) is also installed.
So theoretically I should be able to sign Excel macros now.
However, my server receives an error message with an error code, which I can't find anything about in Google.
Here is the complete output:
The following certificates were considered:
Issued to: TestCA
Issued by: TestCA
Expires: Wed Feb 03 08:53:09 2021
SHA1 hash: E19CE363C88CDBCE677FA170008D0AB0D98A02DC
After EKU filter, one certs were left. After expiry filter, 1 certs were left.
After Private Key filter, 1 certs were left. The following certificate was selected:
Issued to: TestCA
Issued by: TestCA
Expires: Wed Feb 03 08:53:09 2021
SHA1 hash: E19CE363C88CDBCE677FA170008D0AB0D98A02DC
The following additional certificates will be attached: Done Adding
Additional Store SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed. (-2147220492/0x800403f4)
I have now performed the installation as described above several times on different computers, all with admin rights and current updates:
Private win10 computer: .ps1 and .xlsm signing is possible
VM with win10 from work: .ps1 and .xlsm signing is possible
Private VM with win 7: only .ps1 signing works
Private VM with Win10: only .ps1 signing works
TerminalServer with Windows Server 2012: only .ps1 signing works
What you can probably say is that signtool.exe works as such, because I can sign PowerShell scripts on all machines.
But signing macros does not always work. Probably has something to do with the interface packages?
I hope somebody has had the same problem before and can help. Because I'm going crazy with this. Thanks a lot!
Well, it took me a long time, but I'm up and running now. If anybody else has the same problem:
The "Microsoft Office Subject Interface Packages for Digitally Signing VBA Projects" .zip contained a readme.txt saying "Microsoft Visual C++ Redistributal (x86)" must be installed. The link behind it downloaded the "Microsoft Visual C++ 2015-2019 Redistributal (x86)", which is the latest version.
I have now tested all available versions of the last years and the only working one is the 2010 version. I don't know why the readme.txt refers to a different version, but the bug and the "solution" are definitely reproducible.
Anyway, use Visual C++ 2010 and everything is fine!
I have a question related with code signing.
I have EV Code Signing certificate and crypto card. Usually when I sign exe or msi I use VS Command Prompt and SignTool but in case of VSTO SignTool does not recognize the file format.
I've created VSTO Excel 2010 addin (with compatibility with Office 2010, 2013 and 2016) and whole app packed into Windows Setup Project => msi.
I can sign msi using SignTool so during installtion the publisher is Windows prompt is safe/known. But then when I start Excel there is a prompt to install addin as it is from unknown publisher...
I've tried to use mage to update .vsto and .manifest files but with no success -> mage could not use this certifiacte to sign error and nothing else ...
Thanks in advance for any tips how to sign vsto using EV Code Signing with password.
Ok, so I figured out problem...
Deployment machine - Windows 10 build 15063.296 (64-bit)
Visual Studio 2017
EV Code Signing Certificate
Steps to undertake:
Update Visual Studio to version 15.5.
Open solution.
Clean solution.
Switch off all things from usb ports...
Switch on crypto card USB.
Right click on project.
In signing check the Sign the ClicOnce Manifest.
Select From Store and select Your EV certificate.
Build solution - You should get prompt for password to Your crypto card.
In my case solution was deployed using Windows Setup Project.
So:
Build setup project - You should also get prompt for password to Your crypto card.
Open Developers command prompt and use SignTool.exe to sign .msi with EV certificate.
As a result Your installer is signed and You are trusted publisher. When You open Office then Your add in is also from trusted publisher.
I am working with the infrastructure team on deploying a Windows 10 Universal app and running into some roadblocks. They are currently requesting a release version application that does not require a developer license to install. They are using SCCM, a tool that I am not familiar with, and are only being presented with OS requirements of Windows 10 Mobile (not Windows 10 (x86), (x64)) and are on hold until I solve the developer license issue.
Here is what I have done:
Create appx bundle via Visual Studio 2015 Professional
I chose that it will NOT be uploaded to the store
Used x86 and x64 in release mode for the configuration
License used from a domain CA for code signing and appears to work
Enabled "Allow all trusted apps to install" in local GP editor (my dev device)
Enabled sideloading in settings/update & security/for developers
When running the Powershell script, I am greeted with "Before installing this app, you need to do the following: - Acquire a developer license" and then it does some administrator prompting and cannot acquire a developer license.
If I put the device in developer mode, the script runs flawlessly and the application runs as expected.
Am I missing something that is causing me to require a developer license? Does it have anything to do with the package folder ending in _Test? It is the only output that it creates.
If I can provide any additional information, let me know. Thank you!
OK... I finally figured it out. It was nothing to do with the configuration or the app packaging. It was the Visual Studio 2015 generated PowerShell script that was requiring the developer license (Developer Mode). If I simply ran my own Add-AppxPackage PathToAppxBundle in PowerShell, it installed without certificate or developer prompt in Sideload mode. Note that the certificate is already installed via group policy in my case.
I'm developing a Windows Mobile application for internal company use, using the Windows Mobile 6 Professional SDK. Same old story: I've developed and tested on the emulator and all is well, but as soon as I deploy to advice I get an UnauthorizedAccessException when writing files or creating directories.
I'm aware that an application installed to a device needs to be signed but I'm running into roadblocks at every turn:
Using the project properties 'Devices' window I select 'Sign the project output with this certificate, and choose one of the sample certificates from the SDK. This results in a build error: "The signer's certificate is not valid for signing" when running SignTool.
If I try to run SignTool.exe from the commandline, I get an error telling me to run SignTool.exe from a location in the system's PATH.
I can't use the 'Signing' tab in the Project Properties to create a test certificate - this is greyed out (presumably for WinMobile projects?).
If at all possible, I would like to avoid having to go through Versign or the like to get a Mobile2Market certificate. If I have to go this route for a final version that's fine, but I need to at least be able to test the app on real devices.
Any advice would be most welcome!
First, make sure you really do need to sign it (you might be able to adjust the device security model).
If you do, then run signtool.exe, but from a Visual Studio command prompt. The easiest way to get there is fromt he Start menu, select Microsoft Visual Studio 2008->Visual Studio Tools->Visual Studio 2008 Command Prompt. This will set up all the proper pathing for you.