The purpose of code signing is to verify who the author of the software is and that the software hasn’t been tampered with since it was signed.
The threat of viruses, and the potential damage an executable can cause to a computer system, is something we all know can cost a lot of time and money to fix. We as developers need to relate to this, and I will share my experience in this post.
Most of you probably have experience setting your website up with SSL. This lets you run a secure website using a private and public key pair issued by a trusted root certificate authority. The same goes for code signing, where you will have to obtain a Code Signing Certificate. I will show you how to do this.
There are 3 steps you will have to take to obtain your Code Signing Certificate and get it ready for signing your application.
1. Apply for a Code Signing Certificate from a certificate authority.
There are two types of Code Signing Certificates you can obtain from your certificate authority: a Standard Code Signing Certificate or an Extended Validation (EV) Code Signing Certificate. The difference is that the EV Code Signing Certificate offers a stronger level of assurance that the identity of the publisher is correct. In this case there is a stricter vetting process to assure end users of the identity of the publisher. The price will be a lot higher. The upside is that you will get those SmartScreen warning messages removed from Windows. There are multiple Certificate Authorities to choose from; I recommend DigiCert or GlobalSign, but a quick search online will give you a lot of options. They do differ in price and quality of support.
2. Install your Code Signing Certificate
There are several options for how to install your Code Signing Certificate. Some certificate authorities will provide you with a link and more or less install it for you in your browser’s Personal certificate store. Some certificate authorities have a less automated approach where you will have to create your key on a server before applying, and then install the certificate on the IIS server where you created the request. Both are fine, because what you are after is exporting your certificate to a .pfx file (Personal Information Exchange). This is the file you use to sign your executables.
3. Exporting your Code Signing Certificate to a .pfx file.
Exporting your Code Signing Certificate to a .pfx file will differ depending on where you have installed it: in a browser or on IIS. I will give a short example for the case where your Code Signing Certificate is installed in IE, but the approach is the same in other browsers or on IIS.
Go to Settings -> Internet Options -> Content and open Certificates
Click on Export
Make sure you select Yes, export the private key
Make sure you select Personal Information Exchange and Include all certificates in the certification path if possible.
Click Next and save, and you now have a .pfx file you can use for signing both your executables and your setup file.
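To show what the exported .pfx file is then used for, here is an added example (not part of the original post) that signs an executable with it and verifies the signature using PowerShell's built-in cmdlets. The .pfx path, the file to sign and the timestamp server URL are placeholders you will need to replace with your own.

```powershell
# Added example, not from the original post: sign an executable with the
# exported .pfx and verify the result with PowerShell's built-in cmdlets.
# Assumptions: the .pfx path, file to sign and timestamp URL are placeholders.
param(
    [string]$PfxPath      = 'C:\certs\codesign.pfx',            # placeholder path
    [string]$FileToSign   = 'C:\build\MyApp.exe',               # placeholder path
    [string]$TimestampUrl = 'http://timestamp.example.invalid'   # replace with your CA's RFC 3161 server
)

# Prompt for the .pfx password so it never ends up in a script or in shell history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Load the certificate and its private key from the exported .pfx file.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $pfxPassword)
if (-not $cert.HasPrivateKey) {
    throw 'The .pfx does not contain a private key; re-export with "Yes, export the private key".'
}

# Check that the certificate is actually issued for code signing (EKU 1.3.6.1.5.5.7.3.3).
$codeSigningOid = '1.3.6.1.5.5.7.3.3'
$ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasCodeSigningEku = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid })
if (-not $hasCodeSigningEku) {
    throw "Certificate $($cert.Thumbprint) is not a code signing certificate."
}

# Sign with SHA-256 and a trusted timestamp, so the signature stays valid
# after the certificate itself expires.
$signature = Set-AuthenticodeSignature -FilePath $FileToSign -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $TimestampUrl
if ($signature.Status -ne 'Valid') {
    throw "Signing failed: $($signature.Status) - $($signature.StatusMessage)"
}

# Verify the way an end user's machine would: the status must be Valid. A file
# modified after signing reports HashMismatch; an untrusted issuer reports NotTrusted.
$check = Get-AuthenticodeSignature -FilePath $FileToSign
'{0}: {1} (signed by {2})' -f $check.Path, $check.Status, $check.SignerCertificate.Subject
```

Run the same Get-AuthenticodeSignature check on the signed setup file before you ship it; anything other than Valid means the file should not be distributed.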
Thanks for reading.