.NET · Code signing · WPF

Code signing WPF Application – Part 2

By now you have obtained your Code Signing Certificate and exported it so you have your .pfx file ready to go. In case you have not done this you can read the 3 step guide on how to do this here.

Now we are ready to sign your executables with your trusted Code Signing Certificate. There are several options on how to do this depending on how atomized you want this to be. I will briefly step into a couple of ways of doing this.

1. The manual way using Signtool

This only applies to simple Code Signing an executable file, if you want to perform a dual Code Signing and make SHA256 catalogs that is a different story. Anyway, this would be a good and simple starting point.

Signtool itself is a part of Windows SDK and is a command-line tool that enables you to digitally sign files. You can also use this tool for time stamping files and verify that files are signed.
To sign your executables with Signtool going about this the manual way I usually create a .bat file that I can run after build on my application. I have created a WPF Application called CodeSigning and built it. I will then end up with an executable CodeSigning.exe.

In my CodeSigning Command I will need the following:

– Path to Signtool.exe: “C:\Program Files (x86)\Windows Kits\10\bin\x86\”
– Path to your .pfx file: /f “C:\your path\theexportedcertificate.pfx”
– Password: /p YouPfxPassword
– Path to the timestamp server: /t http://timestamp.digicert.com
– Path to the file you want to sign: “C:\your path\CodeSigning.exe” (My sample project executable)

So your SignMyApp.bat file will look like this:

C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe" sign /t http://timestamp.digicert.com /f "C:\your path\theexportedcertificate.pfx" /p YouPfxPassword "C:\your path\CodeSigning.exe"

Before you run this command with Signtool you can actually go to your executable and right click for properties to verify whether or not the application is sign. (Before signing it should of course not be)

codesigningpart2-1

I you now run you command and sign the file you will get and additional tab ‘Digital Signatures’ to your executable property tabs. Now you know that your application is sign with your Code Signing Certificate.

codesigningpart2-2

You can also verify that your application is sign using Signtool. Using /v will return the signer of the certificate as well.
C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe” verify /v “C:\your path\CodeSigning.exe”

2. Atomize the signing of your application in Visual Studio.

I actually prefer signing my application manually setting up a command-line script in an .bat file and running that just before deploy of my application. The reason for that is that I don’t really need signing the application on every build or deploy. Never the less there are many ways of setting this up in Visual Studio, here is what I found to be the best approach.

Add you .pfx Code Signing Certificate file into you project.

Right click your project in Visual Studio and click “Unload Project”

codesigningpart2-3

Right click you project again and click Edit yourprojectname.csproj

codesigningpart2-4

At the end of the file add your signing:

<Target Name="AfterCompile">
    <Exec Command="&quot;C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe&quot; 
      sign /f &quot;$(ProjectDir)theexportedcertificate.pfx&quot; /p YouPfxPassword
      /v &quot;$(ProjectDir)obj\$(ConfigurationName)\$(TargetFileName)&quot;" />
  </Target>

codesigningpart2-5

Now your application will be signed after each compile.

Thanks for reading.