Created November 5, 2022 21:57
Create code-signing certificate to sign Windows executable
Notes to create a personal code-signing certificate. Assumes that Easy-RSA is already set up as Certificate Authority.

Tools used:
    OpenSSL
    Easy-RSA
    signtool.exe (winget install Microsoft.WindowsSDK)

Using OpenSSL:

Generate a key and a certificate signing request

    openssl genrsa -out code.key
    openssl req -new -key code.key -out code.req

Using Easy-RSA:

Import the certificate signing request

    ./easyrsa import-req code.req code

Sign the certificate for code-signing

    ./easyrsa sign-req code-signing code

To use our new certificate with signtool, we need to bundle everything together. Using OpenSSL, bundle the
private key, public certificate, and CA public certificate in a pkcs12 file. Easy-RSA writes the signed
certificate to pki/issued/code.crt; the command below expects a copy named code.crt in the current directory.

    openssl pkcs12 -export -out code.pfx -inkey code.key -in code.crt -certfile easy-rsa/pki/ca.crt

In Windows PowerShell, use signtool to sign your executable. Depending on the version of signtool.exe, it may
be in a different directory. For me, it is in "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\"

    signtool.exe sign /f code.pfx /fd SHA256 /p 'mypassword' /t http://timestamp.digicert.com myprogram.exe
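
A pre-flight check to run before the pkcs12 bundling step, as an added example that is not part of the original notes: it confirms that the issued certificate chains to the CA, carries the Code Signing extended key usage, and matches the private key. The function names and the throwaway demo PKI built by make_demo_pki are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original notes. File names are placeholders.

# check_codesign_cert KEY CERT CA: returns 0 only if CERT is fit for bundling.
check_codesign_cert() {
  key=$1 crt=$2 ca=$3
  # 1. The certificate must chain to the CA that will go into the .pfx.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
    { echo "FAIL: $crt does not verify against $ca"; return 1; }
  # 2. The sign-req type sets the Extended Key Usage; it must be Code Signing.
  openssl x509 -in "$crt" -noout -text |
    grep -A1 'X509v3 Extended Key Usage' | grep -q 'Code Signing' ||
    { echo "FAIL: $crt lacks the Code Signing extended key usage"; return 2; }
  # 3. The private key must be the one the certificate was issued for.
  [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$crt" -noout -pubkey)" ] ||
    { echo "FAIL: $key does not match $crt"; return 3; }
  echo "OK: $crt"
}

# make_demo_pki DIR: constructed sample input (throwaway CA, one leaf per EKU).
make_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo CA' \
    -keyout "$d/ca.key" -out "$d/ca.req" 2>/dev/null
  openssl x509 -req -in "$d/ca.req" -signkey "$d/ca.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
  for eku in codeSigning serverAuth; do
    printf 'extendedKeyUsage=%s\n' "$eku" > "$d/$eku.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo $eku" \
      -keyout "$d/$eku.key" -out "$d/$eku.req" 2>/dev/null
    openssl x509 -req -in "$d/$eku.req" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -days 1 -extfile "$d/$eku.ext" -out "$d/$eku.crt" 2>/dev/null
  done
}

# Usage: sh check.sh code.key code.crt easy-rsa/pki/ca.crt
if [ "$#" -eq 3 ]; then check_codesign_cert "$@"; fi
```

A certificate signed with a different Easy-RSA type (for example server) fails step 2, which is the case to catch before signtool is handed the bundle.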