If you decide to sign your code, you'll need:
- signcode.exe
- makecert.exe
- cert2spc.exe
- pvk2pfx.exe
What's the best place to download these tools?
Is there a way to do this without downloading large quantities of the Microsoft Windows SDK?
Start with the Windows SDK. That should have most of what you are looking for.
Also, SignCode.exe has been deprecated after .NET 1.1. SignTool.exe is the replacement.
In general, there are only a few SDK tools that are redistributable outside of the official package from Microsoft. They are listed in a redist.txt file. On my system, I found a .NET SDK redist.txt file in %ProgramFiles%\Microsoft.NET\SDK\v2.0 64bit (I assume the folder is called "v2.0" on x86 systems). Here's what it said:
.NET Framework SDK files
Subject to the license terms for the software, the following .EXE files may be distributed unmodified:
- MageUI.exe
- Mage.exe
- Makecert.exe
So it looks like the majority of those files will not be redistributable. So again, my answer is download the Windows SDK. Keep in mind you can install just a subset of the tools if you wish; the installer allows you to select/unselect any of the components (for example, just the .NET development tools).
I just installed Windows SDK for Windows 8. And I still could not find either SignTool.exe or SignCode.exe.
Until I realized that Microsoft has changed its installation path. Now it's installed to one of the following locations:
C:\Program Files (x86)\Windows Kits\8.1\bin\x64
C:\Program Files (x86)\Windows Kits\8.1\bin\x86
C:\Program Files (x86)\Windows Kits\8.0\bin\x64
C:\Program Files (x86)\Windows Kits\8.0\bin\x86
EDIT: On Windows 10, the binaries can be found under:
C:\Program Files (x86)\Windows Kits\10\bin\x86
I believe the first three are part of the .NET Framework SDK while the last one is on the Windows Driver Kit.
I couldn't find a document listing pvk2pfx.exe as part of the Platform SDK (now apparently Windows SDK), but that was where I originally thought it was from.
I tried the method below and it worked, although it does NOT get you SignCode.exe (which has been deprecated and replaced by SignTool.exe)
You can get SignTool.exe by installing just the C++ Windows Development Tools from the Visual Studio install (mine is ancient: 2005). More details on that @ Lindersoft.com.
How to convert PFX/P12 file to SPC/PVK format
Export Certificate with Private Key.
Use the export wizard with the following options:
Export Private Key (Yes)
DO NOT TICK include all certificates in the certification path if possible
TICK enable strong protection
DO NOT TICK delete private key
Prerequisite: OpenSSL 0.9.8 or better. OpenSSL 1.x preferred.
Note: If you are running Windows you may download OpenSSL here. Otherwise, you can find compiled binaries directly from the OpenSSL Website or consult your Operating System's package management feature.
Private Key (PVK)
Extract your Private Key from the PFX/P12 file to PEM format.
openssl pkcs12 -in PFX_FILE -nocerts -nodes -out PEM_KEY_FILE
Note: The PFX/P12 password will be asked. This is the password you gave the file upon exporting it.
Convert PEM Private Key to PVK format.
OpenSSL 0.9.8 series:
pvk -in PEM_KEY_FILE -topvk -out PVK_FILE
OpenSSL 1.x series:
openssl rsa -in PEM_KEY_FILE -outform PVK -pvk-strong -out PVK_FILE
Note #1: In order to use pvk for OpenSSL 0.9.8 series, you must download PVK Transform.
Note #2: A PEM passphrase may be asked. This will be the password/passphrase that you will use to sign your code.
Software Publisher's Certificate (SPC)
Extract Certificate from P12/PFX file.
openssl pkcs12 -in PFX_FILE -nokeys -out CERT_PEM_FILE
Convert Certificate to SPC format.
openssl crl2pkcs7 -nocrl -certfile CERT_PEM_FILE -outform DER -out SPC_FILE
Note: If you have exported your certificate from another browser outside of IE, then please ensure in the CERT_PEM_FILE that ONLY your certificate exists or else code signing will NOT WORK!
Example Conversion
PVK
openssl pkcs12 -in my_pfx_file.pfx -nocerts -nodes -out rsa.pem
openssl rsa -in rsa.pem -outform PVK -pvk-strong -out mykey.pvk
SPC
openssl pkcs12 -in my_pfx_file.pfx -nokeys -nodes -out cert.pem
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out cert.spc
This information courtesy of Komodo.
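The conversion steps in the answer above, wrapped as an added shell example that is not part of the original answer or of Komodo's instructions: it keeps the unencrypted key written by `-nodes` in an owner-only temporary directory, deletes it afterwards, and refuses to build the SPC unless the PEM file holds exactly one certificate. The function names, the temporary-directory layout and the use of `-clcerts` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answer). Function names, the temp-dir
# layout and the use of -clcerts are assumptions of this example.

# Print the number of PEM certificate blocks in a file.
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Succeed only if the file holds exactly one certificate, as the SPC step needs.
require_single_cert() {
    n=$(count_pem_certs "$1")
    if [ "${n:-0}" -ne 1 ]; then
        echo "error: $1 holds ${n:-0} certificates, expected exactly 1" >&2
        return 1
    fi
}

# Usage: pfx_to_pvk_spc PFX_FILE PVK_FILE SPC_FILE
pfx_to_pvk_spc() {
    pfx=$1; pvk=$2; spc=$3
    old_umask=$(umask)
    umask 077                        # new files readable by the owner only
    work=$(mktemp -d) || { umask "$old_umask"; return 1; }
    rc=0
    # -nodes writes the private key unencrypted, so it stays in the private
    # temp dir and is deleted below. -clcerts leaves CA certificates out of
    # the PEM file that becomes the SPC.
    openssl pkcs12 -in "$pfx" -nocerts -nodes -out "$work/key.pem" &&
        openssl rsa -in "$work/key.pem" -outform PVK -pvk-strong -out "$pvk" &&
        openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$work/cert.pem" &&
        require_single_cert "$work/cert.pem" &&
        openssl crl2pkcs7 -nocrl -certfile "$work/cert.pem" \
            -outform DER -out "$spc" || rc=1
    rm -rf "$work"
    umask "$old_umask"
    return "$rc"
}

# Run the conversion only when called with the three file arguments.
if [ "$#" -eq 3 ]; then
    pfx_to_pvk_spc "$1" "$2" "$3"
fi
```

OpenSSL prompts for the PFX password twice (once per `pkcs12` call) and for the new PVK passphrase once.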
Step 1: Download:
http://download.microsoft.com/download/A/6/A/A6AC035D-DA3F-4F0C-ADA4-37C8E5D34E3D/winsdk_web.exe
or
http://www.microsoft.com/en-us/download/details.aspx?id=8279
Step 2:
C:\Users\user1>"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe"