OpenRoads Designer CONNECT Edition SDK Help

How to digitally sign Add-In

We use Authenticode code signing for our software to prove that the installer comes from us and is safe to use; otherwise Windows shows a prominent warning that the application is from an "unknown publisher". To avoid this, you need a code signing certificate and must sign your file with it.

A digital signature is a specific type of electronic signature (e-signature) that relies on public-key cryptography to support identity authentication and provide data and transaction integrity.

Why do we have to sign digitally?

Signing protects a file from tampering and allows users to verify the signer based on a signing certificate.

The digital signature confirms the integrity of the message: it ensures that the information originated from the signer and was not altered, and it identifies the organization that created the signature. Any change made to the signed data invalidates the whole signature.

1. Create a self-signed certificate using a PowerShell script
</gre_replace>
<gr_replace lines="17" cat="clarify" orig="Procedure for signing">
Procedure for digitally signing a DLL/EXE using a self-signed certificate

Procedure for signing the Dll/exe digitally using the self certificate

Prerequisites:

  1. Windows PowerShell, to create the certificate

  2. SignTool.exe, a command-line tool that digitally signs files.

Note: These steps are intended for testing purposes only and do not involve any paid tools for certificate creation or signing.

  • Open "Windows PowerShell".
  • Syntax to create your own code signing certificate: run the commands below in Windows PowerShell
$certname = "{certificateName}"    ## Replace {certificateName} with the name you want in the certificate subject
$cert = New-SelfSignedCertificate -Type CodeSigning -Subject "CN=$certname" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256    ## -Type CodeSigning gives the certificate the Code Signing EKU that SignTool looks for

Example

$certname = "MyCertificate"
$cert = New-SelfSignedCertificate -Type CodeSigning -Subject "CN=$certname" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256

  • Export the certificate
Export-Certificate -Cert $cert -FilePath "C:\Users\admin\Desktop\$certname.cer"   ## Specify your preferred location; the .cer file contains only the public certificate, not the private key

Example

Export-Certificate -Cert $cert -FilePath "D:\$certname.cer"

This exports the created "MyCertificate.cer" file to the D drive.

  • Now double-click "MyCertificate.cer" to install the certificate. This opens a window like the one shown in the image below.

Click Install Certificate and follow the steps until the import is finished.

  • Once the certificate is created, verify that it has been added to the local certificate manager store (certmgr.msc).

From Windows search, open "certmgr.msc".

This opens the window shown below; the imported certificate should appear there.

2. Sign your DLL with the created self-signed certificate

  • Once the certificate is created, sign your DLL with it.
  • Use SignTool.exe, Microsoft's tool for signing DLLs, EXEs and similar files.
  • The default location for this tool is C:\Program Files (x86)\Windows Kits\10\bin\x86
  • Follow the procedure below to sign your DLL with "SignTool.exe".
  • Run the "Command Prompt" as administrator.

Change the command prompt directory to the SignTool.exe location. Here it is C:\Program Files (x86)\Windows Kits\10\bin\x86 (you may need to change this to match where SignTool.exe is installed on your machine).

cd "C:\Program Files (x86)\Windows Kits\10\bin\x86"

  • General syntax:
signtool sign /f "c:\codesigningcertificate\digicert_certificate\codesigningcertificate.pfx" /p "yourpasswordhere" /td SHA256 /fd SHA256 "c:\codesigningcertificate\example_software.dll"

The parameters in the command above may vary depending on your requirements (for example, /p is only needed when the certificate file is a password-protected PFX).

Example

1. signtool sign /f "D:\MyCertificate.cer" /td SHA256 /fd SHA256 "D:\PIAlignmentCreator.dll"
2. signtool sign /a /td SHA256 /fd SHA256 "D:\PIAlignmentCreator.dll"

The command prompt shows a "Successfully signed" message once the DLL has been signed.

3. Add a timestamp

"http://timestamp.sectigo.com" is the freely available timestamp server URL used here. A timestamp lets the signature remain valid after the signing certificate expires.

signtool timestamp /t "http://timestamp.sectigo.com" "D:\PIAlignmentCreator.dll"

The command prompt shows a success message on completion.

4. Validate the signature

Once the DLL is successfully signed, check the DLL's properties: a new tab named "Digital Signatures" appears in the Properties window of the DLL.
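The sign-and-validate cycle of steps 2 to 4 as one PowerShell script, added here as an example that is not part of the original page. It assumes the certificate from step 1 already exists in Cert:\CurrentUser\My; the DLL path and timestamp URL are the ones used in the examples above.

```powershell
# Added example (not from the original page): sign, timestamp and validate an add-in DLL
# in PowerShell, using the self-signed certificate created in step 1. Paths are assumptions.
$certname = "MyCertificate"
$dll      = "D:\PIAlignmentCreator.dll"     # assumed path of the add-in to sign
$tsa      = "http://timestamp.sectigo.com"  # timestamp server from step 3

# Select the certificate created in step 1 from the current user's store.
# -CodeSigningCert limits the search to certificates carrying the Code Signing EKU,
# which is what SignTool's /a option also looks for.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -eq "CN=$certname" } |
        Select-Object -First 1
if (-not $cert) { throw "Certificate CN=$certname not found in Cert:\CurrentUser\My" }

# Sign with SHA-256 and request a timestamp in one step; this is the PowerShell
# equivalent of "signtool sign ... /fd SHA256" followed by "signtool timestamp".
$result = Set-AuthenticodeSignature -FilePath $dll -Certificate $cert `
            -HashAlgorithm SHA256 -TimestampServer $tsa
"Signing status: $($result.Status) - $($result.StatusMessage)"

# Validate: the scriptable form of the "Digital Signatures" tab from step 4.
$sig = Get-AuthenticodeSignature -FilePath $dll
"Signer    : $($sig.SignerCertificate.Subject)"
"Timestamp : $($sig.TimeStamperCertificate.Subject)"
"Status    : $($sig.Status)"

# A self-signed certificate chains to no trusted root, so unless MyCertificate.cer has
# been imported into "Trusted Root Certification Authorities" (and "Trusted Publishers"
# for silent trust) on this machine, Status is UnknownError with a "root certificate
# which is not trusted" message rather than Valid. The file is still signed; only the
# trust decision fails, which is the expected outcome of this test setup.
if ($sig.Status -eq 'Valid') {
    "Signature is present and chains to a trusted root"
} else {
    "Signature is present but not trusted on this machine (expected for self-signed)"
}
```

Running the script a second time re-signs the file, so the Status line also confirms that the original signature was not simply left in place.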