Sunday, January 28, 2018

Comodo Code Signing Certificate

From application and verification to installation and signing

Date: January 2018
Operating system: Windows 10 (64-bits)
Browser: Firefox Quantum 57.0.4 (64-bits)
Development software: Microsoft Visual Studio 2017
Setup software: IndigoRose Setup Factory 9.5

Intro

If you have ever distributed software on the Internet, you have probably seen the security warnings that Microsoft shows when your software is downloaded. Apart from that, it is good practice to sign your software with a digital certificate, so the user knows that he or she is dealing with a legitimate party and that the software has not been tampered with since you signed it. A Code Signing Certificate takes care of both. However, requesting such a certificate can be a long and frustrating process, and once you finally have the certificate, signing your software with it can be quite a task of its own. That is why I wrote this article with all the steps I took from start to finish. Hopefully it helps you through the certification process and with signing your software.

First the how and why: 
  • I have applied for the certificate as a private person 
  • I want to use the certificate to sign a Visual Studio application 
  • I want to use the certificate to sign the setup


Order the certificate

I ordered my Comodo Code Signing certificate at SSLPoint because of the price. SSLPoint forwards the order to Comodo. Be aware that you have to submit the order on the same computer and with the same browser that you will use to retrieve the certificate later in the process. Pay attention: Chrome and Microsoft Edge do not work. I use Firefox. Comodo wants to verify your identity before the certificate is issued; as of 2017 they also do this for a renewal. Your identity must be verified face to face at a notary. Comodo sends you an e-mail with a link from which you can download the necessary documents. You must bring the following to the notary:

  1. Comodo's form that you just downloaded, with instructions for the notary. The third page must be completed and signed by you and the notary.
  2. A valid identity document (ID card, driver's license or passport). Take your original ID, not a copy. The notary makes the copies.
  3. One of the following financial documents:
    • a credit card (what I did)
    • a bank card, if there is a validity date on it
    • a mortgage statement no older than 6 months
    • a bank statement no older than 6 months
  4. One of the following documents:
    • a bill for a fixed telephone line (mobile is not permitted)
    • a gas, water or electricity bill, provided it is addressed to a fixed address
    • a rental agreement no older than 6 months
    • an official copy of your birth certificate
    • a bill for municipal taxes of the past year
    • an official copy of a court order

TIP 1: Always bring original documents. Documents must be dated and contain the addresses of you and the sender.

TIP 2: Ensure that the notary signs all documents. I have personally experienced that I had to go back when this did not happen.

TIP 3: If you have a bill for a land line, take it with you to the notary, because Comodo wants to verify your telephone number later in the process by means of a land line bill. If someone has gone through this process without a land line, I would like to hear how that went.

Verifying my identity at the notary was free in my case. I can imagine that this is not the case with all notaries. Once all forms have been completed and signed by the notary, you have to scan them and send them back to Comodo. Comodo also wants to make sure that they are dealing with a legitimate notary. It is therefore advisable to include in your e-mail a link from a notaries' register to the notary you went to. In the Netherlands you can use https://www.knb.nl/home.

The final step in the verification process (in my case) was a callback. You receive an e-mail with a link you need to click. At that moment you are called at the telephone number you provided and are given a PIN code, which you then have to enter on the relevant web page.

I would like to hear from people how the verification process works if you do not have a land line.

Collecting the certificate

When Comodo has verified your identity, you will receive an e-mail stating that you can collect the certificate. You must click on a link to retrieve the certificate.

Attention! The e-mail states that you can do this with Chrome. At the time of this writing Chrome does not work (Chrome version 63.0.3239.132, official build, 64-bit). Microsoft Edge does not work either. The best option seems to be Firefox, which is what I used. It also appears to be important that you retrieve the certificate with the same computer you used to apply for it. No worries: once you have received the certificate you can use it on multiple computers.

Once the certificate has been collected and installed, you can check in Firefox whether the installation succeeded. Go to Options, Privacy & Security, and click the View Certificates button. Your certificate must be visible in the first tab (Your Certificates).

It is advisable to create an account at https://www.comodo.com/login/comodo-members.php. In this environment you can see your certificate, download it, or replace the already issued certificate if something went wrong during collection or if you have forgotten the certificate's password.

Exporting the certificate

The certificate is installed, but now you want to sign software with it. To do that you first need to export the certificate together with its private key. In Firefox (or the browser you used) go to Options, Privacy & Security, and click the View Certificates button.

Select the certificate and click the Backup button. Choose a location and a name, and save the certificate with the extension .p12. A .p12 file is the same PKCS #12 format as a .pfx file, so if necessary you can simply rename it to a .pfx extension. A password is requested when saving: choose one and make sure you do not forget it, because it protects the private key inside the file. You can export the certificate as many times as you like, as long as you still have the computer and operating system on which the certificate was originally installed.
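Before handing the exported file to a build, it is worth checking that it really contains the private key and a certificate that is valid for code signing. The following PowerShell check is an added example and not part of the original post; the file path is assumed to be the one you chose in the backup step, and the password is prompted for.

```powershell
# Added example: inspect an exported .p12/.pfx before using it to sign anything.
# $PfxPath is an assumption; .p12 and .pfx are the same PKCS #12 format.
$PfxPath     = 'C:\Projects\YourProjectMap\YourCertificate.p12'
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword, $flags)

# 1. Without the private key the file can only be used to verify, never to sign.
if (-not $cert.HasPrivateKey) {
    throw "$PfxPath contains no private key; export again and include the private key."
}

# 2. The Extended Key Usage extension (OID 2.5.29.37) must list Code Signing (1.3.6.1.5.5.7.3.3).
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$codeSigning = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' }
if (-not $codeSigning) {
    throw "Certificate $($cert.Thumbprint) is not a Code Signing certificate."
}

# 3. signtool refuses an expired certificate; a timestamp only preserves signatures
#    that were made while the certificate was still valid.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 4. Build the chain to a trusted root for the code-signing policy, the same test
#    Windows performs when a user runs the signed file.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$null  = $chain.ChainPolicy.ApplicationPolicy.Add(
            [System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3'))
if (-not $chain.Build($cert)) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Chain does not validate: $reasons"
}

"OK: $($cert.Subject)"
"    thumbprint $($cert.Thumbprint), expires $($cert.NotAfter), issued by $($cert.Issuer)"
```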

Sign your own software

There are several ways to sign the software you developed with Microsoft Visual Studio. The most logical choice is to do this within Visual Studio, under the project properties on the Signing tab. You will probably get the following error message when building: Can not import the following key file: certificate.pfx. The key file may be password protected. To correct this, try to import the certificate again. There are various articles on the Internet about this problem; most of them focus on the sn.exe (Strong Name) tool, with which a key can be installed in a key container.

In the end, only one way worked for me: a post-build event under the project properties, Build Events. Here I use signtool.exe from Visual Studio. With Visual Studio 2017 you can find signtool at the following location: "C:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x64\signtool.exe". If the tool is not there, you have to install it by starting the Visual Studio Installer: go to 'Individual Components' and select 'Windows 10 SDK (10.0.15063.0) for UWP: C#, VB, JS'.

The big advantage of this method is that you can sign the application twice: once with SHA-1 (for pre-Windows 7 systems) and once with SHA-256. Once signtool.exe is installed, enter the following as post-build events in Visual Studio.

SHA-1 signing
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x64\signtool.exe" sign /f "C:\Projects\YourProjectMap\YourCertificate.pfx" /p YourCertificatePassword /t http://timestamp.comodoca.com/authenticode $(TargetPath)

SHA-256 signing
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x64\signtool.exe" sign /f "C:\Projects\YourProjectMap\YourCertificate.pfx" /p YourCertificatePassword /fd sha256 /tr http://timestamp.comodoca.com/authenticode /td sha256 /as $(TargetPath)

If you now build your project, the application is signed twice with your certificate. Finally! :)
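The two commands above put the certificate password in the project file and in every build log. The following PowerShell script is an added example, not from the original post: it runs the same two signtool commands with the password taken from an environment variable, and then verifies both signatures, which the post-build events alone never do. The script name (sign-build.ps1), the PFX_PASSWORD variable and the parameter defaults are assumptions; the paths and timestamp URL are the ones used above.

```powershell
# Added example: dual-sign a build output and verify the result.
# Call from the post-build event as:
#   powershell -NoProfile -ExecutionPolicy Bypass -File "$(ProjectDir)sign-build.ps1" -TargetPath "$(TargetPath)"
param(
    [Parameter(Mandatory = $true)] [string] $TargetPath,
    [string] $PfxPath   = 'C:\Projects\YourProjectMap\YourCertificate.pfx',
    [string] $SignTool  = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x64\signtool.exe',
    [string] $Timestamp = 'http://timestamp.comodoca.com/authenticode'
)
$ErrorActionPreference = 'Stop'

# The password comes from the environment (PFX_PASSWORD is an assumed name), so it is
# not stored in the .csproj and does not end up in source control with the project.
$pfxPassword = $env:PFX_PASSWORD
if (-not $pfxPassword) { throw 'Set the PFX_PASSWORD environment variable before building.' }
if (-not (Test-Path $SignTool)) { throw "signtool.exe not found at $SignTool (install the Windows 10 SDK)." }

# Signature 1: SHA-1 digest with an Authenticode timestamp, for pre-Windows 7 systems.
& $SignTool sign /f $PfxPath /p $pfxPassword /t $Timestamp $TargetPath
if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing failed with exit code $LASTEXITCODE" }

# Signature 2: SHA-256 digest with an RFC 3161 timestamp, appended (/as) so signature 1 is kept.
& $SignTool sign /f $PfxPath /p $pfxPassword /fd sha256 /tr $Timestamp /td sha256 /as $TargetPath
if ($LASTEXITCODE -ne 0) { throw "SHA-256 signing failed with exit code $LASTEXITCODE" }

# Verify every signature in the file (/all) against the default Authenticode policy (/pa);
# without /pa signtool applies the kernel driver policy and rejects ordinary applications.
& $SignTool verify /pa /all /v $TargetPath
if ($LASTEXITCODE -ne 0) { throw "Signature verification failed with exit code $LASTEXITCODE" }

# Second opinion from Windows itself on the primary signature, including the timestamp.
$sig = Get-AuthenticodeSignature -FilePath $TargetPath
if ($sig.Status -ne 'Valid') {
    throw "Get-AuthenticodeSignature reports $($sig.Status): $($sig.StatusMessage)"
}
"Signed:      $TargetPath"
"Signer:      $($sig.SignerCertificate.Subject)"
"Timestamper: $($sig.TimeStamperCertificate.Subject)"
```

A non-zero exit from the script fails the build, so an unsigned or badly signed binary never leaves the build directory unnoticed.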

Sign your setup program

If you make your program available for download on the Internet, users will see security notifications unless you sign the setup.exe with a certificate. Signing the setup.exe can be done with the same certificate. Below is a description of signing the setup.exe with Setup Factory 9.5 from Indigo Rose. Open your setup project in Setup Factory and choose Publish -> Settings in the menu, then go to the Code Signing tab. It is possible to sign the setup.exe for both pre-Windows 7 systems (SHA-1) and for Windows 7 and later (SHA-256).

Check the boxes 'Code sign setups', 'Sign with SHA-256' and 'Sign with SHA-1'. Like Visual Studio, Setup Factory needs signtool.exe; enter its path at 'SignTool location'. Select your Code Signing certificate at 'SHA-256 certificate' and enter the password in the next field. In the timestamp field type the following: http://timestamp.comodoca.com/authenticode. Finally, select the option 'Use SHA-256 certificate'. Your setup will now be neatly signed.

I hope this article was helpful. Good luck with signing!
