Using SignTool For Signing The Assemblies And Installer (MSI) With Visual Studio (2015, 2013 etc.)

Decided to share my Post-Build scripts which we use to sign the assemblies and the Installer package for our products. The whole thing started during the certification of one of our products for the “Windows Server R2” Microsoft Gold Partner level. One of the requirements is that all assemblies and installers (exe, msi) must be Authenticode signed.

Steps:

    1. Buying a certificate – https://msdn.microsoft.com/en-us/library/windows/hardware/hh801887.aspx
    2. Placing the pfx file in Source Control
    3. Setting an environment variable for the certificate password. One of the issues is that usually the company does not want all of the developers to be able to sign files with the company certificate, so I had to figure out a way to manage this. Decided to use environment variables (system-wide, because we want multiple accounts to be able to access them on the build server)
    4. Post-Build script which must sign two files:
      • the binary (assembly/executable) in the output folder
      • the binary (assembly/executable) in the obj folder (this is needed for the Setup project)
        Sample:

        REM Sign only Release builds; Debug builds are skipped entirely
        if "$(ConfigurationName)"=="Debug" GOTO end
        REM The certificate password comes from a system environment variable, never from the project files
        set x=%COMPANYSIGNPASSWORD%
        if "%x%"=="" (
        echo No environment variable for code signing - COMPANYSIGNPASSWORD. The assembly will not be signed!
        ) ^
        else (
         REM AnyCPU builds write to obj\Release, all other platforms to obj\Platform\Release
         if "$(PlatformName)"=="AnyCPU" (
         "C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe" sign /tr http://timestamp.CERTIFICATEPROVIDERNAME.com/scripts/timestamp.dll /d "$(SolutionName)" /f "$(SolutionDir)CERTIFICATEFILE.pfx" /p %x% /a "$(ProjectDir)obj\$(ConfigurationName)\$(TargetFileName)" "$(TargetDir)$(TargetFileName)"
         ) ^
         else (
         "C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe" sign /tr http://timestamp.CERTIFICATEPROVIDERNAME.com/scripts/timestamp.dll /d "$(SolutionName)" /f "$(SolutionDir)CERTIFICATEFILE.pfx" /p %x% /a "$(ProjectDir)obj\$(PlatformName)\$(ConfigurationName)\$(TargetFileName)" "$(TargetDir)$(TargetFileName)"
         )
        )
        :end

        Notes:

        • COMPANYSIGNPASSWORD is the name of the environment variable which holds the password for the certificate
        • We are signing only in “Release” mode to avoid slowing down normal debugging
        • The name of the obj subfolder is derived from the $(PlatformName) Visual Studio build macro
    5. Post-Build script which must sign the exe and msi of the setup project:
      FOR %%a in ("$(ProjectDir)debug\*.exe") DO "C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe" sign /tr http://timestamp.CERTIFICATEPROVIDERNAME.com/scripts/timestamp.dll /f "$(ProjectDir)..\OS201510053914.pfx" /p %COMPANYSIGNPASSWORD% /as "%%a"
      FOR %%a in ("$(ProjectDir)debug\*.msi") DO "C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe" sign /tr http://timestamp.CERTIFICATEPROVIDERNAME.com/scripts/timestamp.dll /f "$(ProjectDir)..\OS201510053914.pfx" /p %COMPANYSIGNPASSWORD% "%%a"
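      As an added example (not part of the original post), a verification step that can be appended to either post-build event: it runs signtool verify over the files that step signed and fails the build with a non-zero exit code if any of them is unsigned or its signature does not chain to a trusted root. It assumes the same signtool.exe path as above; the file list is a constructed sample and should be replaced with the outputs of the project it is placed in.

```batch
REM Added example, not from the original post: fail the build if signing did not take.
REM Assumes the signtool.exe path used by the signing scripts above.
@echo off
if "$(ConfigurationName)"=="Debug" goto end

set SIGNTOOL="C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe"
set FAILED=0

REM Constructed sample file list: replace with the outputs signed in this project's post-build event.
REM /pa uses the default Authenticode verification policy, the same one Windows applies to executables.
REM /v prints signer, certificate chain and timestamp details into the build log for later audit.
for %%f in ("$(ProjectDir)debug\*.exe" "$(ProjectDir)debug\*.msi") do (
  %SIGNTOOL% verify /pa /v "%%f"
  if errorlevel 1 (
    echo Signature verification failed for %%f
    set FAILED=1
  )
)

REM MSBuild treats a non-zero exit code from the post-build event as a build error
if "%FAILED%"=="1" exit /b 1
:end
```

Because signtool verify is run after signing, a missing COMPANYSIGNPASSWORD on the build server now stops the build instead of silently producing unsigned output.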
