I am trying to sign an EXE that must run with elevated privileges (in Administrator mode). The manifest has this:
Development machine: Vista Enterprise x64, MS Visual Studio 2008 Team / Database, UAC off
Target machine: Vista Ultimate x64, UAC on
Obviously, I have a Comodo code signing certificate. Using it “as is” (exported to PFX using certificate manager with all options except Export Private Key off), and using certutil, both cause errors. Using the OpenSSL fix gets rid of the error, but does not seem to sign the assembly.
> Obviously, I have a Comodo code signing certificate. Using it “as is” (exported to PFX using certificate manager with all options except Export Private Key off), and using certutil, both cause errors. Using the OpenSSL fix gets rid of the error, but does not seem to sign the assembly.
What errors did you get?
How do you sign your exe file? Are you using signtool?
When using the Solution Properties → Signing → Sign the Assembly (NOT signtool.exe), the following occurs:
If I export the original certificate from Comodo and use the certutil.exe fix, I receive the “Object already exists” error on compile.
If I export the original certificate, then modify using OpenSSL saving to a .key file, and then re-creating a .pfx file, there is no error on compile. However, the EXE that is created is not signed – right clicking the EXE, and selecting properties shows no Digital Signatures tab. Also, the application comes up with the ugly UAC warning on privilege elevation.
WORKAROUND -
Signtool.exe works using the original provided certificate (and pretty much any variation of exported/reimported). However, it is a pain in the neck. Here is my procedure, on a solution that has my application project, and an Installer project:
1. I am using the 64-bit signtool.exe from the .NET framework 2 that is 75,776 bytes and dated 9/23/2005.
2. “Sign the Assembly” is unchecked (not turned on).
3. Open the solution that contains both the application project and the installer project.
4. In the solution explorer, click on the application project, click Build -> Build (build the application project, not the installer project, nor the entire solution).
5. Open cmd, run signtool with the signwizard option: signtool.exe signwizard
6. Browse to the obj\Release directory and select the EXE (NOT the exe in the bin directory).
7. Select Typical.
8. Select from Store (the other buttons are greyed out), click Comodo certificate.
9. Copy from the obj\Release directory to the bin directory. This step isn’t necessary if you’re continuing on, as step 10 copies the file from obj\Release → Bin; if you signed the copy in the Bin directory, it will get overwritten by the unsigned one in obj\Release.
10. Click the installer project and build it (do not rebuild the application project!).
11. Go to the Bin directory, right click .exe, click properties, and make sure that the Digital Signatures tab is there.
12. Open cmd, run signtool with the signwizard option: signtool.exe signwizard
13. Go to the Installer\Release directory, select all file types, and select the .msi (not setup.exe).
14. Repeat steps 5-8.
You now have a signed installation package. Note that it was not necessary to create a PFX; everything is done from the certificate store.
Now, this is a horrible pain in the neck, because there are many little steps, and Visual Studio will sometimes recompile .exe when the msi (installer) is built. This means the new msi has an unsigned EXE in it, and you don’t know this.
It would be so much better if you could simply click “Sign the Assembly” and have it all work automatically…
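The manual workaround above, automated as a PowerShell script so that the silent re-compile problem is caught instead of shipped. This is an added example, not code from the thread: the solution, project names and certificate thumbprint are placeholders, and it assumes devenv.com (the console build front end of Visual Studio) and signtool.exe are on PATH.

```powershell
# Added example (not from the thread). Signs straight from the certificate
# store, as the signwizard does, so no PFX export is needed. All values
# below are placeholders; adjust them for your own solution.
$Solution         = 'MySolution.sln'                                   # placeholder
$AppProject       = 'MyApp'                                            # placeholder
$InstallerProject = 'MyAppSetup'                                       # placeholder
$CertThumbprint   = '0123456789ABCDEF0123456789ABCDEF01234567'         # placeholder
$TimestampUrl     = ''   # optional: an Authenticode timestamp server URL, if you use one

$ObjExe = "$AppProject\obj\Release\$AppProject.exe"
$BinExe = "$AppProject\bin\Release\$AppProject.exe"
$Msi    = "$InstallerProject\Release\$InstallerProject.msi"

function Invoke-Checked([string]$Exe, [string[]]$Arguments) {
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

function Add-Signature([string]$Path) {
    # /sha1 selects the store certificate by thumbprint; /v prints what was signed.
    $sigArgs = @('sign', '/sha1', $CertThumbprint, '/v')
    if ($TimestampUrl) { $sigArgs += @('/t', $TimestampUrl) }
    Invoke-Checked 'signtool.exe' ($sigArgs + $Path)
}

function Confirm-Signature([string]$Path) {
    # The failure mode described in the thread: Visual Studio re-creates the EXE
    # while building the installer and the MSI silently carries an unsigned copy.
    # Stop the pipeline unless the signature is valid and made with our certificate.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { throw "$Path is not validly signed: $($sig.Status)" }
    if ($sig.SignerCertificate.Thumbprint -ne $CertThumbprint) {
        throw "$Path was signed with an unexpected certificate"
    }
}

# Build only the application project (not the installer, not the whole solution).
Invoke-Checked 'devenv.com' @($Solution, '/Build', 'Release', '/Project', $AppProject)
# Sign the obj\Release copy: the installer build copies obj\Release -> bin.
Add-Signature $ObjExe
Confirm-Signature $ObjExe
# Build the installer project only, then check the EXE it actually picked up.
Invoke-Checked 'devenv.com' @($Solution, '/Build', 'Release', '/Project', $InstallerProject)
Confirm-Signature $BinExe
# Finally sign and verify the MSI itself.
Add-Signature $Msi
Confirm-Signature $Msi
Write-Host "Signed installation package ready: $Msi"
```

Run it from the solution directory; if any step throws, nothing later is signed, so an unsigned EXE can no longer hide inside a signed MSI.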