Hi,

I wrote a program (Simply copies some dll to a location), but unfortunately Bit-defender virus is giving it a pop up showing that it is not digitally signed!!!

Can anyone tell me the step-by-step process?
Verisign is a process to do this. But I do not want to pay for this.

Thanks

NOTE: Please add comment if you know process to do this, no need to give me suggestion like how to improve posting or any this foolish!!
Posted 20-Feb-13 5:35am
iDebD842
Edited 20-Feb-13 5:38am
v2

1 solution


Solution 1

A certificate is purchased from a certificate authority (like VeriSign) because the certificate authority verifies your identity and the certificate they issue to you points to their certificate authority certificate that is already installed on PCs. It is a best practice to buy your signing certificate.

If you do not want to buy a certificate, then you must create your own certificate authority and a signing certificate derived from it. The certificate authority certificate must be installed on all of the PCs that will run your application. Many system administrators will not want to do this. If you are the system administrator for all of the PCs that will run your application, then it is something you may decide to do.

In all of the instructions below, replace COMPANYNAME with an abbreviation of your company name (like TATA, XEROX, IBM, HP, IAD, etc.)

I did this from memory so I hope it works for you. I don't claim to be an expert in this topic. But, after a lot of research and experimentation this process worked for me recently.

1. Create Certificate Authority Certificate
C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\makecert -n "CN=COMPANYNAME" -cy authority -a sha1 -sv "COMPANYNAME.pvk"  -r  "COMPANYNAME.cer"  
This will ask you for a password. Don't forget it!

2. Open MMC (Run mmc.exe)
* Click File then "Add/Remove Snap-in"
* Select Certificates from the left list, click "Add".
* Select "My user account", Click Finish
* Select Certificates from the list again and "Add" it
* Select "Computer account".
* Save This configuration of MMC (File, then Save) as "Certificates.msc" in the Start Menu, Programs, Administrative Tools directory so that you can access it in the future.

3. Install the new certificate authority certificate into the trusted store (Certificates (Local Computer) / Trusted Root Certification Authorities / Certificates) of the computer that will do the signing and all of the computers that will run your application.
* Double-click Certificates (Local Computer)
* Right click on "Trusted Root Certification Authorities". Select "All Tasks", then "Import".
* Select the new certificate (*.cer), and place it into "Trusted Root Certification Authorities".
The computer now implicitly trusts all certificates signed by that new certificate authority.

4. Create a signing certificate that is derived from the new certificate authority and store it in the Certificates - Current User / Personal / Certificates store on the PC that will do the signing. You do not have to install this certificate on your users' computers.
C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\makecert -n "CN=COMPANYNAME Software" -ic "COMPANYNAME.cer" -iv "COMPANYNAME.pvk" -a sha1 -sky exchange -pe -sr currentuser -ss my "COMPANYNAMESoftware.cer"
This will ask you for a password with which to lock the new private key you are creating for this certificate.
It will also ask you for the password to the certificate authority's private key from Step 1 above.
* Right click on "Personal" in "Certificates - Current User". Select "All Tasks", then "Import". Select the new certificate "COMPANYNAMESoftware.cer".

5. Create a BAT file in C:\BAT named SIGNCODE.BAT that contains this:
@ECHO OFF
REM create an array of timestamp servers...
REM The SET statement should be all on one line.
SET SERVERLIST=(http://timestamp.comodoca.com/authenticode http://timestamp.verisign.com/scripts/timstamp.dll http://timestamp.globalsign.com/scripts/timestamp.dll http://tsa.starfieldtech.com)

REM sign the file; stop here if signing itself fails...
C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\signtool.exe sign /n "COMPANYNAME Software" "%~1"
if ERRORLEVEL 1 (
    echo Signing failed. Nothing to timestamp.
    exit /b 1
)

set timestampErrors=0
REM make up to 300 passes over the list of timestamp servers...
for /L %%a in (1,1,300) do (

    for %%s in %SERVERLIST% do (
        echo Try %%s
        REM try to timestamp the file. This operation is unreliable and may need to be repeated...
        C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\signtool.exe timestamp /t %%s "%~1"

        REM exit code 0 means the timestamp was applied; anything else moves on to the next server...
        if ERRORLEVEL 0 if not ERRORLEVEL 1 GOTO succeeded

        echo Timestamping failed. Probably cannot find the timestamp server at %%s
        set /a timestampErrors+=1

        REM wait 6 seconds
        choice /N /T 6 /D Y >NUL
    )

    REM wait 12 seconds...
    choice /N /T 12 /D Y >NUL
)

REM return an error code...
echo SIGNCODE.BAT exit code is 1. There were %timestampErrors% timestamping errors.
exit /b 1

:succeeded
REM return a successful code...
echo SIGNCODE.BAT exit code is 0. There were %timestampErrors% timestamping errors.
exit /b 0

6. Sign the program
In a CMD Window, navigate to the directory that contains the program to be signed and run the BAT file.
C:\BAT\SIGNCODE.BAT SETUP.EXE
where "SETUP.EXE" is the program to be signed.
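
A post-signing check for the procedure in Solution 1, added here as an example and not part of the original answer: it confirms in PowerShell that the file is signed by the expected certificate, that the chain ends at the private CA installed in step 3, and that a timestamp was applied. The function name Test-PrivateCaSignature is hypothetical, and the subject names are the COMPANYNAME placeholders from the steps above.

```powershell
# Added example (not from the original answer). Subject names are the page's placeholders.
function Test-PrivateCaSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSigner = 'CN=COMPANYNAME Software',
        [string] $ExpectedRoot   = 'CN=COMPANYNAME'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $problems = @()

    # NotSigned, HashMismatch (file changed after signing), NotTrusted (root not installed), ...
    if ($sig.Status -ne 'Valid') {
        $problems += "Signature status is $($sig.Status): $($sig.StatusMessage)"
    }

    $signer = $sig.SignerCertificate
    $rootSubject = $null
    if ($signer) {
        if ($signer.Subject -ne $ExpectedSigner) {
            $problems += "Unexpected signer: $($signer.Subject)"
        }
        # makecert -a sha1 produces a SHA-1 certificate signature; report it.
        if ($signer.SignatureAlgorithm.FriendlyName -like 'sha1*') {
            $problems += 'Signing certificate carries a SHA-1 signature'
        }
        # Build the chain. A makecert CA publishes no CRL, so revocation is not checked.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void] $chain.Build($signer)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $rootSubject = $root.Subject
        if ($rootSubject -ne $ExpectedRoot) {
            $problems += "Chain ends at '$rootSubject', expected '$ExpectedRoot'"
        }
        # Step 3 of the answer: the CA certificate must be in the machine root store.
        $installed = Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object { $_.Thumbprint -eq $root.Thumbprint }
        if (-not $installed) {
            $problems += 'Chain root is not in Cert:\LocalMachine\Root on this computer'
        }
    }
    if (-not $sig.TimeStamperCertificate) {
        $problems += 'No timestamp: the signature stops validating when the signing certificate expires'
    }

    [pscustomobject]@{ Path = $Path; Status = $sig.Status; Root = $rootSubject; Problems = $problems }
}
```

Run it as `Test-PrivateCaSignature -Path .\SETUP.EXE` on the signing PC and on one of the target PCs; an empty Problems list on both means the root is installed and the signature and timestamp are intact.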
Comments
Andreas Gieriet 20-Feb-13 11:49am
   
My 5! Post it as a tip!
Cheers
Andi
bubaidada 6-Apr-13 12:05pm
   
Can anyone elaborate on the 3rd step? I am stuck here.
bubaidada 6-Apr-13 14:35pm
   
I am signing a Setup.exe here... that is Smart Installer... it is signing but making the installer corrupted... any clue why?
Mike Meinz 6-Apr-13 18:45pm
   
Sorry, I have never heard of or experienced that kind of problem. I regularly sign SETUP.EXE programs that are generated by the InstallShield Limited Edition software that is freely downloadable for registered purchasers of Visual Studio 2012. Maybe your SETUP.EXE has some sort of anti-tampering code that prevents signing. You could try asking the vendor of that software.
bubaidada 6-Apr-13 22:55pm
   
Yeah Mike, this thing is happening only for "Smart Installer"... I was checking 'InstallShield Limited Edition', but it is integrated with VS; I want a separate one that can be installed and used. InstallShield Limited Edition is really a good option; if I find that is not simple, I have to use it.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 20 Feb 2013
Copyright © CodeProject, 1999-2016