How to sign EXE using signtool with Verisign SPC and PVK on the command line?

I have a newly-minted Verisign certificate in the form of a SPC and PVK file, and I can sign EXEs and CABs flawlessly using the wizard. How can I do the same from the command line? I use the following steps to sign using the wizard, and it works great every time:

Simply run "signtool signwizard" to start the signing wizard.

1. File Selection: Choose the EXE you wish to sign (ie, RSInstaller.exe)

2. Signing Options: Choose "Custom"

3. Signature Certificate: Click "Select from File" and choose "mycredentials.spc"

4. Private Key: Select "Private key file on disk" and choose "myprivatekey.pvk"
- Leave CSP at "Microsoft Strong Cryptographic Provider"
- Leave Provider Type at "RSA FULL"

5. Private Key Password: Enter "xxxxxxxxxx"

6. Hash Algorithm: Leave it at 'sha1'

7. Additional Certificates:
- Leave it at "All certificates in the certification path, including the root"
- Leave it at "No additional certificates"

8. Data Description: Enter the following:
- Description: Red Swoosh Installer
- Web Location: http://www.redswoosh.net

9. Digital Signature Wizard:
- Enable "Add a timestamp to the data"
- Timestamp service URL: http://timestamp.verisign.com/scripts/timstamp.dll
* Note: This enables the signature to work forever; not sure
what this means but the Verisign guy was pretty excited about it

10. Review and click OK

11. Enter private key password: Enter "xxxxxxxxxxx"

12. Done!

However, I have no luck whatsoever with the command line. After a bunch of trial and error, here's the best I can come up with:

signtool sign /f mycredentials.spc /p xxxxxxxxxx /csp "Microsoft Strong Cryptographic Provider" /v /k myprivatekey.pvk /sha1 7E1C84D7F90B9A3F17DF5425D9B86DDD0D23816E RSInstaller-2.000-157.exe

The following certificate was selected:
Issued to: Red Swoosh, Inc.
Issued by: VeriSign Class 3 Code Signing 2004 CA
Expires: 8/5/2007 4:59:59 PM
SHA1 hash: 7E1C84D7F90B9A3F17DF5425D9B86DDD0D23816E

SignTool Error: The specified private key container was not found.

Number of files successfully Signed: 0
Number of warnings: 0
Number of errors: 1

What am I doing wrong?

I apologize if this is the wrong group; I'm not sure where best to address this issue, and any pointers you have would be appreciated.

-david



  • Allan Huang

    I decided to use wizard mode..... though it is not easy to use, compared to command mode.

    Thanks for your reply !


  • Pauly C

    I have the same error reported when trying to sign a cab file. Any hint?

    "signtool sign /f mycredentials.spc /csp "Microsoft Strong Cryptographic Provider" /k myprivatekey.pvk /sha1 "ABC.............." myfile.cab

    SignTool Error: The specified private key container was not found."


  • CruzPedro

    I also have this same error message & problem. I can sign fine in Wizard mode, but no matter what I do, I can't get it to work in command line mode. Anyone else have pointers as to what is wrong?

  • GregAbd

    After searching in vain for an answer to my question, I eventually decided nobody on the planet -- including Microsoft, the author of the tool -- has any idea how to use its command line arguments. However, I was able to figure out how to do what I wanted using a different tool: 'signcode.exe'

    signcode -spc mycredentials.spc -v myprivatekey.pvk -t http://timestamp.verisign.com/scripts/timstamp.dll -n "<application name>" -i "<application URL>" <filename.cab/exe>

    Give this a shot and let me know if it works for you.

    -David Barrett (http://www.quinthar.com)

  • ftw761229

    After a significant amount of experimentation, I found a combination of steps that worked.

    I could never get signtool to work with independent .spc and .pvk files. It's my belief that the core problem with signtool is that there is no way to specify that the .pvk (private key) should come from a file. All the options that appear to be available in the help relate to a private key in a container. I could never figure out how to get a private key into a container store using the certificate manager application, so I gave up on that approach.

    Here's what did work for me:

    Use the pvk2pfx utility to combine the public certificate (.spc) and your private key (.pvk) into a single .pfx certificate. This combined .pfx certificate will then work perfectly with the -f option in signtool.

    A warning about pvk2pfx.exe: Don't use the pvk2pfx wizard. It mysteriously only works when you use it in console mode with all three options. Using the pvk2pfx GUI at any point in the process either corrupts the certificate or somehow produces a certificate in an incompatible format.

    As an added bonus, you can use the certificate manager application (CertMgr.exe) to add your .pfx certificate into your Personal certificate container. When it's in there, you can simply do this on the command line to sign a file:
        signtool sign /a YourApp.exe

    One last tip: Consider using the signtool that comes with the latest Platform SDK (5.2.3790.2568). It seems to be newer and has more options than the one that comes with the .NET tools.

    Hope this helps someone. This was extremely frustrating and time consuming to figure out. It's hard to believe there is practically no documentation for this tool considering that it's such a commonly used tool for developers.

    - Jul

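The pvk2pfx-then-signtool flow from the answer above, written out as a batch script. This is an added example, not code posted by anyone in the thread; the file names, the application name and URL, and the passwords are placeholders you would replace with your own.

```batch
@echo off
rem Added example: combine SPC + PVK into a PFX, sign with it, then verify.
rem All names and passwords below are placeholders (assumptions, not from the thread).
setlocal

set SPC=mycredentials.spc
set PVK=myprivatekey.pvk
set PFX=mycredentials.pfx
set TARGET=MyApp.exe
set PVK_PASS=pvk-password-here
set PFX_PASS=pfx-password-here

rem 1. Merge the public certificate chain (.spc) and private key (.pvk) into one .pfx.
rem    Run pvk2pfx from the console only, as the answer notes; -pi is the PVK password,
rem    -po protects the resulting PFX, -f overwrites an existing output file.
pvk2pfx -pvk "%PVK%" -pi "%PVK_PASS%" -spc "%SPC%" -pfx "%PFX%" -po "%PFX_PASS%" -f
if errorlevel 1 (
    echo pvk2pfx failed
    exit /b 1
)

rem 2. Sign with /f + /p, which replaces the /k, /csp and /sha1 combination that failed
rem    in the question. /t adds the timestamp so the signature stays valid after the
rem    certificate expires; /d and /du are the description and URL shown to users.
rem    On newer signtool builds add /fd SHA256, since SHA-1 code signatures are deprecated.
signtool sign /v /f "%PFX%" /p "%PFX_PASS%" /t http://timestamp.verisign.com/scripts/timstamp.dll /d "My Application" /du http://www.example.com "%TARGET%"
if errorlevel 1 (
    echo signtool sign failed
    exit /b 1
)

rem 3. Check the signature against the default Authenticode policy before shipping.
signtool verify /v /pa "%TARGET%"
if errorlevel 1 (
    echo signature verification failed
    exit /b 1
)

rem The .pfx now carries the private key: keep it out of source control and
rem restrict its file ACL to the build account that needs it.
echo Signed and verified %TARGET%
endlocal
```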