Sign your distributables free and easy!

Published 30 December 5 9:16 PM | Ramon Smits
I was using signtool.exe a while ago to see what it does and learned that it is a security tool to sign any executable or DLL (thus not .NET only). Maybe even other weird file container formats that Microsoft made are supported.

Anyway, I was struggling with openssl and makecert a lot to make it work. Well, not really struggling, but if you don't have a lot of PKI knowledge then you're in for a treat! Months passed and then I found the nice and free certificate provider CAcert. I registered and scored enough points to get me a nice personally named certificate. The system is comparable with Thawte's web of trust but I think Thawte's certificates can only be used for e-mail signing and encryption.

I am busy with a tool that can back up running virtual server machines. I don't know if this functionality has already been made by somebody or whether it is available in the R2 release. More on this in a future post. I thought that it would be nice if I would sign those assemblies and started signtool in the wizard mode.

    signtool.exe signwizard

It was really easy to sign my assemblies with my personal CAcert certificate. I really don't understand why major software providers like Mozilla took so long before they started signing their Windows downloads when it is so easy to do.

The signwizard is a bit problematic in an automated build environment like a nightly build (or, even better, a nice continuously integrated one). Luckily for us, we are also able to do all of this from the command line.

    signtool.exe sign /a /d "Ramon Smits" /du http://bloggingabout.net/  *.exe *.dll

This assumes that the certificate is stored in the personal store without
There is also a timestamp option. Verisign has a public timestamp service and you only have to add the following to make use of it.

    /t http://timestamp.verisign.com/scripts/timstamp.dll

After signing you can view the results by viewing the properties of your application and selecting the digital signatures tab that has become available. Selecting details will bring up the following dialog.



The most important thing about signatures is that you check if you trust the specified party, including its certification path. Any application can have a valid certificate but that doesn't mean I will trust everyone :-).


"After viewing the certification path I decided that I trust this dude..."

My favorite browser is Firefox, but it doesn't have the nice security option that Internet Explorer has. When you download an executable with Internet Explorer and this executable is opened locally, you will see the following dialog.



Windows shows this message because Internet Explorer has added meta information about the download in an alternate file stream. Downloading it with Firefox and then running it will not have any check performed. I don't remember this very well but I think Windows Vista does show this message with any application. Clicking on the first URL will navigate to bloggingabout.net (the /du param of signtool.exe) and the second shows the same dialog as Explorer (Digital Signature Details).

A major benefit of code signing downloads is that you can easily host your download at other locations without the risk that others can modify it. Downloaders have a quick and easy way to check if the download is valid and has not been tampered with.
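
The downloader-side check described above can be scripted; this is an added example, not code from the original post. It assumes PowerShell 3.0 or later on Windows, and `$Path` and `$ExpectedThumbprint` are hypothetical parameters, the thumbprint being one the publisher gave you over a separate channel.

```powershell
# Added example: verify a downloaded file before running it.
# $Path and $ExpectedThumbprint are assumptions supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $Path,
    [Parameter(Mandatory)] [string] $ExpectedThumbprint
)

$sig = Get-AuthenticodeSignature -LiteralPath $Path

# 1. The signature must be intact and chain to a root this machine trusts.
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${Path}: $($sig.Status) - $($sig.StatusMessage)"
}

# 2. A valid signature only proves that someone signed the file; pin the signer.
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
if ($sig.SignerCertificate.Thumbprint -ne $expected) {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# 3. Print the certification path so the trust decision covers the whole chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
[void] $chain.Build($sig.SignerCertificate)
$chain.ChainElements | ForEach-Object { "  chain: $($_.Certificate.Subject)" }

# 4. Without a timestamp (/t) the signature stops validating once the
#    signing certificate expires.
if ($null -eq $sig.TimeStamperCertificate) {
    Write-Warning "No timestamp countersignature on $Path"
}

# 5. Report the download origin kept in the Zone.Identifier alternate
#    data stream, when the browser wrote one.
$zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) { "  origin: $($zone -join '; ')" } else { "  origin: no Zone.Identifier stream" }

"OK: $Path signed by $($sig.SignerCertificate.Subject)"
```

A CAcert-issued certificate only reports `Valid` on machines where the CAcert root has been added to the trusted root store; elsewhere step 1 fails even though the file is untouched.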

Comments

# Rob's Blog said on November 29, 2006 10:03 AM:

Code Signing: two worlds defined