Navigation:  Actions > Files > Sign Code >

Sign Code Action Steps to Automate Code Signing

Previous pageReturn to chapter overviewNext page

Steps to Automate Code Signing


1. Obtain the Code Signing Tools


First, you need to obtain the necessary code signing tools. Several security-related tools will be required. If you have Visual Studio 2005 or later installed, these are already available (and added to the PATH of a Visual Studio Command Prompt).


Otherwise, download and install the Microsoft Windows SDK to install the necessary tools (only the Core SDK Tools need to be installed [about 40MB]). The required programs are installed to the Bin path under the Platform SDK install path.


Your digital certificate(s) can be viewed in the Windows certificate store using the Certificate Manager (certmgr.exe), which can also be launched from Internet Explorer (Tools | Internet Options | Content | Certificates for IE 6) or Outlook Express (Tools | Options | Security | Digital IDs for OE 6). The Certificate Manager is also used to import and export certificates.


2. Obtain a Code Signing Certificate


The next step is to get a code signing certificate (or digital ID) from a certification authority (CA) such as Ascertia, Comodo, GlobalSign, Symantec, or Thawte. You will need a Class 3 digital certificate for code signing.


During the sign-up process, a private key will be generated; make sure to mark the key as exportable. During this process, you will need to provide an email address, password, and challenge phrase, as well as additional information about your company. Save the private key to a local .pvk file and store it and the information associated with it in a secure location. Once your company information has been verified, the CA will issue the public portion of your digital certificate; you should save this to a local .cer file during the installation process and also store in a safe place.


Note: You can also create test certificates using makecert.exe.


3. Convert the Certificate File Format


After receiving your code signing certificate (.cer), you need to convert it into a software publishing certificate (.spc) cert2spc.exe. From a DOS/Command Prompt change to the path containing the .cer file and run:


cert2spc xyz.cer xyz.spc


Then you should convert your certificate (the public [.spc] and private [.pvk] portions) into a single Personal Information Exchange (.pfx or PKCS #12) file.  This simplifies later steps and avoids incompatibility problems when using the certificate on different versions of Windows:


pvk2pfx -pvk xyz.pvk -pi <pvkpassword> -spc xyz.spc -pfx <xyz.pfx> -po <pfxpassword> -f


Store the .pfx file and the associated password in a secure location.


Finally, import your certificate into a certificate store on the build box by running certmgr.exe, clicking Import, entering the .pfx filename, the .pfx file password, and leaving Enable strong private key protection unchecked.


4. Add Code Signing to the Automated Build


Add a Sign Code step to your Visual Build project for each file to be signed (to sign multiple files, this can be simplified by using the Process Files action) by specifying information about the certificate in the certificate store or by providing the .pfx file and its associated password.