How do I sign a Windows App?

Once you have built your app you will want to be able to share it, either with testers or customers. However, to successfully share your app your users must be able to install it easily. Windows 10 requires all applications to be signed; if your app is not signed, your users will see warnings and may not be able to install it.

This lesson will show you how to sign a Windows application using the SignTool command-line tool.

Pre-requisites

In this lesson we will be using the SignTool command-line tool. This tool is part of the Windows SDK which you can download here.

In the lesson we will also use PowerShell, which comes installed by default on Windows.

The app to be signed

In this lesson I will use a very simple app that has been built as a Windows Standalone.

Creating a Certificate

Before signing your app you will need to obtain a certificate. For testing you can start by creating a self-signed certificate, but for distribution you will need a certificate from a Certificate Authority.

This is a quote from the Microsoft Documentation.

App package signing is a required step in the process of creating a Windows 10 app package that can be deployed. Windows 10 requires all applications to be signed with a valid code signing certificate.

To successfully install a Windows 10 application, the package doesn't just have to be signed but also trusted on the device. This means that the certificate has to chain to one of the trusted roots on the device. By default, Windows 10 trusts certificates from most of the certificate authorities that provide code signing certificates.

Creating a Self-Signed Certificate

A self-signed certificate can be used for testing purposes. We will create a self-signed certificate using PowerShell running in elevated mode.

To open PowerShell in elevated mode, search for PowerShell in the Search box. When it appears in the results, right-click it and choose 'Run as Administrator'.

Create the Certificate

To create your certificate, run this command in PowerShell:

New-SelfSignedCertificate -Type Custom -Subject "Your Publisher Details go here" -KeyUsage DigitalSignature -FriendlyName "Your friendly name goes here" -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")
  • KeyUsage: For a self-signed certificate, this parameter should be set to DigitalSignature.
  • TextExtension: Indicates additional uses for the certified public key and whether or not the certificate is a Certificate Authority. A self-signed certificate created this way is not a Certificate Authority.

After running the command, the certificate will be added to the local certificate store specified in the "-CertStoreLocation" parameter. The output of the command also shows the certificate's thumbprint.

You can find further details in the Microsoft Documentation here.

Export the Certificate

Before you can use the certificate to sign your app you need to export it to a Personal Information Exchange (PFX) file.

First, create a password:

$password = ConvertTo-SecureString -String <Your Password> -Force -AsPlainText 

Then export the certificate:

Export-PfxCertificate -cert "Cert:\CurrentUser\My\<Certificate Thumbprint>" -FilePath <FilePath>.pfx -Password $password

This will create a PFX file that you can use to sign your app.
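The create and export steps above as one script, an added example that is not part of the original lesson. It keeps the certificate object returned by New-SelfSignedCertificate so the thumbprint does not have to be copied by hand, checks that the Code Signing usage was applied, and prompts for the PFX password instead of typing it in plain text. The subject, friendly name, six-month lifetime and output path are assumptions.

```powershell
# Added example: create a test code-signing certificate and export it to a PFX.
# Subject, friendly name, lifetime and output path are placeholder assumptions.
$certParams = @{
    Type              = 'Custom'
    Subject           = 'CN=Example Test Publisher'
    KeyUsage          = 'DigitalSignature'
    FriendlyName      = 'Example test signing certificate'
    CertStoreLocation = 'Cert:\CurrentUser\My'
    # 2.5.29.37 = Enhanced Key Usage (Code Signing OID), 2.5.29.19 = Basic Constraints (not a CA)
    TextExtension     = @('2.5.29.37={text}1.3.6.1.5.5.7.3.3', '2.5.29.19={text}')
    # Keep test certificates short-lived
    NotAfter          = (Get-Date).AddMonths(6)
}
$cert = New-SelfSignedCertificate @certParams

# Confirm the certificate really carries the Code Signing usage before exporting it
$ekuExtension = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$codeSigning = $ekuExtension.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' }
if (-not $codeSigning) {
    throw "Certificate $($cert.Thumbprint) does not have the Code Signing usage."
}

# Prompt for the password so it is not stored in the script or the command history
$password = Read-Host -Prompt 'Password for the PFX file' -AsSecureString

# Export the certificate and its private key, passing the object instead of a thumbprint path
$pfxPath = Join-Path $env:TEMP 'example-test-signing.pfx'
$pfxFile = Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password

# Report what was created; the thumbprint identifies this certificate in later steps
[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    Subject    = $cert.Subject
    Expires    = $cert.NotAfter
    PfxFile    = $pfxFile.FullName
}
```

The PFX file contains the private key, so store it where only the people who sign builds can read it.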

Requesting a Certificate from a Certificate Authority

When you are ready to distribute your app, either yourself or via a store, you will need a certificate from a recognized Certificate Authority. There are many Certificate Authorities and options for certificates so you will need to find one that suits your needs best.

Create a PFX file

You will need to create a PFX file using the Pvk2Pfx command-line tool. This will create a PFX file from your pvk and spc files.

pvk2pfx -pvk <mypvkfile.pvk> -pi <mypassword> -spc <myspcfile.spc> -pfx <mypfxfile.pfx> -f

This will create a PFX file you can use to sign your app.

You can find more information in the Microsoft Documentation here.

Sign your app

Once you have your PFX file you can sign your app using SignTool.

SignTool sign /f <mypfxfile.pfx> /p <mypassword> <MyApp>.exe

You can find more information in the Microsoft Documentation here.

Checking the Digital Signature

Once you have signed your app you can check the Digital Signature by opening the Properties of the exe.
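The same check from PowerShell, together with a signing variation, as an added example that is not part of the original lesson. Instead of /f and /p it selects the certificate in the user store by thumbprint with /sha1, so no PFX password appears on the command line, and it asks SignTool for a SHA-256 file digest. The app path, thumbprint and timestamp server URL are placeholders you must supply, and signtool is assumed to be on the PATH.

```powershell
# Added example: sign with the certificate in Cert:\CurrentUser\My, then verify the result.
param(
    [string]$AppPath            = '.\MyApp.exe',               # placeholder path
    [string]$ExpectedThumbprint = '<Certificate Thumbprint>',  # placeholder, from the create step
    [string]$TimestampUrl       = ''                           # assumption: RFC 3161 URL from your CA
)

# /sha1 picks the signing certificate by thumbprint; /fd sets the file digest algorithm
$signArgs = @('sign', '/sha1', $ExpectedThumbprint, '/fd', 'SHA256')
if ($TimestampUrl) {
    # A timestamp lets the signature stay verifiable after the certificate expires
    $signArgs += @('/tr', $TimestampUrl, '/td', 'SHA256')
}
$signArgs += $AppPath

& signtool @signArgs
if ($LASTEXITCODE -ne 0) {
    throw "SignTool failed with exit code $LASTEXITCODE"
}

# Read the signature back and compare it with the certificate we expected to use
$signature = Get-AuthenticodeSignature -FilePath $AppPath
$report = [pscustomobject]@{
    Status            = $signature.Status
    StatusMessage     = $signature.StatusMessage
    Signer            = $signature.SignerCertificate.Subject
    ThumbprintMatches = ($signature.SignerCertificate.Thumbprint -eq $ExpectedThumbprint)
    Timestamped       = [bool]$signature.TimeStamperCertificate
}
$report

if (-not $report.ThumbprintMatches) {
    Write-Warning 'The file is not signed with the expected certificate.'
}
if ($signature.Status -ne 'Valid') {
    # Expected for a self-signed certificate until it is trusted on this machine
    Write-Warning "Signature status is '$($signature.Status)': $($signature.StatusMessage)"
}
```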

The unsigned app

The app signed with a self-signed certificate

Running the app

You can then check your signing by running the app on another machine. The first screenshot is the unsigned app; the second screenshot is the app signed with a certificate from a Certificate Authority.

Creating an installer

If you choose to create an installer for your app you would use the same process to sign the installer once it has been built.

  • Sign the app
  • Create the installer
  • Sign the installer
