Using Tech-Pro CodeSign

Tech-Pro CodeSign is a graphical shell for the Microsoft command line code signing tools. It has been designed to make it easy for developers to install and use the Microsoft code signing tools. For more information on Authenticode code signing and how it works, see Code Signing for Developers.

Tech-Pro CodeSign main window Tech-Pro CodeSign can be used to sign code in three different ways:

After selecting the file to be signed, you can optionally enter a file description or information URL, type the private key password and specify whether the file should be time stamped.

Note: If an executable file is not time stamped, users will receive a warning that the certificate has expired when they try to run the program after the expiry date of the code signing certificate.

Click Sign to run the tool and sign the file. Any output from the command line tool will appear in the results window.

Tools

Setting up the code signing tools Before you may use Tech-Pro CodeSign you must install the Microsoft code signing tools (if you don't already have them) and then register them with Tech-Pro CodeSign. To do this, select the Tools tab.

Tech-Pro CodeSign supports both the original Microsoft Authenticode command line tools (signcode.exe) as well as the Microsoft Visual Studio / Platform SDK command line tools (signtool.exe) and also the ASP tools for signing PAD files. It can also use the PVK import tools included in either of these tookits to convert a .pvk / .spc pair into a .pfx file as required by signtool.exe and signpad.exe.

Set the check box Use Microsoft Visual Studio SDK tools according to which version of the tools you wish to use. Note that the names of some of the tools change according to the setting of the check box.

Now click the Browse (...) button next to Path to signcode.exe / signtool.exe to locate the tool. If you don't have any code signing tools installed on your computer, click the link Download Code Signing Tools and then follow the instructions to install the files (but see the box "Which tools should you use?")

If you wish to sign PAD files or import .pvk and .spc files to a .pfx file, download the appropriate tools (if necessary) and then locate their paths on your computer in a similar manner. The Microsoft Visual Studio / SDK tools include their own (different) PVK import tool. If you have both, you may use either, but the VS / SDK one does not seem to be able to create .pfx files that don't have a password.

Note: Since this program was written, the location of the PAD signing tools has changed. Download PAD Signing Tools here.

Which tools should you use?

Which version of the code signing tools you can use is determined by the format in which you hold your code signing certificate. However, it is possible to convert between the different formats.

Certificate format Code signing tools Conversion options
In browser certificate store Not supported by Tech-Pro CodeSign Export to PFX
PFX file signtool.exe, signpad.exe Export to PVK + SPC
PVK + SPC pair signcode.exe Import to PFX

Tech-Pro CodeSign can import a PVK + SPC pair to a PFX file (if the PVK Import tool is installed.) Certificates in other formats may only be converted using a manual process.

Certificates

Setting up the code signing certificate You must register your code signing certificate files with Tech-Pro CodeSign so that it knows where to find them. This is done on the Certificate tab.

You will need to buy a code signing certificate if you don't already have one. Click Order a Comodo code signing certificate to purchase a Comodo certificate through Tech-Pro.net. Comodo is the lowest cost trusted certification authority available.

To sign code using Tech-Pro CodeSign you need either of:

If you are using Windows Vista then the certificate may have been downloaded to your web browser's certificate store. In this case, you will need to export it to a Personal Information Exchange (.pfx) file before proceeding.

Once you have your code signing certificate file(s), click the Browse (...) buttons to the right of the path fields to register the file paths with Tech-Pro CodeSign.

If you will be using the Microsoft Visual Studio SDK tool signtool.exe and/or the ASP PAD signing tools then you will need to import the .pvk/.spc pair into a .pfx file. Click the link Import private key + certificate to PFX (if this button is disabled, you didn't install the import tool in the step above) and then locate the path in the last of the three fields using the Browse (...) button.

If you have only a Personal Information Exchange (.pfx) file but wish to use the signcode.exe tool for code signing, you will need to export the code signing certificate and private key to a .pvk / .spc pair, and then register the files with CodeSign.

Defaults

Setting up defaults To save time when signing new files, Tech-Pro CodeSign lets you set up default settings for code signing. This is done on the Defaults tab. These settings are used whenever a file is signed for the first time, but may be overridden by making changes in the main window. Any changes you make to the settings for one file will be re-used the next time the same file is signed.

The File description and Information URL fields are optional information that can be added to the signature of each file. You may leave them blank if you wish, as it is unlikely that users will see the information.

The Information URL field, if used, could be the home page of your website, or it could be a specific page related to the product you are signing. The File description field could be a generic description of the product of which the file being signed is one part, or it may be a specific description of the file itself.

If you specified a password when creating your private key file, and wish this to be entered automatically when signing files, you may enter it in the Password field. Be aware, though, that the password will be stored, fairly weakly encrypted, in Tech-Pro CodeSign's configuration data.

Finally you may specify whether files should be time stamped by default (normally, they should be) and which time stamping server to use. You may select one of the time stamp servers shown in the list, or enter a different one in the Time stamp URL field.

Test certificates

Creating a test certificate Tech-Pro CodeSign makes it easy to create a self-signed software publishing certificate, which you can use to try out code signing before buying a proper authenticated certificate. This can be done using the Test tab.

First, you must locate the paths to the two tools makecert.exe and cert2spc.exe that will be used to create the certificate, using the Browse (...) buttons to the right of the fields.

Next, you must specify a folder in which the certificate files will be created, using the Browse button to the right of that field.

You must specify the Certificate name. This should be your own name, if an individual, or the name of your company, though as this is only a test certificate it could really be anything.

Now click Create test certificate to create the certificate files. You will be asked for a password for the private key file (if it needs to be created) but you may leave this blank if you wish.

If all goes well, you should now have two files, test.pvk and test.spc in the folder you specified. You may now return to the Certificate tab to ensure that they are installed in the application, and start using them to sign software files.

Note: You should not publish software that has been signed using the test certificate, or users will see warnings that the certificate is invalid or the publisher could not be verified. The ASP PAD signing tools will not allow a PAD file to be signed using a self-signed certificate.

Backing up your configuration

It is advisable to back up the configuration file of Tech-Pro CodeSign so that the individual application settings are not lost if you move it to another computer.

The settings are stored in an XML format file located in <user account>\Application Data\Tech-Pro CodeSign.