Trustzone

EV Code Signing for Windows 7 & 8



EV CODE SIGNING FOR WINDOWS 7 & 8

PREREQUISITES

  • GlobalSign Extended Validation Code Signing Certificate Installed onto a hardware token.
  • Windows Software Development Kit (SDK) For Windows 8.1
  • Cross Certificate(s):
    • MS Cross Certificate – Used for Kernel Driver Signing within Windows
    • EV Code Signing certificates will require the R1-R3 Cross Certificate

Note: The R1-R3 Cross Certificate must be installed on the signing computer, but it is not passed as an additional certificate (/ac) during the signing procedure.

IMPORTANT SIGNTOOL OPTIONS

/ac  -  Specify an Additional Certificate.

/a  -  Automatically selects the best certificate to sign the file from your Windows Certificate Store.

/fd SHA256  -  Specify the file digest algorithm used in creating file signatures.

/t  -  Specify a Microsoft Authenticode compatible time stamp server.

/tr  -  Specify an RFC 3161 compliant trusted time stamp server. *Recommended*

/td SHA256  -  Must be given after "/tr"; specifies the timestamp digest algorithm. *Recommended*

/sha1 Hash  - Used to select the signing certificate by the SHA-1 Hash (Thumbprint).

Note: Timestamping your Code is extremely important and is highly recommended for every piece of code that you sign. This timestamp will allow the file that you sign to remain valid long after the certificate itself has expired.

PROCEDURE

  • You can either sign files out of a working directory, or you can place them in your Windows SDK\bin folder.
  • Open the Command Prompt: on Windows 7, Start > Run > cmd; on Windows 8, press the Windows Key, type cmd and press Enter.
  • Navigate to the directory with signtool.exe.
  • For Kernel Driver Signing acquire the Microsoft Code Signing Cross certificate (linked in the prerequisites) for GlobalSign and place it into your working directory.
  • Use the following command to sign your file:

signtool sign /a /tr http://timestamp.globalsign.com/?signature=sha2 /td SHA256 c:/path/to/your/file.exe

Note: For Kernel Driver Signing add the argument /ac "GlobalSign Root CA.crt" to the signtool command in order to complete the cross certificate chain (the file name contains spaces, so it must be quoted).

  • Enter your Token Password. If signing succeeds, signtool prints a message saying so.
  • To verify the successful signature use the following commands:

Authenticode: signtool verify /v /pa c:/path/to/your/file.exe

Kernel Driver Signing: signtool verify /v /kp c:/path/to/your/driver.sys
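The sign-then-verify steps above wrapped in one PowerShell function, as an added example that is not Trustzone's own script. It assumes signtool.exe is on PATH (or set $SignTool to the SDK bin path) and, for drivers, that the cross certificate file named above sits in the working directory; after signtool's own verify it also confirms with Get-AuthenticodeSignature that the signature carries a timestamp, which is what keeps it valid after the certificate expires.

```powershell
# Added example, not from the Trustzone page: signs with the page's signtool
# options, verifies with the right policy, and checks for a timestamp.
$SignTool     = "signtool.exe"                                    # assumption: on PATH
$TimestampUrl = "http://timestamp.globalsign.com/?signature=sha2"
$CrossCert    = "GlobalSign Root CA.crt"                          # file name as given on the page

function Invoke-EvSign {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$KernelDriver    # adds /ac and verifies with /kp instead of /pa
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # Options from the page: /a picks the token certificate from the store,
    # /fd SHA256 for the file digest, /tr + /td SHA256 for an RFC 3161 timestamp.
    $signArgs = @('sign', '/a', '/fd', 'SHA256', '/tr', $TimestampUrl, '/td', 'SHA256')
    if ($KernelDriver) {
        if (-not (Test-Path -LiteralPath $CrossCert)) { throw "Cross certificate missing: $CrossCert" }
        $signArgs += @('/ac', $CrossCert)   # completes the chain to the MS cross certificate
    }
    $signArgs += $Path

    & $SignTool @signArgs
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

    # Verify against the policy that applies to this file type (/pa or /kp).
    $policy = if ($KernelDriver) { '/kp' } else { '/pa' }
    & $SignTool verify /v $policy $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool verify $policy failed with exit code $LASTEXITCODE" }

    # Independent check: without a timestamp countersignature the signature
    # stops validating once the signing certificate expires.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { throw "Authenticode status is $($sig.Status): $($sig.StatusMessage)" }
    if ($null -eq $sig.TimeStamperCertificate) { throw "Signature is not timestamped; re-sign with /tr and /td" }

    [pscustomobject]@{
        File        = $Path
        Signer      = $sig.SignerCertificate.Subject
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        Timestamper = $sig.TimeStamperCertificate.Subject
    }
}

# Usage (paths are placeholders):
#   Invoke-EvSign -Path 'C:\build\app.exe'
#   Invoke-EvSign -Path 'C:\build\driver.sys' -KernelDriver
```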

Last Updated: March 14, 2017