Skip to content

Code signing how-to

What and why code signing is required?

Windows

Code signing provides a benefits to application security features like Windows Defender Application Control (WDAC). It allows the system to cryptographically verify that a file hasn't been tampered with before any code is to run.

Windows doesn't require software developers to digitally sign their code. Users can install when user allows running application from other than Microsoft Store. When code sign is amendment, Windows may reduce warning when running.

macOS

Code signing your app assures users that it's from a known source and hasn’t been modified since it was last signed. Before your app can integrate app services, be installed on a device, or be submitted to the App Store, it must be signed with a certificate issued by Apple.

How to obtain Certificate?

A certificate can be obtained from certification authority companies. Both Microsoft and Apple specify which companies are compatible with its platform.

Windows

Many certification authority companies provide a certification for code signing for windows.

Certum Open Source developer certificate program

Certum(r) is one of certification authority services by Asseco Ltd. They provide unique but only produce line for Open Source developers.

They provide a code signing certificate with discounted fee. They check not only developer individual identities but also check OSS projects.

Comodo certificate for individuals

Comodo provides a certification with affordable prices for individuals.

macOS

Certificate issued by Apple

notarized by Apple

Tools

Windows

signtool.exe

signtool.exe is utility bundled with Windows SDK. SignTool is a command-line tool that digitally signs files, verifies the signatures in files, and time stamps files.

The tool is installed in the \Bin folder of the Microsoft Windows SDK installation path, for example: C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe.

You can learn it at

https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool

Linux

osslsigntool

osslsigncode is a small tool that implements part of the functionality of the Microsoft tool signtool.exe - more exactly the Authenticode signing and timestamping. But osslsigncode is based on OpenSSL and cURL, and thus should be able to compile on most platforms where these exist.

https://github.com/mtrojnar/osslsigncode

OpenSC

OpenSC is Open source smart card tools and middleware. It support PKCS#11/MiniDriver/Tokend.

There is a list of supported hardware at OpenSC Wiki.

openssl-pkcs11

macOS