Code signing how-to
What is code signing and why is it required?
Windows
Code signing provides benefits to application security features like Windows Defender Application Control (WDAC). It allows the system to cryptographically verify that a file hasn't been tampered with before any code is to run.
Windows doesn't require software developers to digitally sign their code. Users can install applications from sites other than the Microsoft Store if they allow such applications to run. When code sign is provided, Windows reduces the number of warnings when running.
macOS
Code signing your app assures users that it's from a known source and hasn’t been modified since it was last signed. Signing uses a certificate issued by Apple.
How to obtain Certificate?
A certificate can be obtained from certification authority companies. Both Microsoft and Apple specify which companies are compatible with their respective platforms.
Windows
Many certification authority companies provide a certification for code signing for windows.
Certum Open Source developer certificate program
Certum(r) is one of the certification authority services provided by Asseco Ltd.
They provide discounted a code signing certificate to FOSS projects. They not only check developer individual identities but also check the project itself.
Comodo certificate for individuals
Comodo provides a certification with affordable prices for individuals.
macOS
Certificate issued by Apple
Application notarized by Apple
Tools
Windows
signtool.exe
signtool.exe
is a utility bundled with Windows SDK.
SignTool is a command-line tool that digitally signs files,
verifies the signatures in files, and time stamps files.
The tool is installed in the \Bin
folder of the Microsoft Windows SDK installation path,
for example C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe
.
You can find more information at
https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool
Linux
osslsigntool
osslsigncode is a small tool that implements part of the functionality of the Microsoft tool signtool.exe - more exactly the Authenticode signing and timestamping. osslsigncode is based on OpenSSL and cURL, and thus should be able to compile on most platforms where the commands exist.
See https://sourceforge.net/projects/osslsigncode/ for more informations.
OpenSC
OpenSC is an open source smart card tools and middleware. It supports PKCS#11/MiniDriver/Tokend.
The list of supported hardware is at OpenSC Wiki.