Code signing how-to
What and why code signing is required?
Windows
Code signing provides a benefits to application security features like Windows Defender Application Control (WDAC). It allows the system to cryptographically verify that a file hasn't been tampered with before any code is to run.
Windows doesn't require software developers to digitally sign their code. Users can install when user allows running application from other than Microsoft Store. When code sign is amendment, Windows may reduce warning when running.
macOS
Code signing your app assures users that it's from a known source and hasn’t been modified since it was last signed. Before your app can integrate app services, be installed on a device, or be submitted to the App Store, it must be signed with a certificate issued by Apple.
How to obtain Certificate?
A certificate can be obtained from certification authority companies. Both Microsoft and Apple specify which companies are compatible with its platform.
Windows
Many certification authority companies provide a certification for code signing for windows.
Certum Open Source developer certificate program
Certum(r) is one of certification authority services by Asseco Ltd. They provide unique but only produce line for Open Source developers.
They provide a code signing certificate with discounted fee. They check not only developer individual identities but also check OSS projects.
Comodo certificate for individuals
Comodo provides a certification with affordable prices for individuals.
macOS
Certificate issued by Apple
notarized by Apple
Tools
Windows
signtool.exe
signtool.exe
is utility bundled with Windows SDK.
SignTool is a command-line tool that digitally signs files,
verifies the signatures in files, and time stamps files.
The tool is installed in the \Bin
folder of the Microsoft Windows SDK installation path,
for example: C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe
.
You can learn it at
https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool
Linux
osslsigntool
osslsigncode is a small tool that implements part of the functionality of the Microsoft tool signtool.exe - more exactly the Authenticode signing and timestamping. But osslsigncode is based on OpenSSL and cURL, and thus should be able to compile on most platforms where these exist.
https://github.com/mtrojnar/osslsigncode
OpenSC
OpenSC is Open source smart card tools and middleware. It support PKCS#11/MiniDriver/Tokend.
There is a list of supported hardware at OpenSC Wiki.