Saturday, 23 April 2011

Signing your Delphi applications with Microsoft Signtool

Today I'm coming with an interesting post about signing your Delphi (Win32) applications with Microsoft SignTool. SignTool is a command-line tool that digitally signs files, verifies the signatures in files, or time-stamps files. The tool is installed in the \Bin folder of the Microsoft Windows Software Development Kit (SDK) installation path. SignTool is available as part of the Windows SDK, which you can download from here.
In a few steps I'll show you how to create a PKCS#12 certificate with OpenSSL for Windows and how to sign your applications with this certificate. In most cases we should use the certificate as a means of identifying the author of an application and establishing trust relationships between applications.

Creating a PKCS#12 certificate with OpenSSL:
Once you have installed OpenSSL on your machine, run the following commands to create the certificate. To create a PKCS#12 file you need a private key and a certificate, so first of all let's create both:

# create a file containing key and self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem


Now we are ready to generate the .pfx file from mycert.pem (.PFX is the Personal Information Exchange format, a file containing both the public certificate (.cer) and the private key (.pvk)):

# export mycert.pem as PKCS#12 file, mycert.pfx
openssl pkcs12 -export -out mycert.pfx -in mycert.pem -name "My Certificate"


You'll be asked to enter a password for your certificate.

Signing the executable with Signtool:
Now copy the mycert.pfx file into the folder where your executable is placed and run the following command with Signtool (replace password with the export password you chose):

Signtool sign /f mycert.pfx /p password thundaxballsdemo.exe


Now if we check the properties of our application, it shows as digitally signed with our certificate:

Then you can install this certificate into the Windows trusted certificate store, so that the signature is trusted on that machine.
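As an added example that is not part of the original post: the two OpenSSL steps above as a non-interactive POSIX shell script (the same commands work with the Windows OpenSSL build) that puts a Code Signing EKU on the self-signed certificate and checks the resulting .pfx before it is handed to signtool. It assumes OpenSSL 1.1.1 or later (for -addext); the subject name and password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: the two OpenSSL steps above run
# non-interactively, with a Code Signing EKU on the self-signed certificate and a
# read-back check of the .pfx before it is handed to signtool.
# Assumes OpenSSL 1.1.1 or later (-addext); subject and password are placeholders.
set -e

# Create a private key plus self-signed certificate and export both as PKCS#12.
# Arguments: output directory, export password.
make_signing_pfx() {
    dir="$1"; pass="$2"
    # Same shape as the post's first command, but 2048-bit RSA, SHA-256 and
    # extensions that mark the certificate for code signing.
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
        -subj "/CN=Thundax Demo Signing (constructed)" \
        -addext "keyUsage=digitalSignature" \
        -addext "extendedKeyUsage=codeSigning" \
        -keyout "$dir/mycert.key" -out "$dir/mycert.crt" 2>/dev/null
    # Bundle key and certificate into the .pfx that "signtool sign /f" takes.
    # OpenSSL 3 encrypts the bundle with AES-256/PBKDF2 by default; add -legacy
    # if an older Windows release refuses to import the file.
    openssl pkcs12 -export -name "My Certificate" \
        -inkey "$dir/mycert.key" -in "$dir/mycert.crt" \
        -out "$dir/mycert.pfx" -passout "pass:$pass"
}

# Open the .pfx with its password and confirm (1) the certificate carries the
# Code Signing EKU and (2) the bundled private key matches that certificate.
# Arguments: path to .pfx, password. Returns 0 only if both checks pass.
check_pfx() {
    pfx="$1"; pass="$2"
    cert=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null)
    key=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes 2>/dev/null)
    printf '%s\n' "$cert" | openssl x509 -noout -text | grep -q "Code Signing" || return 1
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey)
    key_pub=$(printf '%s\n' "$key" | openssl pkey -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone use: sh make_pfx.sh <outdir> <password>
if [ $# -eq 2 ]; then
    make_signing_pfx "$1" "$2"
    check_pfx "$1/mycert.pfx" "$2"
    echo "$1/mycert.pfx ready for: signtool sign /f mycert.pfx /p <password> /fd SHA256 app.exe"
fi
```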


13 comments:

  1. Hello,
    Excellent article.
    I get an error "No certificates were found that met all the given criteria"
    What am I doing wrong?
    Regards,
    K

    Replies
    1. Hi K,

      Is your certificate (.pfx) in the same folder as your executable?

      Regards,
      Jordi

  2. Hi Jordi, all fine?
    Excellent article friend.
    I'm doing a little test but the following errors happened:

    1) C:\_Dev\OpenSSL-Win32\bin>openssl pkcs12 -export -out mycert.pfx -in mycert.pem -name "My Test"
    Loading 'screen' into random state - done
    Enter Export Password:
    Verifying - Enter Export Password:
    unable to write 'random state'

    Password used in test: 123

    2) After trying to sign with the certificate, this happened:
    C:\Program Files (x86)\Windows Kits\8.1\bin\x86>signtool sign /f mycert.pfx /p 123 AppTest.exe
    Done Adding Additional Store
    SignTool Error: Access is denied.
    SignTool Error: An error occurred while attempting to sign: AppTest.exe

    Number of errors: 1

    Only information:
    Application in Delphi XE and Windows 8.

    I followed the steps provided by you, but these issues occurred. Was there any situation that may let off?

    Thanks

    Replies
    1. The quickest solution is: set environment variable RANDFILE to the path where the 'random state' file can be written (of course check the file access permissions), e.g. in your command prompt:

      set RANDFILE=C:\MyDir\.rnd

      And it works after that!

      A.K.

  3. Hi Jordi. Ignore my last post. I found the problem.
    I added permission to the folder where my certificate was saved and it works perfectly.
    Sorry about my basic question. I had not tested this situation.

    Thanks friend.

    Regards,

    Eliseu Corrona.

    Replies
    1. Hi Eliseu,

      Yes, that's what I was going to tell you. Access denied is usually raised when the app doesn't have enough permissions.

      Regards,
      Jordi

  4. Thanks Jordi,
    Best tutorial about app signing.
    Regards

  5. THANK-YOU so much for taking the time to create this easy-to-understand post!

  6. Excellent tutorial. But I have a problem. When I download the SDK, it comes packed with just a text file saying, "This disc contains a "UDF" file system and requires an operating system
    that supports the ISO-13346 "UDF" file system specification." I do not know how to solve this problem. Would you be able to help me?

    Replies
    1. Hi Junior,

      What software are you using to open the package? It seems what you are using does not support UDF.

      Regards,
      Jordi

  7. Excellent tutorial, thanks for sharing your knowledge!

  8. Many thanks, this solved the big problem. Antivirus was cleaning my apps.
