Labels
Posted by

Signing your Delphi applications with Microsoft Signtool

Today I'm coming with an interesting post about signing your Delphi applications (win32) with Microsoft Signtool. The SignTool tool is a command-line tool that digitally signs files, verifies signatures in files, or time stamps files. The tool is installed in the \Bin folder of the Microsoft Windows Software Development Kit (SDK) installation path. SignTool is available as part of the Windows SDK, which you can download from here.
With few steps I'll show you how to create PKCS#12 certificate with OpenSSL for windows and how to import this certificate into your applications. In most occasions we should use the certificate as a means of identifying the author of an application and establishing trust relationships between applications.

Creating a PKCS#12 certificate with OpenSSL:
Once I have installed OpenSSL on your machine, we need to run the following commands to create the certificate. To create a PKCS#12 certificate, you’ll need a private key and a certificate, so first of all, let´s create the certificate and the private key:

# create a file containing key and self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem


Now we are ready to generate the .pfx file (.PFX file (Personal Information Exchange format) is the file containing both a public (.cer file) and a private (.pvk file) keys) with myCert.pem:

# export mycert.pem as PKCS#12 file, mycert.pfx
openssl pkcs12 -export -out mycert.pfx -in mycert.pem -name "My Certificate"


You'll be asked to enter a password for your certificate.

Importing the certificate with Signtool:
Now copy the mycert.pfx file into the folder where your executable is placed and run the following command with Signtool:

Signtool sign /f mycert.pfx /p password thundaxballsdemo.exe


Now if we check our application it will be digitally signed with our certificate:

Then you can install this certificate into the "windows trusted certification store".

Related links:
Labels:

Comments

  1. Anonymous10 June 2013 at 16:07

    Hello,
    Excellent article.
    I get an error "No certificates were found that met all the given criteria"
    What am I doing wrong?
    Regards,
    K

    ReplyDelete
    Replies
    1. Jordi Corbilla10 June 2013 at 20:54

      Hi K,

      Is your certificate (.pfx) in the same folder as your executable?

      Regards,
      Jordi

      Delete
  2. Eliseu Corrona17 February 2014 at 17:46

    Hi Jordi, all fine?
    Excellent article friend.
    I'll making a little test but happend the follow errors:

    1) C:\_Dev\OpenSSL-Win32\bin>openssl pkcs12 -export -out mycert.pfx -in mycert.pe
    m -name "My Test"
    Loading 'screen' into random state - done
    Enter Export Password:
    Verifying - Enter Export Password:
    unable to write 'random state'

    Password used in test: 123

    2) After try sign the certificade happened this:
    C:\Program Files (x86)\Windows Kits\8.1\bin\x86>signtool sign /f mycert.pfx /p 123 AppTest.exe
    Done Adding Additional Store
    SignTool Error: Access is denied.
    SignTool Error: An error occurred while attempting to sign: AppTest.exe

    Number of errors: 1

    Only information:
    Application in Delphi XE and Windows 8.

    I followed the steps provided by you, but these issues occurred. Was there any situation that may let off?

    Thanks

    ReplyDelete
    Replies
    1. Anonymous3 May 2014 at 15:32

      The quickest solution is: set environment variable RANDFILE to path where the 'random state' file can be written (of course check the file access permissions), eg. in your command prompt:

      set RANDFILE=C:\MyDir\.rnd

      And that's work after !

      A.K.

      Delete
  3. Eliseu Corrona17 February 2014 at 19:43

    Hi Jordi. Ignore my last post. I found the problem.
    I add permission to the folder where my certificade was saved and work perfect.
    Sorry about my basic question. I not tested this situation.

    Thanks friend.

    Regarts,

    Eliseu Corrona.

    ReplyDelete
    Replies
    1. Jordi Corbilla17 February 2014 at 20:12

      Hi Eliseu,

      Yes, that's what I was going to tell you. Access denied is usually raised when the app doesn't have enough permissions.

      Regards,
      Jordi

      Delete
  4. Anonymous24 April 2015 at 11:22

    Thanks Jordi,
    Best tutorial about app signing.
    Regards

    ReplyDelete
  5. digital signatures3 June 2015 at 12:25

    THANK-YOU so much for taking the time to create this easy-to-understand post!

    ReplyDelete
  6. Unknown8 September 2015 at 20:16

    Excellent tutorial. But I have a problem. When I download the SDK, it comes packed with just a text file saying, "This disc contains a" UDF "file system and requires an operating system
    que supports the ISO-13346 "UDF" file system specification. ". I do not know how to solve this problem. It would have to help me?

    ReplyDelete
    Replies
    1. Jordi Corbilla8 September 2015 at 22:12

      Hi Junior,

      What software are you using to open the package? It seems what you are using does not support UDF.

      Regards,
      Jordi

      Delete
  7. Solla6 October 2015 at 15:03

    Excellent tutorial, thanks for sharing your knowledge!

    ReplyDelete
  8. Talvez um dia...4 February 2016 at 00:48

    Many Thanks, solv the big problem. Antivirus clean my apps.

    ReplyDelete

Post a Comment

Popular Posts