How to sign an exe?

[Raptisoft]

Well, this is sorta in line with the other signed exe thread, but this one is more specifically technically.

What's the easiest way to sign an exe? Don't you need to reserve space in the exe for the signcode? How the heck do you do that?

[princec]

I think a signing tool should do this for you, adding the signature as a chunk to the .exe and writing the new .exe out again. I expect there's a free one available...

Cas

[Raptisoft]

Hey, have I mentioned how much SP2 sucks?

Not only this signing... but all the interfaces to accept ActiveX/Files are TERRIFYING!

[Greg Squire]

Whoever you get your Digital Signing ID from should provide you with a tool to use it, or at least point you to a free tool to use it.

[Mike Boeh]

AFAIK, only thawte and verisign provide code signing- does anyone know of anyone else who does it? Thawte is half the price of verisign, which I think is funny considering verisign owns thawte

[Coyote]

Actually, ANY CA (Certificate Authority) can do it... I used to work for one. The trick is getting yourself on Microsoft's default list of approved authorities. There's a bit of cost involved to make sure you follow correct procedures. But I can ask around my old buddies from the industry and see if the concept of providing low-cost signatures for executables makes sense. I can see this being a very lucrative new market.

When I was there, every year they'd say "This is the year of PKI" (Public Key Infrastructure). It never happened. Maybe it will now.

[Fost]

Microsoft provide a tool here

but you will require a certificate with which to sign it. (they include a test one within the above pack so you can try it out)

[Redclaw]

Actually, ANY CA (Certificate Authority) can do it... I used to work for one. The trick is getting yourself on Microsoft's default list of approved authorities.

Is there a way for us plebs to check who is on that list? Nick has mentioned that instantssl.com has very cheap certs, but if they aren't on the list then obviously the downloader would still get a security warning (like using a self signed cert on a secure web page).