Automated Code Signing for Microsoft Authenticode

Microsoft Authenticode enables software developers to ship their software together with verifiable information about who published it and whether the binary has been altered since it was signed. It is based on digital signatures and X.509 certificates issued by a certificate provider, which the recipient's Windows system checks at verification time. If you have software which you want to distribute on the Internet, signed with Authenticode and backed by a certificate from a TTP (trusted third party) certificate provider, the recipe below can be useful for automating the signing step:

  • Obtain a code-signing certificate from a provider. As a result of your application you will get a private key file (.pvk extension) protected by a password known only to you, and a certificate file (.spc extension, a PKCS#7 bundle holding your certificate and its chain). If your provider already delivers a single .pfx (PKCS#12) file, the conversion step below can be skipped.
  • Install the Microsoft Platform SDK to obtain signtool.exe, pvk2pfx.exe and capicom.dll (the latter is needed only by older releases of signtool). You need to install only the Tools and Redistributable Components of the Core SDK.
  • Convert your private key and certificate into a single private key exchange (.pfx) file. -pi supplies the password of the .pvk file and -po sets the password of the new .pfx file; if -pi is omitted, pvk2pfx prompts for the password interactively, which blocks an unattended build:
    pvk2pfx.exe -pvk privatekey.pvk -pi pvk_password -spc certificate.spc -pfx newpfx.pfx -po pfx_password
  • Sign your application with the .pfx produced in the previous step, passing the timestamp service URL of your certificate provider. The timestamp counter-signature keeps the signature valid after your certificate expires, so do not leave it out. Newer releases of signtool also accept /fd sha256 to choose the file digest and /tr URL /td sha256 to request an RFC 3161 timestamp instead of the legacy /t Authenticode timestamp. Note that a password given with /p is visible in the shell history and in the process list of the build machine; keep it in a CI secret store and inject it at run time:
    signtool.exe sign /f newpfx.pfx /p pfx_password /v /t timestamp_service_url application.exe
  • Verify your signed application. /a lets signtool try every verification method (catalog lookup first, then the embedded signature). By default signtool verify applies the Windows driver-signing policy, which can reject an ordinary application; add /pa to verify against the Authenticode policy instead:
    signtool.exe verify /a /v application.exe
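The whole recipe as one unattended pipeline, written here as an added example (it is not code from the original page or from Microsoft). It assumes pvk2pfx.exe and signtool.exe from the Windows SDK are on PATH; TIMESTAMP_URL, the file names and the environment variable names PVK_PASSWORD and PFX_PASSWORD are placeholders. It goes slightly beyond the page by retrying the sign step, since the timestamp server is the part of the chain that fails intermittently, and by treating signtool verify as the only success criterion.

```python
"""Unattended Authenticode signing: convert .pvk/.spc to .pfx, sign, timestamp, verify.

Added example, not code from the original page. Assumes pvk2pfx.exe and signtool.exe
from the Windows SDK are on PATH; TIMESTAMP_URL and the file names are placeholders.
"""
import os
import subprocess
import sys
import time

# Placeholder: replace with the RFC 3161 timestamp server your certificate provider operates.
TIMESTAMP_URL = "http://timestamp.example.invalid/rfc3161"


def pvk2pfx_cmd(pvk, spc, pfx, pvk_password, pfx_password):
    """argv for pvk2pfx. -pi is the .pvk password and -po the password for the new .pfx;
    without -pi, pvk2pfx prompts for the password and an unattended build hangs."""
    return ["pvk2pfx.exe", "-pvk", pvk, "-pi", pvk_password,
            "-spc", spc, "-pfx", pfx, "-po", pfx_password, "-f"]


def sign_cmd(pfx, pfx_password, target, timestamp_url=TIMESTAMP_URL, rfc3161=True):
    """argv for signtool sign. /fd sha256 selects the file digest; /tr + /td request an
    RFC 3161 timestamp, while the page's /t switch requests a legacy Authenticode timestamp.
    Either timestamp keeps the signature valid after the certificate itself expires."""
    cmd = ["signtool.exe", "sign", "/f", pfx, "/p", pfx_password, "/fd", "sha256", "/v"]
    if rfc3161:
        cmd += ["/tr", timestamp_url, "/td", "sha256"]
    else:
        cmd += ["/t", timestamp_url]
    return cmd + [target]


def verify_cmd(target):
    """argv for signtool verify. /pa selects the Authenticode policy; the default is the
    Windows driver-signing policy, which can reject ordinary applications."""
    return ["signtool.exe", "verify", "/pa", "/v", target]


def run_signing(pvk, spc, pfx, target, pvk_password, pfx_password,
                runner=subprocess.run, attempts=3, delay=2.0):
    """Run the three steps in order and return True only if the final verify succeeds.
    The timestamp server is the flaky part of the pipeline, so signing is retried with
    exponential back-off. `runner` is injectable so the flow can be exercised without
    the SDK installed (the default is subprocess.run)."""
    if runner(pvk2pfx_cmd(pvk, spc, pfx, pvk_password, pfx_password)).returncode != 0:
        return False
    for attempt in range(attempts):
        if runner(sign_cmd(pfx, pfx_password, target)).returncode == 0:
            break
        time.sleep(delay * (2 ** attempt))
    else:
        return False
    # Do not trust the sign step's exit code alone: check the embedded signature and chain.
    return runner(verify_cmd(target)).returncode == 0


if __name__ == "__main__":
    # Passwords come from the environment (CI secret store), not from argv, so they do not
    # land in shell history. signtool's /p still exposes the .pfx password to anyone who can
    # list local processes; importing the .pfx into the certificate store once and signing
    # with /sha1 <thumbprint> instead of /f and /p avoids that.
    if len(sys.argv) != 5:
        sys.exit("usage: sign.py privatekey.pvk certificate.spc newpfx.pfx application.exe")
    pvk_file, spc_file, pfx_file, app = sys.argv[1:]
    ok = run_signing(pvk_file, spc_file, pfx_file, app,
                     os.environ["PVK_PASSWORD"], os.environ["PFX_PASSWORD"])
    sys.exit(0 if ok else 1)
```

Run it as `sign.py privatekey.pvk certificate.spc newpfx.pfx application.exe` with the two passwords exported in the environment; the process exit code is non-zero unless signtool verify accepted the result, which is what a CI job should gate on.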