Wednesday, December 17, 2008

Code signing process

Code signing is the process of digitally signing your product. The signature lets users verify who published a download and check that it has not been altered (for example by a virus infection) since it was signed. It is industry-wide professional practice to sign the products you sell, and nowadays most customers refuse to download unsigned software. So sign your code to protect your reputation for delivering genuine software.

To code sign you need the following:
1) A digital certificate (along with its password)
2) Code signing tools
3) The URL of a time stamping server

Digital certificate: You can create your own digital certificates just to try out the signing process. But to do it professionally, you need to buy a certificate from a trusted certification authority such as Comodo, GlobalSign, Thawte or VeriSign.

Code signing tools: Microsoft provides code signing tools such as signcode.exe (shipped with the Microsoft .NET Framework Software Development Kit) and signtool.exe (shipped with Microsoft Visual Studio 2005).

URL of a time stamping server: the signing tool also needs the URL of a time stamping server. This may be one of the following:
- http://timestamp.verisign.com/scripts/timstamp.dll
- http://timestamp.globalsign.com/scripts/timstamp.dll
- http://timestamp.comodoca.com/authenticode

Here is an example of code signing process using signtool.exe.

C:\p4clients\sign\tools> signtool.exe sign /f your-pfx-file /p password /t http://timestamp.verisign.com/scripts/timstamp.dll /v file-to-sign

Here is the Sample Output:
The following certificate was selected:
Issued to: SID Software Inc.
Issued by: Thawte Code Signing CA
Expires: 10/16/2011 2:17:15 AM
SHA1 hash: 4374SD894388B9H456E206124G06D9AV1535G12E

Done Adding Additional Store

Attempting to sign: jservice.exe
Successfully signed and timestamped: jservice.exe

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
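What the signature in the output above actually protects, shown as an added example that is not part of the original post: a Python script (function names authenticode_hash, append_cert_table and build_minimal_pe are my own) that computes the Authenticode digest of a PE file, skipping the same fields the signer and verifier skip, and shows that attaching the certificate table leaves the digest unchanged while any other change to the file does not. The PE image it works on is a constructed 1 KiB fixture, not a real program.

```python
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory slot that points at the certificate table


def _header_offsets(pe: bytes):
    """Return file offsets of the CheckSum field and the Security data-directory entry."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                        # skip "PE\0\0" and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = {0x10B: 96, 0x20B: 112}[magic]        # data directories start: PE32 vs PE32+ (KeyError otherwise)
    return opt + 64, opt + dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY


def authenticode_hash(pe: bytes, algo: str = "sha1") -> str:
    """Digest of everything the signer signs: the file minus CheckSum, the Security
    directory entry and the certificate table. Simplified: hashes the file linearly,
    so it assumes sections sit in file order with no slack (true for the fixture)."""
    checksum_off, sec_dir_off = _header_offsets(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, sec_dir_off)  # file offset, not an RVA
    h = hashlib.new(algo)
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:sec_dir_off])
    h.update(pe[sec_dir_off + 8:cert_off if cert_size else len(pe)])
    if cert_size:                               # bytes after the cert table are still covered
        h.update(pe[cert_off + cert_size:])
    return h.hexdigest()


def append_cert_table(pe: bytes, pkcs7_blob: bytes) -> bytes:
    """Attach a WIN_CERTIFICATE (revision 2.0, PKCS#7 type) the way a signer does."""
    _, sec_dir_off = _header_offsets(pe)
    total = (8 + len(pkcs7_blob) + 7) & ~7     # entries are padded to 8-byte alignment
    entry = (struct.pack("<IHH", total, 0x0200, 0x0002) + pkcs7_blob).ljust(total, b"\0")
    out = bytearray(pe)
    struct.pack_into("<II", out, sec_dir_off, len(pe), total)
    return bytes(out) + entry


def build_minimal_pe(section_data: bytes) -> bytes:
    """Constructed PE32 image with one section: 512 bytes of headers + 512 bytes of data."""
    hdr = bytearray(512)
    hdr[0:2], hdr[64:68] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 64)                     # e_lfanew -> PE signature
    struct.pack_into("<HH", hdr, 68, 0x14C, 1)                # i386, one section
    struct.pack_into("<H", hdr, 84, 224)                      # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", hdr, 88, 0x10B)                    # optional-header magic: PE32
    struct.pack_into("<8sIIII", hdr, 312, b".text", len(section_data), 0x1000, 512, 512)
    return bytes(hdr) + section_data.ljust(512, b"\0")
```

Because the CheckSum field and certificate table are excluded, re-signing or adding a second signature never invalidates the first digest, whereas a single flipped byte anywhere else does.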


As you can see, signtool.exe needs the certificate in .pfx format. Here is the procedure to create one.
Open a command prompt in the folder containing the code signing tools, and type:
>> makecert.exe -sv mykey.pvk -n "CN=Acme Software Inc." mycert.cer

You can substitute your own business name for "Acme Software Inc.". If the file mykey.pvk does not already exist, you will be prompted to enter a password for the private key file. The password may be blank.

On completion of this command you should have two files, mykey.pvk and mycert.cer. Now you need to convert the digital certificate into the Software Publisher Certificate (.spc) format. To do this, type:
>> cert2spc.exe mycert.cer mycert.spc

You will be prompted to enter the password for the private key file.
(Hopefully, you haven't forgotten it already!) When the program
finishes you should have a new file, mycert.spc. Only the two files mykey.pvk and mycert.spc will be used when signing your code.

If you are using the signtool.exe from Microsoft Visual Studio 2005 or
later or the Platform SDK, then you must first import your private key
and software publisher certificate into a single PFX file. This is a
one-off process that need only be repeated whenever you renew your code
signing certificate. Open a command prompt and type:
>> pvk2pfx.exe -pvk mykey.pvk -pi <pvk-password> -spc mycert.spc -pfx mycert.pfx -po <pfx-password>
replacing <pvk-password> with your private key password and <pfx-password>
with the password you want to protect the new PFX file with (this is the
password you later pass to signtool.exe with /p). If you used a blank
password when you created your private key file then you can omit the
-pi option.


Refer to http://www.tech-pro.net/code-signing-for-developers.html for a detailed explanation of code signing.


