Code Signing

Information related to signing code with your Yubikey

❊ Why Sign Code?

Code signing does two things: it identifies the publisher of the software (whoever controls the private key that matches the signing certificate) and proves that the code has not been altered or tampered with since it was signed. Both are essential for building trust with users and for distributing your software safely.

The process for code signing is similar to that used for SSL/TLS certificates: a pair of cryptographic keys is used, one public and one private, and a certificate binds the public key to your identity so that verifiers can authenticate both you and your code.

The best and safest way to obtain a certificate is to generate the key pair yourself (ideally on the YubiKey, so the private key never leaves the device), then send a certificate signing request (CSR) containing only the public key to a trusted certificate authority (CA). The CA takes you through an authentication process and returns a certificate signed by it. The private key is never sent anywhere; a CA that asks for it, or that generates the key for you, defeats the purpose of the hardware token. Your choice of CA is important, as it determines which systems will trust your signature and therefore how widely you can distribute your software.

Another type of certificate, popular in the open-source community, is the self-signed certificate. A self-signed certificate is not signed by a publicly trusted CA but by the developer or company responsible for the website or software. Nothing outside your own machines trusts such a certificate until it is explicitly installed as a trusted root, so it suits internal builds and development far better than public distribution.

❊ Create Certificate

We need to generate a PIV certificate to store on your Yubikey. The new PIV certificate should be configured for Digital Signatures. We will store this new certificate in slot 9c of your Yubikey, which is the PIV slot reserved for digital signatures.

Before continuing, make sure you've followed the steps to import the PIV certificate onto your Yubikey.
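The following is an added example of the slot-9c setup described above, using the YubiKey Manager CLI (ykman) from PowerShell; it is not code from the original page or from Yubico's documentation. It assumes ykman is on PATH, that you can supply the PIV management key and PIN when prompted, and that the subject name, file names and the `$UseCA` switch are placeholders you adjust.

```powershell
# Added example (not from the original page): create the 9c signing key on the
# YubiKey and obtain a certificate for it with ykman.
# Assumptions: ykman is on PATH; management key and PIN are entered at the prompts;
# $Subject, $UseCA and the file names are placeholders.

$Subject = 'CN=Example Publisher,O=Example Org'   # placeholder subject
$UseCA   = $true                                  # $true: CSR to a CA; $false: self-signed

# 1. Generate the key pair ON the token; only the public key is written out.
#    PIN once per session plus touch on every signature means a process on the
#    host cannot sign silently while the key is plugged in.
#    Note: publicly trusted CAs currently require RSA 3072 or larger for code
#    signing; a YubiKey offers that only on firmware 5.7 and later, so check
#    your CA's minimum before choosing the algorithm.
ykman piv keys generate --algorithm RSA2048 --pin-policy ONCE --touch-policy ALWAYS 9c 9c-public.pem
if ($LASTEXITCODE -ne 0) { throw 'Key generation failed' }

if ($UseCA) {
    # 2a. CA route: a CSR carries the public key and is signed by the slot key
    #     (expect a PIN prompt and a touch). The private key never leaves the device.
    ykman piv certificates request --subject $Subject 9c 9c-public.pem 9c-request.csr
    if ($LASTEXITCODE -ne 0) { throw 'CSR creation failed' }
    'Submit 9c-request.csr to your CA; when it returns the issued certificate, run:'
    '  ykman piv certificates import 9c <issued-certificate.pem>'
} else {
    # 2b. Self-signed route: the certificate is written straight into slot 9c.
    ykman piv certificates generate --subject $Subject --valid-days 365 9c 9c-public.pem
    if ($LASTEXITCODE -ne 0) { throw 'Self-signed certificate generation failed' }
}

# 3. Confirm what ended up in the slot and keep a copy of the certificate for
#    importing into Windows (or for distributing to verifiers).
ykman piv info
ykman piv certificates export 9c 9c-cert.pem
```

Once the certificate is in slot 9c, Windows sees it through the YubiKey smart card minidriver; on machines where the minidriver is installed the certificate normally appears in the user's Personal store by itself when the key is inserted, which is what the next section relies on.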

❊ Obtain Certificate Thumbprint

In order to sign code, you need to know the thumbprint for the certificate you've created.

Press Win + R, type certmgr.msc, and press Enter.

Navigate to Certificates - Current User -> Personal -> Certificates.

Locate your imported certificate and double-click.

Select and copy (CTRL + C) the Thumbprint.

Save your thumbprint somewhere that you'll be able to easily access it. On some Windows versions the copied value starts with an invisible Unicode left-to-right mark; if signtool later reports that no certificate matched the criteria, retype the first character of the thumbprint by hand.

❊ Sign using Signtool.exe

Open Command Prompt, Terminal, or Powershell.

You need to navigate to the folder that contains signtool.exe. If you installed the Windows SDK it lives under C:\Program Files (x86)\Windows Kits\10\bin\<version>\x64\signtool.exe; a Visual Studio ClickOnce install also ships a copy at C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\signtool.exe.

A few commands have been provided below in order to search for it:

where signtool.exe

In PowerShell, type where.exe signtool.exe instead: there, where on its own is an alias of Where-Object and will sit waiting for pipeline input.

You can also simply type signtool in your console and see what is output. If signtool's folder is on your PATH environment variable, it runs from any folder; if you get an error, change into the folder where signtool.exe is, or call it by its full path.

Finally, to sign an exe or dll, take the following command and modify it with your certificate thumbprint, as well as the file you wish to sign (note the space before each switch; /sha1 selects the certificate by thumbprint, /fd is the file digest, /t is the timestamp server):

signtool sign /sha1 c67f754db0000000000000000000000000000000 /fd SHA256 /t http://timestamp.comodoca.com/authenticode "C:\path\to\program.exe"

/t requests a legacy Authenticode timestamp. To get an RFC 3161 timestamp hashed with SHA-256 instead, replace the /t switch with /tr http://timestamp.sectigo.com /td SHA256. Timestamp either way: once the certificate expires, only a timestamped signature remains valid.

After entering the command, you should be prompted to enter your PIN:

Once you enter your PIN, a black command box should appear and then disappear in a few seconds.

Go to the exe or DLL file you were trying to sign, right click on it, and hit Properties.

You should have a new tab called Digital Signatures which lists your certificate name, the digest algorithm, and the timestamp.
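The thumbprint lookup and the signtool steps above, done end to end from PowerShell, as an added example that is not part of the original page. It assumes the YubiKey is inserted and its certificate has reached Cert:\CurrentUser\My, that the Windows 10 SDK is installed, and that the target path and timestamp URL are placeholders you replace.

```powershell
# Added example (not from the original page): locate the certificate thumbprint,
# find signtool.exe, sign, then verify the result.
# Assumptions: certificate is in Cert:\CurrentUser\My; Windows 10 SDK installed;
# $Target and $TsaUrl are placeholders.

$Target = 'C:\path\to\program.exe'        # file to sign (placeholder)
$TsaUrl = 'http://timestamp.sectigo.com'  # RFC 3161 timestamp server (placeholder)

# 1. Thumbprint: the scripted equivalent of the certmgr.msc steps. Take the
#    code-signing certificate that is still valid and has a private key behind it.
$Cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw 'No usable code-signing certificate in Cert:\CurrentUser\My' }
# Keep hex digits only; this also drops the hidden mark certmgr sometimes copies.
$Thumbprint = $Cert.Thumbprint -replace '[^0-9A-Fa-f]', ''
"Signing with $($Cert.Subject) ($Thumbprint)"

# 2. Locate signtool.exe: PATH first, then the newest x64 copy in the Windows Kits tree.
$SignTool = (Get-Command signtool.exe -ErrorAction SilentlyContinue).Source
if (-not $SignTool) {
    $SignTool = Get-ChildItem "${env:ProgramFiles(x86)}\Windows Kits\10\bin" -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue |
                Where-Object { $_.DirectoryName -like '*\x64' } |
                Sort-Object FullName -Descending | Select-Object -First 1 -ExpandProperty FullName
}
if (-not $SignTool) { throw 'signtool.exe not found; install the Windows SDK or add it to PATH' }

# 3. Sign. /fd is the file digest; /tr and /td request an RFC 3161 SHA-256
#    timestamp. The YubiKey minidriver prompts for the PIN (and touch) here.
& $SignTool sign /sha1 $Thumbprint /fd SHA256 /tr $TsaUrl /td SHA256 /v $Target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 4. Verify with the default Authenticode policy (/pa), which is the same chain
#    check Explorer's Digital Signatures tab performs. A self-signed certificate
#    that is not in Trusted Root fails this step even though the signature is intact.
& $SignTool verify /pa /v $Target
if ($LASTEXITCODE -ne 0) { Write-Warning 'Signed, but the certificate chain is not trusted on this machine' }

# The same check without signtool, from PowerShell itself:
Get-AuthenticodeSignature -FilePath $Target |
    Format-List Status, StatusMessage, SignerCertificate, TimeStamperCertificate
```

The filtering in step 1 matters on a machine that holds several certificates: an expired or key-less entry selected by mistake produces the same "no certificates were found" error from signtool as a mistyped thumbprint.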

❊ Sign Windows Catalog File (Powershell)

A digitally-signed catalog file (.cat) can be used as a digital signature for an arbitrary collection of files. A catalog file contains a collection of cryptographic hashes, or thumbprints. Each thumbprint corresponds to a file that is included in the collection.

If you are using a self-signed certificate, Set-AuthenticodeSignature only reports the signature as Valid when the chain ends in a trusted root, so you MUST have your certificate installed in Certificates -> Current User -> Trusted Root Certification Authorities -> Certificates. Installing your own certificate there is a trust decision for that user profile: do it only on machines you control, and do not expect other machines to trust the catalog without the same step.

Open Powershell and execute the command:

$Cert = Get-ChildItem -Path 'cert:\currentuser\my' -CodeSigningCert | Out-GridView -PassThru

A box will open and ask you to select the certificate you wish to use for signing.

Next, we will create our catalog file.

In the command below, replace C:\path\to\file.txt with whatever file you wish to create a catalog for. It can be an exe, dll, or anything else; -Path also accepts a folder, in which case every file in it is hashed into the catalog.

Also in the command below, replace C:\path\to\myCatalog.cat with the name of the catalog file you wish to create. Keep -CatalogVersion 2.0: version 2.0 records SHA-256 hashes, whereas version 1.0 records SHA-1.

New-FileCatalog -Path "C:\path\to\file.txt" -CatalogFilePath "C:\path\to\myCatalog.cat" -CatalogVersion 2.0

A catalog file should appear in the folder you specified.

We will now sign the newly created catalog file by executing the following in Powershell:

Set-AuthenticodeSignature -FilePath "C:\path\to\myCatalog.cat" -HashAlgorithm SHA256 -Certificate $Cert -TimestampServer 'http://timestamp.sectigo.com'

A dialog box requesting your PIV PIN should appear:

After you click OK, Powershell should output the results of your signature:

Directory: C:\Users\Aetherinox\

SignerCertificate                         Status                             StatusMessage                      Path
-----------------                         ------                             -------------                      ----
C67F754DB421E20CE5AFD13909481FCEBC86FD7C  Valid                              Signature verified.                myCatalog.cat

You can right-click the catalog file and select Properties to check that the Digital Signatures tab appears with your signature info.
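The catalog workflow above, extended to a whole release folder and followed by a tamper check, as an added example that is not code from the original page. It assumes the YubiKey certificate is in Cert:\CurrentUser\My, and that the thumbprint, the folder path and the timestamp URL are placeholders you replace.

```powershell
# Added example (not from the original page): catalog a folder, sign the catalog,
# validate the files against it, then show what a modified file looks like.
# Assumptions: certificate in Cert:\CurrentUser\My; $Thumbprint, $Release and
# $TsaUrl are placeholders.

$Thumbprint = 'C67F754DB421E20CE5AFD13909481FCEBC86FD7C'  # replace with your thumbprint
$Release    = 'C:\path\to\release'                       # folder to protect (placeholder)
$Catalog    = "$Release.cat"                             # kept outside the folder it describes
$TsaUrl     = 'http://timestamp.sectigo.com'

# Select the certificate by thumbprint instead of through Out-GridView, so the
# script can run unattended apart from the PIN prompt.
$Cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $Cert) { throw "Certificate $Thumbprint not found in Cert:\CurrentUser\My" }

# 1. Catalog every file in the folder. Version 2.0 stores SHA-256 hashes.
if (Test-Path $Catalog) { Remove-Item $Catalog }
New-FileCatalog -Path $Release -CatalogFilePath $Catalog -CatalogVersion 2.0 | Out-Null

# 2. Sign the catalog; the YubiKey prompts for the PIN (and touch, if set).
$Sig = Set-AuthenticodeSignature -FilePath $Catalog -Certificate $Cert -HashAlgorithm SHA256 -TimestampServer $TsaUrl
if ($Sig.Status -ne 'Valid') {
    # For a self-signed certificate this is where a missing Trusted Root entry shows up.
    Write-Warning "Signature status: $($Sig.Status) - $($Sig.StatusMessage)"
}

# 3. Validate the files against the catalog. Test-FileCatalog compares hashes
#    only; it does NOT check the catalog's own signature, so do both.
$Files = Test-FileCatalog -CatalogFilePath $Catalog -Path $Release -Detailed
$CatSig = Get-AuthenticodeSignature -FilePath $Catalog
"Files: $($Files.Status)   Catalog signature: $($CatSig.Status)"   # expect Valid / Valid

# 4. Tamper test: append one byte to the first file, re-validate, then restore it.
$Victim = Get-ChildItem $Release -File | Select-Object -First 1
$Backup = Join-Path $env:TEMP ($Victim.Name + '.bak')
Copy-Item $Victim.FullName $Backup
try {
    [IO.File]::AppendAllText($Victim.FullName, ' ')
    $After = Test-FileCatalog -CatalogFilePath $Catalog -Path $Release -Detailed
    "After modifying $($Victim.Name): $($After.Status)"   # expect ValidationFailed
    # -Detailed exposes the per-file hashes, so the mismatched entry can be named:
    $After.PathItems.GetEnumerator() |
        Where-Object { $After.CatalogItems[$_.Key] -ne $_.Value } |
        ForEach-Object { "  mismatch: $($_.Key)" }
} finally {
    Move-Item $Backup $Victim.FullName -Force
}
```

Two points the interactive steps do not make obvious: the catalog must live outside the folder it covers (otherwise re-running New-FileCatalog hashes the previous catalog into the new one), and a green result from Test-FileCatalog says nothing about who signed the catalog, which is why step 3 also reads the catalog's Authenticode status.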
