Signing Binaries (Compact 7)

3/12/2014

Binaries that you include in the run-time image do not need to be signed because they are automatically trusted by Security Loader, also known as the Loader Verifier Module (LVMOD). However, binaries that you do not include in the run-time image must be signed with a known certificate to run. This topic describes the process for signing binaries that are not included in the run-time image.

Choose a signing certificate and a certificate chain that can be used to sign and validate the signatures. The certificate and chain you choose will depend on whether you have an existing certificate infrastructure.

We recommend that your certificate chain be at least one level deep so that you can add the root, or any intermediate certificate, to the Code Integrity certificate store for LVMOD, and you can use the leaf certificate for signing the binary. With this structure, you can use different leaf certificates to sign different classes of binaries and then chain them to the same root or intermediate certificate. Using different leaf certificates provides a simple way to revoke or block a certificate and the class of binaries that is signed with that certificate.

Which method you use depends on the depth of the certificate chain. If you are using a certificate chain one level deep, sign the binary by using a PFX file. If you are using a certificate chain more than one level deep, sign the binary by using a certificate in the development computer’s certificate store.

Signing a Binary with a Certificate by Using a PFX File

If you are using a certificate chain one level deep, sign the binary by using a PFX file.

To sign a binary with a certificate by using a PFX file

  1. Create a PFX file with the signing certificate and its private key.

  2. Specify the path to this PFX file in the environment variable BUILDSIGN_CERTPATH:
    set BUILDSIGN_CERTPATH=C:\Certificates\CodeSign\Trusted.pfx

  3. Call sign <path_to_binary> to sign the binary.
    Note that you cannot invoke signtool.exe from the Flat Release Directory.

Signing a Binary with a Certificate by Using the Certificate Store

If you are using a certificate chain more than one level deep, sign the binary by using a certificate in the development computer’s certificate store.

To sign a binary with a certificate by using the certificate store

  1. Import the signing certificate chain to the development computer’s certificate store.

  2. Specify the command line to use for signtool.exe using the environment variable BUILDSIGN_CMDLINE:
    set BUILDSIGN_CMDLINE=sign /n "<name_of_certificate>"

  3. Call sign <path_to_binary> to sign the binary.
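The following batch script is an added example and is not part of the Compact 7 documentation or its build tools. It creates a test chain (a self-signed root plus one leaf certificate with the code-signing EKU) with the Windows SDK tools makecert.exe and pvk2pfx.exe, and then runs either of the two procedures above: the PFX-file procedure or the certificate-store procedure. The certificate names, the directory, the sample binary path, the use of certutil.exe to import the chain, and the final signtool verify check are assumptions made for this example; only the BUILDSIGN_CERTPATH, BUILDSIGN_CMDLINE and sign steps come from this topic.

```batch
@echo off
rem Added example, not part of the Compact 7 documentation: builds a test
rem chain (root + leaf) with the Windows SDK tools makecert.exe and
rem pvk2pfx.exe, then runs one of the two signing procedures from this topic.
rem Certificate names, paths, the sample binary and the use of certutil.exe
rem for the import are assumptions made for this example.
rem Usage:  signdemo.cmd pfx   <path_to_binary>
rem         signdemo.cmd store <path_to_binary>
setlocal
set MODE=%~1
set BINARY=%~2
if "%BINARY%"=="" set BINARY=C:\Binaries\MyDriver.dll
set CERTDIR=C:\Certificates\CodeSign
if not exist "%CERTDIR%" mkdir "%CERTDIR%"

rem Self-signed root: this is the certificate that is added to the device's
rem Code Integrity store for LVMOD. It is never used to sign binaries itself.
rem makecert prompts for a private key password; leave it blank so that
rem pvk2pfx can build a PFX without a password (the topic's sign command
rem takes only the path to the PFX file).
makecert -r -pe -n "CN=Example Compact7 Root" -a sha1 -sky signature ^
  -sv "%CERTDIR%\Root.pvk" "%CERTDIR%\Root.cer" || goto fail

rem Leaf certificate issued by the root, with the code-signing EKU
rem (1.3.6.1.5.5.7.3.3). One leaf per class of binaries keeps revocation
rem simple: blocking this leaf blocks only the binaries it signed.
makecert -pe -n "CN=Example Compact7 Drivers" -a sha1 -sky signature ^
  -eku 1.3.6.1.5.5.7.3.3 -iv "%CERTDIR%\Root.pvk" -ic "%CERTDIR%\Root.cer" ^
  -sv "%CERTDIR%\Drivers.pvk" "%CERTDIR%\Drivers.cer" || goto fail
pvk2pfx -pvk "%CERTDIR%\Drivers.pvk" -spc "%CERTDIR%\Drivers.cer" ^
  -pfx "%CERTDIR%\Drivers.pfx" || goto fail

rem sign invokes signtool.exe, which cannot run from the Flat Release
rem Directory, so change to another directory before signing.
pushd "%CERTDIR%"
if /i "%MODE%"=="store" goto store_flow

:pfx_flow
rem Procedure 1: chain one level deep, sign with the PFX file.
set BUILDSIGN_CERTPATH=%CERTDIR%\Drivers.pfx
sign "%BINARY%" || goto fail
goto verify

:store_flow
rem Procedure 2: import the chain into the development computer's stores
rem (root into Root, leaf with its private key into Personal), then tell
rem sign which certificate to use by its subject name.
certutil -user -addstore -f Root "%CERTDIR%\Root.cer" || goto fail
certutil -user -importpfx "%CERTDIR%\Drivers.pfx" || goto fail
set BUILDSIGN_CMDLINE=sign /n "Example Compact7 Drivers"
sign "%BINARY%" || goto fail

:verify
rem Check the signature on the development computer. This validates the
rem chain against the desktop's Root store only, so it succeeds after the
rem store procedure (which imported the root) and fails after the PFX
rem procedure unless the root is also trusted on the desktop. Whether the
rem device accepts the binary depends only on the Code Integrity store that
rem LVMOD uses, which is configured separately.
signtool verify /v /pa "%BINARY%"
popd
endlocal
goto :eof

:fail
echo Signing step failed with error %errorlevel%.
popd 2>nul
endlocal
exit /b 1
```

Run the script from a Compact 7 build window so that the sign command and signtool.exe are on the path. The two procedures are kept in separate labels because each sets a different BUILDSIGN_* variable; running both in one session would leave both variables set, and the topic does not say which one sign prefers.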

See Also

Tasks

Adding Certificates to the Code Integrity Store
Using Test Certificates During Development

Other Resources

Security Loader