Code Signing with Digital Certificates using Thawte, Microsoft SignTool and Indigo Ro


desertkoala
06-28-2008, 11:14 PM
I’m guessing you guys have all done code signing at some point or another in your professional lives. Well, if you have not, it is a pain in the butt and you have been lucky to have avoided it thus far. Here is what I needed to do in order to set up automated code signing for Indigo Rose MSI Factory.

ADMINISTRATIVE STEPS
1. Shell out $400 US to Thawte for a two year digital signature. Ah – wait my friend, you don’t get it just yet. That only gets you an immediate private key (PVK) at the end of the operation and a bunch of ugly paperwork. The PVK creation process is interactive on the Thawte web site and you must keep record of the password you used or you will be SOL. Thawte does not keep record of this password for you.
2. Notarize company letterhead with a message stating that you have a pulse and breathe oxygen – short trip to the local bank to find someone who was certified-to-certify.
3. FAX paperwork to Thawte
4. Wait a few days for someone to confirm that you have a pulse and breathe oxygen.
5. Receive an email with download instructions for: Microsoft Authenticode (SPC), Netscape, PKCS, and a standard certificate – OK, we are getting somewhere. Total elapsed time is about four business days.
6. The two important things from this process are the PVK and SPC. Everything else was just busy work.

TECHNICAL PREP WORK STEPS
Acknowledgement: http://blogs.conchango.com/stuartpreston/archive/2007/02/19/Automating-signtool.exe-_2800_or-how-to-make-a-PFX-file-from-a-PVK-and-SPC-file_21002900_.aspx

1. OK, clearly this is going to be a pain so let’s make a good working directory. Make a directory called “c:\sign”. This will make it easy to find later. Save all your other email correspondence and original certs in another location – in fact, put them in multiple secure locations.
2. Copy your PVK and SPC files into “c:\sign”
3. Copy your “C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin\signtool.exe” into “c:\sign”. You do have Visual Studio installed – right? If not, rumor has it you can install it as part of this Platform SDK found here: http://www.microsoft.com/downloads/details.aspx?FamilyId=A55B6B43-E24F-4EA3-A93E-40C0EC4F68E5&displaylang=en
4. You need to (should) create a PFX file. This is a heck of a lot easier to work with – trust me. Download the PVKIMPRT.exe tool from here: http://www.microsoft.com/downloads/details.aspx?FamilyID=F9992C94-B129-46BC-B240-414BDFF679A7&displaylang=EN and put it in your “c:\sign” directory.
5. The super geniuses who made the PVKIMPRT download embedded the installer with the same name – good grief. Rename “pvkimprt.exe” to “pvkimprt_zip_source.exe”. Double click on the exe and direct it to decompress the file to “c:\sign”.
6. Again, the super geniuses who made the PVKIMPRT setup used the same name as the utility. What gives with these guys. Rename the new “pvkimprt.exe” to “pvkimprt_setup.exe”. Now, double click on this exe to run the setup program – finally. Yep, have it place the output to “c:\sign”.
7. You now have a shiny new PVKIMPRT utility. Open a command prompt and change to “c:\setup”. Type “pvkimprt.exe –pfx mycert.spc mykey.pvk”.
8. It will ask for the password you used in ADMINISTRATIVE STEPS #1 before it even attempts to run the full utility
9. Click Next on the welcome screen
10. Click “Yes, export the private key” and then click Next
11. For format, leave at the default of “Personal Information Exchange” with only the “Enable strong protection” checkbox left checked. The other checkboxes are not checked. Click Next.
12. Enter the password you used in step #8 and click Next
13. Supply a new name for the PFX such as “c:\setup\mycert.pfx” and click Next.
14. Click Finish and then the utility should respond back saying “Export Successful”.
15. Verify your “c:\setup\mycert.pfx” file exists. If so, Yahooo!

INDIGO ROSE MSI FACTORY CONFIGURATION
1. Open your MSI project and Click on Build->Settings from the pull down menus
2. Click on “Code Signing” Tab
3. Put a check in the “Code sign setups” checkbox
4. Set the “Code signing tool” to “SignTool.exe” from the listbox
5. Set the “Tool location” to “c:\sign\signtool.exe”
6. Leave ALL other fields to blank and head on over to the last field
7. In “Other Arguments”, type “/f c:\sign\mycert.pfx /p <mysupersecretpassword>”. Be sure to replace <mysupersecretpassword> with your password from above.
8. Test your build. MSI Factory will show you the play by play and alert you if the signing process failed. It is very good about being verbose.
9. It should work like a champ. The end. Pat yourself on the back and go get a beer.
10. Wait, save your MSI Factory project file so that you never have the need to plug these parameters in again each time you build a setup. You can also set the values as default for new projects under Edit->Preferences.

TROUBLESHOOTING
If the above did not work, you can try running SignTool using the embedded wizard. It is very good. To do that:
1. Run “c:\sign\signtool.exe signwizard” from a command prompt.
2. Be sure to select “custom” or you will not be able to select a certificate from a file
3. Set CSP to “Microsoft Strong Cryptographic Provider” with a provider type of “RSA FULL”
4. Set algorithm to “sha1”
5. Muddle your way through the rest of the screens and you should end up with a “Successfully Completed” message
6. If that did not work, then it was either driver/user error on your part or some fundamental problem with your PC, as the Wizard in this process is crazy easy to use.

Enjoy. I hope this saves you some hassle in the future.
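The procedure above (PVK + SPC in c:\sign, build a PFX, hand signtool.exe the PFX and password, check the build output) can be scripted so the password never has to sit in a project file. The script below is an added example, not desertkoala's code and not part of MSI Factory; it assumes pvk2pfx.exe from the Windows SDK as a non-interactive stand-in for the PVKIMPRT wizard, the c:\sign layout and file names from the post, two environment variable names for the passwords, and the Verisign timestamp URL quoted later in this thread. Everything else it calls (signtool sign /f /p /t /v, signtool verify /pa) is standard signtool syntax.

```powershell
# Added example (not from the post): convert PVK+SPC to a PFX with pvk2pfx.exe,
# sign one or more MSI files with signtool.exe, timestamp them, and verify the
# result. Paths, environment variable names and the timestamp URL are assumptions.

$SignDir      = 'c:\sign'                          # working directory from the post
$SignTool     = Join-Path $SignDir 'signtool.exe'
$Pvk2Pfx      = Join-Path $SignDir 'pvk2pfx.exe'   # assumed copied from the Windows SDK bin folder
$PvkFile      = Join-Path $SignDir 'mykey.pvk'
$SpcFile      = Join-Path $SignDir 'mycert.spc'
$PfxFile      = Join-Path $SignDir 'mycert.pfx'
$TimestampUrl = 'http://timestamp.verisign.com/scripts/timstamp.dll'

# Passwords come from the environment so they never land in a project file or in
# this script. CODESIGN_PVK_PASSWORD is the password chosen during enrollment;
# CODESIGN_PFX_PASSWORD protects the PFX that gets produced. Both names are assumptions.
$PvkPassword = $env:CODESIGN_PVK_PASSWORD
$PfxPassword = $env:CODESIGN_PFX_PASSWORD
if (-not $PvkPassword -or -not $PfxPassword) {
    throw 'Set CODESIGN_PVK_PASSWORD and CODESIGN_PFX_PASSWORD before running.'
}

function Invoke-Tool([string]$Exe, [string[]]$Arguments) {
    # Run an external tool; each array element becomes one argument. Fail loudly
    # on a non-zero exit code instead of silently producing an unsigned build.
    & $Exe $Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

function ConvertTo-Pfx {
    # pvk2pfx: /pi is the PVK password, /po the password for the new PFX,
    # /f overwrites an existing PFX.
    if (-not (Test-Path $PvkFile) -or -not (Test-Path $SpcFile)) {
        throw "Need both $PvkFile and $SpcFile in $SignDir"
    }
    Invoke-Tool $Pvk2Pfx @('/pvk', $PvkFile, '/pi', $PvkPassword,
                           '/spc', $SpcFile, '/pfx', $PfxFile,
                           '/po', $PfxPassword, '/f')
}

function Invoke-CodeSign([string]$Target) {
    # /f + /p is what the post puts in MSI Factory's "Other Arguments".
    # /t adds a timestamp so the signature stays valid after the cert expires.
    # /v makes signtool print which certificate it used.
    Invoke-Tool $SignTool @('sign', '/f', $PfxFile, '/p', $PfxPassword,
                            '/t', $TimestampUrl, '/v', $Target)
    # Check the signature against the default Authenticode policy before shipping.
    Invoke-Tool $SignTool @('verify', '/pa', '/v', $Target)
}

if (-not (Test-Path $PfxFile)) { ConvertTo-Pfx }
foreach ($msi in $args) { Invoke-CodeSign $msi }
```

Usage: `.\sign-msi.ps1 .\Output\MyProduct.msi` after setting the two environment variables in the build session. MSI Factory's "Other Arguments" field can point at a wrapper like this instead of carrying the raw `/p` password, which is otherwise stored in the project file and, while signtool runs, visible in the process command line to any other local user.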

Intrigued
06-29-2008, 08:57 AM
Thanks for taking the time to explain that process.


plokolp
08-07-2008, 08:32 PM
Hey DesertKoala, thanks for posting this. Great read. I've just completed my MSI code signing. What an ordeal!

Ready for that beer now. What do you suggest? Little Creatures Pale Ale?

Best regards,
Rod

ReconADA
05-20-2009, 04:06 PM
Best explanation I've seen so far! Now if I only had a computer that ran XP...

Our problem is that all of our computers are running Vista and therefore I can't get the PVK file. All I get is the SPC file from thawte. After calling support at thawte I end up talking to someone (at thawte) who tells me that if I give him my cert name and password he will reissue the certificate, download it to his XP machine and then email me the files. I have a few reservations about that but don't see that I have much of a choice.

To make a long horrible story short(er)... I haven't received diddly squat from our hero at thawte and now have a code signing certificate that I can't use.

Has anyone been able to sign applications using Vista and if so could you help a brother out and let me know how you were able to perform this miracle?

Thanks in advance.

ReconADA
05-20-2009, 04:28 PM
Here is also what Thawte has on their website regarding Vista.

Effective Date: 2007-06-13 07:00:00 Etc/GMT

Advisory:

When using a Windows Vista operating system to request a MS Authenticode Code Signing certificate, the private key cannot be manually saved to a specified location because of Vista's security settings. Instead, Vista will save the private key into the registry. During enrollment, the box labeled “private key storage” under “certificate private key generation” on the enrollment page which would allow you to select the directory for storing the private key does not appear. This option does show up using XP.

After receiving the certificate (.spc), right clicking on the .spc file and choosing to install the certificate will tie the private key and certificate into the registry.

You can now sign and timestamp your code (timestamping is optional): signcode -cn "My Organisation" mycab.cab -t http://timestamp.verisign.com/scripts/timstamp.dll

Please note: when using Vista the private key is not exportable. Therefore, code signing can only be done using the machine that was used to request the certificate.

Not sure what that means but all attempts to get this to work have been fruitless thus far.
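The advisory quoted above describes the case where the private key lives in the certificate store rather than in a PVK/PFX file, so the `/f` + `/p` recipe from the first post does not apply and the certificate has to be selected from the store instead. The script below is an added example, not from the thread or from Thawte; it assumes signtool.exe at c:\sign\signtool.exe, the subject name "My Organisation" from the advisory's signcode -cn example, and the Verisign timestamp URL the advisory quotes. It checks that the certificate in the current user's personal store actually carries a private key and the Code Signing EKU before signing, then signs by thumbprint (signtool's `/n` selects by subject name, much like signcode's `-cn`; `/sha1` is the unambiguous choice when a renewal leaves two certificates with the same subject in the store).

```powershell
# Added example (not from the thread): sign from the certificate store instead of
# a PFX file, for a key that was enrolled on Vista and is not exportable.
# Subject name, signtool path and timestamp URL are assumptions.

$SubjectName    = 'My Organisation'                 # the CN from the advisory's signcode example
$SignTool       = 'c:\sign\signtool.exe'
$TimestampUrl   = 'http://timestamp.verisign.com/scripts/timstamp.dll'
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'               # id-kp-codeSigning

function Get-CodeSigningCert([string]$Subject) {
    # Enrollment on Vista installs into the current user's personal store, which is
    # also signtool's default store when /s and /sm are not given.
    $candidates = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like "*CN=$Subject*" -and $_.HasPrivateKey }
    foreach ($cert in $candidates) {
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($usage in $ext.EnhancedKeyUsages) {
                    # Only accept a certificate that is valid today and permitted to sign code.
                    if ($usage.Value -eq $CodeSigningOid -and $cert.NotAfter -gt (Get-Date)) {
                        return $cert
                    }
                }
            }
        }
    }
    throw "No unexpired code-signing certificate with a private key for CN=$Subject in Cert:\CurrentUser\My"
}

function Invoke-StoreSign([string]$Target) {
    $cert = Get-CodeSigningCert $SubjectName
    Write-Host ("Signing {0} with thumbprint {1} (expires {2})" -f $Target, $cert.Thumbprint, $cert.NotAfter)
    # /sha1 picks the certificate by thumbprint; /t timestamps the signature.
    & $SignTool sign /sha1 $cert.Thumbprint /t $TimestampUrl /v $Target
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }
    # Verify against the default Authenticode policy before the file leaves the machine.
    & $SignTool verify /pa /v $Target
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
}

foreach ($file in $args) { Invoke-StoreSign $file }
```

Usage: `.\sign-from-store.ps1 .\MyProduct.msi` on the machine where the certificate was requested. If `Get-CodeSigningCert` throws, the certificate either was not installed into the store (the advisory's "right-click the .spc and install" step), was installed without its private key, or has expired, and no signing tool will be able to use it.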