I'm applying a digital signature to my executable. Using signtool on Windows XP or Windows Vista:
>signtool.exe sign /f "avatar.pfx" MyApp.exe
automatically included the entire certification chain in the digital signature.
Starting with Windows 7 the entire certification chain is no longer included. You must manually include the certificate that:
- signed your key
- signed the certificate that signed your key
- ...
- ...until there are no more certificates to include
I am told that I have to do this using the /ac switch with the signtool utility. From the MSDN documentation of signtool:
/ac FileName
Specifies a file that contains an additional certificate to add to the signature block.
How do I get the filename of the certificate that signed my certificate?
It's more confusing because I don't have any such file. I have my digitally signed executable with no embedded certification chain.
Stack Overflow user davidcl had the same question. In his self-answered question he says that I need to
do the signing using a PFX file that contains the root certificate, intermediate certificate, developer certificate, and private key.
After creating the appropriate PFX file - which was an odyssey in itself...
But he doesn't say how he created the PFX that contains the entire certification chain.
>cert2spc.exe Avatar.cer Avatar.spc
b) combine spc and Private Key (pvk) into pfx:
>pvk2pfx.exe -pvk Avatar.pvk -spc Avatar.spc -pfx Avatar.pfx
– Ian Boyd
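As an added example (not part of the question, the comment, or davidcl's answer), here is one way to build a PFX that holds the developer certificate and its private key together with the intermediate and root certificates, i.e. the kind of file davidcl's answer says signtool /f needs. It uses the OpenSSL command line instead of cert2spc/pvk2pfx, and the three-level chain it generates is a constructed stand-in for a real CA-issued chain; the file names, the working directory, and the PFX password `demo` are all assumptions. The final function reads the PFX back and counts the certificates inside it, which is the check that tells you whether the chain actually made it into the file.

```shell
#!/bin/sh
# Added example: build a PFX (PKCS#12) that contains the end-entity certificate,
# its private key, AND the intermediate + root certificates, using OpenSSL.
# Everything below is constructed demo data; a real chain comes from your CA.
set -e

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory
PFX_PASS="demo"                # assumed password for the demo PFX

# Generate a constructed three-level chain: root -> intermediate -> leaf.
make_demo_chain() {
  # Self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" -subj "/CN=Demo Root CA" 2>/dev/null
  # Intermediate CA, signed by the root
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" -subj "/CN=Demo Intermediate CA" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/int.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/int.pem" 2>/dev/null
  # Leaf (the "developer certificate" from the question), signed by the intermediate
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=Demo Code Signing" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/leaf.csr" \
    -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
}

# Bundle leaf key + leaf cert + the rest of the chain into one PFX.
# -certfile is what pulls the intermediate and root certificates into the file;
# without it the PFX carries only the leaf, which is the situation in the question.
build_full_chain_pfx() {
  cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"
  openssl pkcs12 -export \
    -inkey "$WORK/leaf.key" -in "$WORK/leaf.pem" -certfile "$WORK/chain.pem" \
    -name "Demo Code Signing" -passout "pass:$PFX_PASS" -out "$WORK/full.pfx"
}

# Check: how many certificates are actually inside the PFX?
# Expect 3 (leaf, intermediate, root) for the demo chain above.
count_pfx_certs() {
  openssl pkcs12 -in "$WORK/full.pfx" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

make_demo_chain
build_full_chain_pfx
echo "certificates in $WORK/full.pfx: $(count_pfx_certs)"
```

For a real signing certificate, replace the generated files with your own leaf certificate and key plus the intermediate and root certificates your CA provides (concatenated into the -certfile argument), and then pass the resulting PFX to signtool with /f as in the question. Running the count function on any PFX you already have is a quick way to see whether it contains only the leaf or the whole chain.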