
Signing .Net Code with Verisign


I'm not sure why they can't simplify the process of signing code. It seems that every time a release comes out, it takes a day or more to figure out. We use Verisign and have a current pfx file.

I have an application that runs as administrator, so I need to sign both the application as well as the installer. I managed to accomplish this once several months ago, and released. This release, I decided to simplify the process, and set up Visual Studio to automatically sign the required files, using Properties -> Signing for each project. Then I ran my script while building the installer as a PostBuildEvent to sign that.

I thought everything was going well, as the installer gave the company name. However, when I ran the application, "Unknown" was displayed in the UAC. I decided to go back to the way I was doing it before, building, signing the files, building the installer, and finally signing it. This had worked three months ago, but now I am still getting the "Unknown" issue in the UAC popup.

I did not add any new classes to the solution, so my signing scripts should still be valid. I cannot figure out what I may be doing wrong. Is there any good documentation on how to sign with Verisign or simple rules that should be followed? It seems like calling signtool.exe sign /f "Verisign.2012.pfx" /p myPassword "C:\...\Installer.msi" on all .exe and .dll files after building, then creating the installer and calling the same on the .exe and .msi file should ensure that everything is signed and I shouldn't be seeing "Unknown."

Is there anyone out there with more experience than I (I am sure several) who may see the gaping hole in my understanding, and set me on the correct path? Thank you.


Solution

  • I determined what I had been doing wrong. I was building the project and then signing it. After that, I was building the installer and signing that. However, with some testing I discovered that building the installer was stripping the digital signature from my files.

    The correct way to sign with VeriSign on a VS project is not to create an installer that uses project output. Instead, manually select and add the files to your installer. After that, you will need to add a post-build event (Properties -> Build Events -> Post-build event command line) that signs each project's output.

    Thank you to those who suggested solutions.
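
A post-build script along the lines of the answer above, added here as an example and not taken from the original post: it signs each project output with the signtool arguments from the question, then fails the build if any file lacks a valid Authenticode signature, which is how a signature stripped by a later build step shows up. The script parameters, the `SIGN_PFX_PASSWORD` environment variable, the `-VerifyOnly` switch and signtool.exe being on PATH are assumptions.

```powershell
# Added example (not from the original post).
# Assumed names: -OutputDir, -PfxPath, -VerifyOnly, SIGN_PFX_PASSWORD.
param(
    [Parameter(Mandatory)] [string] $OutputDir,  # e.g. "$(TargetDir)" in the post-build event
    [string] $PfxPath,                           # e.g. Verisign.2012.pfx
    [switch] $VerifyOnly                         # check signatures without signing
)
$ErrorActionPreference = 'Stop'

function Get-SignableFile([string] $Dir) {
    Get-ChildItem -Path $Dir -Recurse -File -Include *.exe, *.dll, *.msi
}

function Invoke-Sign([string] $File, [string] $Pfx, [string] $Password) {
    # Same arguments as in the question: sign /f <pfx> /p <password> <file>
    & signtool.exe sign /f $Pfx /p $Password $File
    if ($LASTEXITCODE -ne 0) { throw "signtool failed for $File (exit $LASTEXITCODE)" }
}

function Get-UnsignedFile([string] $Dir) {
    # Every file whose Authenticode status is not 'Valid', including files
    # that were signed earlier and lost the signature in a later build step.
    Get-SignableFile $Dir | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ File = $_.FullName; Status = $sig.Status }
        }
    }
}

if (-not $VerifyOnly) {
    if (-not $PfxPath) { throw '-PfxPath is required unless -VerifyOnly is set' }
    # Password comes from the environment so it is not stored in the project file.
    $password = $env:SIGN_PFX_PASSWORD
    if (-not $password) { throw 'SIGN_PFX_PASSWORD is not set' }
    Get-SignableFile $OutputDir | ForEach-Object { Invoke-Sign $_.FullName $PfxPath $password }
}

$bad = @(Get-UnsignedFile $OutputDir)
if ($bad.Count -gt 0) {
    $bad | Format-Table -AutoSize | Out-String | Write-Host
    throw "$($bad.Count) file(s) under $OutputDir are not validly signed"
}
Write-Host "All signable files under $OutputDir carry a valid signature."
```

Running it with `-VerifyOnly` against the folder the installer picks its files from, just before the installer is built, shows whether the files being packaged still carry their signatures.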