Windows Code-Signing process & alternative to MS signtool.exe?

Question

Using a non-Microsoft compiler, I have written small application for Windows that I\'d like to give away for free or sell for some trivial amount ($5 say). The program doesn

Answer 1

An alternative to signtool is Mono's signcode. Mozilla Developer Network has a very useful article on converting your certificate to SPC/PVK format and signing your EXE with Authenticode:

Convert PFX to SPC/PVK

openssl pkcs12 -in authenticode.pfx -nocerts -nodes -out key.pem
openssl rsa -in key.pem -outform PVK -pvk-strong -out authenticode.pvk
openssl pkcs12 -in authenticode.pfx -nokeys -nodes -out cert.pem
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out authenticode.spc

Sign EXE

signcode \
 -spc authenticode.spc \
 -v authenticode.pvk \
 -a sha1 -$ commercial \
 -n My\ Application \
 -i http://www.example.com/ \
 -t http://timestamp.verisign.com/scripts/timstamp.dll \
 -tr 10 \
 MyApp.exe

Passphrases

Unlike signtool, which accepts the passphrase as a command-line argument, it seems like signcode must be given the passphrase on standard input. I was able to use signcode [arguments] < passphrase.txt.