Timely. Just two days ago I had my first ever request to code sign a project.
I haven’t looked into how to do it yet but from the sounds of your post there might be a lot of outdated information out there on this topic. Do you have any up to date references you’d recommend as a first step?
Hi Lachlan
The main bit that is outdated is that you can no longer get a certificate as a file - certificates are only issued on usb tokens or by cloud services. The reason that is a big deal is the tokens require authentication - which makes automation complicated.
FWIW, when you google ‘code signing’ the first few pages are dominated by companies selling certificates or cloud signing services (and they of course steer you that way).
Code signing is usually done using Microsoft’s signtool.exe - point it at your exe, tell it where the certificate is and let it do its thing.
You can use signtool.exe with tokens, but you have to jump through some hoops - I blogged about that a couple of years ago. If you use virtual machines, that complicates things further.
Our solution gets rid of the authentication issues and allows you to use your certificate/usb token from multiple machines.
Here is how we use it:
Our token is plugged into a linux server in my home(*). That server runs virtualhere and a virtual machine in Sydney runs the virtualhere client - that exposes the token as though it was plugged directly into the vm. That vm has the Safenet client software installed - and as far as it is concerned the usb token is local.
On that same vm, we run Signotaur - and we configured it to use the certificate on the usb token (using the safenet pkcs#11 driver).
On our build agent VMs (we have multiple) (and occasionally on dev machines) we use the Signotaur client to do the signing. The client has a very similar command line to signtool.
Without Signotaur, the token/certificate was only usable on the machine it is plugged into (directly or virtually) - so we were copying files to that vm to get signed and then copying them back to continue with the rest of the build (slow). We also had issues with authentication - you cannot use rdp to interact with the safenet client so we had to install another remote desktop solution that wasn’t detected by the client (i.e. VNC).
If you don’t already have a token, get started on the process asap - it can take a few days to a few weeks. Make sure your company DUNS details are up to date as they use them for identity verification.
* The token has a bright blue light that screams ‘take me’ - our company servers are in a shared rack in Sydney so I didn’t want my $1000 token to get taken by some tech wandering by.
OK so my next step is to buy a certificate which will be supplied as a USB token. Any recommendations on where to purchase it from?
The customer project I need it for is a suite of internal business applications so there are multiple executables. Can you use one certificate for multiple EXEs?
Also who is the most suitable entity to purchase the certificate, the customer or myself? They will never distribute the software publicly and I suppose now that I’ve been asked by one customer for code signing, it’s only a matter of time before another customer asks for it too.
I have used KSoftware successfully for the last few years.
https://www.ksoftware.net/code-signing-certificates/
Switched from OV (file) to EV (USB token) 3 years ago.
Getting approved by Sectigo took a while however.
Lex
There are a bunch of places - I got mine from GoGetSSL - they were cheaper than other places. They basically take the order and then hand it off to Digicert. Apart from the verification issues with Digicert (my DUNS details were out of date) it was pretty smooth.
As many as you like
I would suggest you get your own - I am surprised you have gotten away with delivering unsigned executables for as long as you have.
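A post-signing check for the "one certificate, many EXEs" case above, as an added example that is not from this thread: it walks a suite directory on the build agent and reports any binary that is unsigned, signed by a different certificate, or lacks a timestamp. The suite directory and the expected SHA-1 thumbprint are placeholders.

```powershell
# Added example, not from the thread. Verifies that every executable in a
# suite carries a valid Authenticode signature from the one expected
# certificate and that the signature is timestamped.
# Assumptions: $SuiteDir and $ExpectedThumbprint are placeholders to replace.
param(
    [string]$SuiteDir = 'C:\Build\Suite',
    [string]$ExpectedThumbprint = 'PLACEHOLDER_SHA1_THUMBPRINT'
)

$problems = @()

Get-ChildItem -Path $SuiteDir -Recurse -Include *.exe, *.dll | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName

    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch, UnknownError, etc. all fail the build
        $problems += "$($_.FullName): signature status is $($sig.Status)"
    }
    elseif ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        # Signed, but not by the certificate on our token
        $problems += "$($_.FullName): signed by unexpected certificate " +
                     $sig.SignerCertificate.Thumbprint
    }
    elseif (-not $sig.TimeStamperCertificate) {
        # Without a timestamp the signature stops validating when the cert expires
        $problems += "$($_.FullName): signature is not timestamped"
    }
}

if ($problems.Count -gt 0) {
    Write-Host 'Code signing check FAILED:'
    $problems | ForEach-Object { Write-Host "  $_" }
    exit 1
}

Write-Host "All binaries under $SuiteDir are signed by $ExpectedThumbprint and timestamped."
exit 0
```

Run it as the last step of the build so an unsigned or wrongly signed binary never reaches the customer.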
This customer has grown big enough to put in some enterprise level security systems which is what has prompted the request. Before reaching that point though there really isn’t anything that steers customers towards wanting their internal software code signed. I’m sure it’s a different story for a product vendor like yourself.
Sometimes it is forced on you by the version of Windows your software is running on. I had to get it when a customer was using Windows Enterprise. It was also needed for later versions of Windows Server.