Our VeriSign Code Signing Digital ID recently expired and upon receipt of the new private key (.pvk) and credential (.spc) files, I decided to review our code signing process. We came to the conclusion long ago that the best place to store certificates is in the private certificate store on our build server. You can browse the certificate store by running certmgr.msc from the Start menu. We favour this approach because it provides a central storage location with access control.
The only question is: What's the best way to import the certificate?
I originally used pvk2pfx.exe to convert the private key and credential files into a single personal information exchange (.pfx) file. This approach works well and the pfx file is compatible with signtool.exe. Here is an example of the command syntax:
pvk2pfx.exe -pvk myPrivateKey.pvk -pi myPrivatePassword -spc myCredentials.spc -pfx myInformationExchange.pfx -f
You can then import the pfx file by opening it from Windows Explorer, which starts the certificate import wizard.
However, there is a simpler approach that uses pvkimprt.exe. This tool is not part of the Windows SDK but can be downloaded from Microsoft. The advantage is that the pvk and spc files are imported directly into the certificate store without requiring a pfx.
Once you've imported the certificate, use the following syntax to sign your files:
signtool.exe sign /a /i "VeriSign" /d "Testing" /t http://timestamp.verisign.com/scripts/timstamp.dll /v test.exe
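As an added example (not from the original post), here is the same flow scripted for a build server in PowerShell: import the pfx into the store, sign with signtool as above, then check that the signature chains correctly and carries a timestamp, which is what keeps a signature valid after the certificate itself expires. The file paths are placeholders and signtool.exe is assumed to be on the PATH.

```powershell
# Added example, not from the original post. Paths below are placeholders.
$Pfx       = 'C:\secrets\myInformationExchange.pfx'
$PfxPass   = Read-Host -AsSecureString 'PFX password'
$Issuer    = 'VeriSign'
$Timestamp = 'http://timestamp.verisign.com/scripts/timstamp.dll'
$Target    = '.\test.exe'

# 1. Import into the Personal store of the account that runs the build
#    (this is the store certmgr.msc shows for that user). Without -Exportable
#    the private key cannot be exported from the store again.
$cert = Import-PfxCertificate -FilePath $Pfx -Password $PfxPass `
            -CertStoreLocation Cert:\CurrentUser\My

# 2. Sign as in the post, but also pin the cert by thumbprint so that a
#    second VeriSign-issued cert in the store cannot be picked by mistake.
& signtool.exe sign /a /i $Issuer /sha1 $cert.Thumbprint /d 'Testing' `
    /t $Timestamp /v $Target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 3. Verify against the default Authenticode policy (chain to a trusted root).
& signtool.exe verify /pa /v $Target
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# 4. Confirm a timestamp countersignature is present; without one the
#    signature stops validating once the signing certificate expires.
$sig = Get-AuthenticodeSignature -FilePath $Target
if ($sig.Status -ne 'Valid') { throw "Authenticode status is $($sig.Status)" }
if ($null -eq $sig.TimeStamperCertificate) {
    throw 'Signature is not timestamped; check the /t server and retry'
}
Write-Host "Signed $Target with $($cert.Subject), timestamped by $($sig.TimeStamperCertificate.Subject)"
```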