# Everything You Ever Wanted to Know About Authenticode Signing

Posted By Brain

# Introduction

As part of releasing your game to the public, something which is often overlooked is code signing. Code signing is a cryptographic process whereby your game's executables and/or installer are marked as authentic, so that the person running the executable (or anyone else for that matter) can verify that:
• The executable has not been changed since it was signed
• The executable was signed at a specific date and time (provided the signature is timestamped, which is covered below)
• The executable was signed by a known, trackable entity (company or individual) responsible for the code within

These give some definite advantages (as well as introducing some disadvantages) as shown below:

Advantages:
• Signing your executables provides traceability of your code, allowing anyone to see who is responsible for the program
• Signing adds authenticity, which makes your game and your company (if there is one) more reputable and trustworthy
• It gives positive weight to systems such as the Windows SmartScreen filter and many anti-malware programs, which are more permissive of signed executables than unsigned ones

Disadvantages:
• There is an up-front cost involved in acquiring a certificate for code signing
• If you do not have the required forms of identification or business documentation, obtaining a certificate can be hard to impossible
• There is a learning curve to understanding how certificates work (which this article hopes to address)

# The steps involved in signing your code

To properly sign your code, you must follow several steps, which must be completed in a strict order. These steps are:

## Select a certificate authority

Before you can sign your program code, you first need to select a certificate authority (CA). The cost of code signing certificates has come down massively over the past few years. You will need to search for a certificate authority that will provide you with a type of certificate known as a "code signing certificate" or "Authenticode certificate" (some CAs also call it an "object code certificate"). Here are some possible choices; this list is by no means exhaustive and I encourage you to search for additional sources of certificates before parting with any money:

• StartSSL - You will need to pay for "StartSSL Verified" at $59.90 per year. Certificates last two years, after which they must be renewed.
• Comodo - This costs $119.95 per year, however if you are a member of Tucows this can be reduced to $75 per year simply by purchasing through Tucows as a member.
• Verisign/Symantec - Traditionally the most expensive choice but popular with big business. Starts at $795 per year.

Remember to shop around, as many resellers offer the same certificates at a much lower price than the CA's own site; for example, as a business user you can get brand name certificates at a much lower price via RapidSSL. Also remember that a lot of the time you are paying for the brand name. All certificates listed here chain to roots that Windows trusts equally, so there isn't much point in paying $795 per year for a certificate when one you pay $59.90 a year for will function identically.

Once the certificate authority has provided you with a link to download your certificate, you will then have in your possession one or more small files. You will either have (depending on the authority you selected) a separate .crt and .key file, or a .pfx file (PKCS#12, sometimes named .p12), which bundles the certificate and the private key into one password-protected file. The .crt is public and harmless to share; the .key (and any .pfx containing it) is the secret that lets anyone sign code in your name, so treat it accordingly. You should make sure that these files are backed up securely: if you lose them you may have to pay for re-issue of your certificate, which can be costly, and if they are stolen you will have to ask the CA to revoke the certificate. My advice is to move them immediately to a DVD-ROM and lock them away wherever you keep your paper driving license and home insurance, or whatever else holds value to you.

## Saving the certificate file

If your certificate authority has provided you with a .cer and .key file, I advise that before you continue you convert them to a .pfx file, as it is easier to work with on Windows. There are several ways to convert your files, and your certificate authority might provide you with an online tool or a simple download of your certificate in .pfx form. If they do, I suggest you use this feature as it will be more straightforward. If they do not provide such a facility, you can use the openssl toolkit (a free open source download that you will need to install on your PC) to convert your .cer and .key file into a .pfx using the command line below:

openssl pkcs12 -export -out yourcert.pfx -inkey yourkey.key -in yourcert.cer

The program will prompt you for an export password. I strongly recommend you enter a strong one, as this password is all that protects your private key from misuse if the .pfx file is obtained by any third party.

Once you have the .pfx file, simply double click it and Windows will start the Certificate Import Wizard, which adds the certificate and key to your personal certificate store. When the wizard asks about the private key, leave "Mark this key as exportable" unchecked; this stops someone from simply exporting the key from your certificate store at a later date. The wizard will prompt you for the password you set on the file; enter it, then continue clicking through accepting the defaults. Once complete, you will receive a message saying the import was successful, which means you are now ready to sign executables!

Please remember that the certificate you have purchased is valid for signing files until its expiry date, so you only have to buy the certificate once every one or two years (or however long the certificate is valid for), and with this one purchase you can sign as many executables as you like, whenever you like. After this, the sky is the limit!

# Signing your executables, and timestamping

We now finally have the correct configuration and the correct files to be able to sign our executables. It is important to note, however, that there is one important difference between signing an executable and putting an SSL certificate onto a website or most other uses of certificates: binary code may be timestamped. What this means, in simple terms, is that the signed executable can still be considered valid even after your certificate has expired; you just wouldn't be able to sign any new files with an expired certificate. To prove the point, find any signed executable on your disk which is over three years old. The chances are that by now the certificate which was used to sign this file has expired (you can see this by right clicking on the file, choosing Properties, then the 'Digital Signatures' tab, and viewing the signer's certificate), however if the file is timestamped, Windows will still consider the signature valid when you run it.

Timestamping happens as part of signing when you ask for it. signtool sends a hash of your signature to a timestamp authority (TSA) run by a third party, and the TSA returns a countersignature, made with its own certificate, that binds that hash to the current trusted time. When the file is later checked, Windows verifies that your certificate was valid at the time recorded in the timestamp rather than right now. Any RFC 3161 timestamp server whose root Windows trusts will work, but the safe default is the one your own certificate authority publishes, which you can easily find on Google. One caveat: a timestamp only preserves a signature that was made while the certificate was valid. If the certificate is later revoked with a revocation date earlier than the timestamp (for example because the key was stolen), the signature becomes invalid regardless.

Armed with this information, signing your code is quite straightforward:

"C:\Program Files (x86)\Windows Kits\8.0\bin\x64\signtool.exe" sign /d "Your games name" /fd sha256 /tr http://www.startssl.com/timestamp /td sha256 /a path\to\your\executable.exe

In the command above we are using the signtool.exe binary, which comes with the Windows 8 development kit. There will likely be several copies of this executable on your disk and any one of them will do fine for this task.

We specify the "friendly name" of our program using the /d parameter, as shown above; /fd sha256 sets the file digest algorithm (without it signtool defaults to SHA-1, which current Windows versions no longer accept for new signatures); and the /tr parameter specifies an RFC 3161 timestamp server as discussed above, with /td sha256 choosing the digest the timestamp covers. The same command can be used not only to sign executables, but also DLL and OCX files, driver files, CLR assemblies, and just about any other type of Windows executable you can imagine. The /a parameter simply tells signtool to use the first valid code signing certificate held in your certificate store to sign the file; if you hold more than one, /sha1 followed by the certificate's thumbprint selects a specific one. If you followed this article to the letter, the certificate store is where your code signing certificate and key will currently reside. I store my code signing certificate here as it is generally a secure place to put it, where you don't risk accidentally committing it to your code repository or copying it to a network drive, encrypted or not. To check the result, right click the signed file, choose Properties and the 'Digital Signatures' tab, or run signtool verify /pa /v against it, which also prints the time of the timestamp. If your executable requires elevation (which most install packages do), the UAC prompt will now show your name or company as the verified publisher instead of "Unknown publisher".
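The whole procedure (convert, import without an exportable key, sign with a timestamp, then verify that the timestamp is actually present) can be scripted so it is repeatable for every release. The PowerShell script below is an added example and is not part of the original article; the file names, the game description and the timestamp URL are placeholders you must replace, it assumes openssl is on the PATH and a Windows Kit providing signtool.exe is installed, and it uses the PKI module's Import-PfxCertificate, which ships with Windows 8 / Server 2012 and later.

```powershell
# Added example, not from the original article: convert -> import -> sign -> verify.
# Assumed placeholder values: every default below, especially the timestamp URL,
# which must be replaced with the RFC 3161 server your CA publishes.
param(
    [string]$CertPem      = 'yourcert.cer',                  # assumed: certificate from the CA
    [string]$KeyPem       = 'yourkey.key',                   # assumed: your private key
    [string]$PfxPath      = 'yourcert.pfx',                  # assumed: PKCS#12 bundle to create
    [string]$Executable   = 'path\to\your\executable.exe',   # assumed: file to sign
    [string]$Description  = 'Your games name',
    [string]$TimestampUrl = 'http://timestamp.example.test'  # assumed: your CA's RFC 3161 TSA
)
$ErrorActionPreference = 'Stop'

function Find-SignTool {
    # Assumption: a Windows Kit lives under Program Files (x86). Returns the x64
    # signtool.exe whose path sorts highest, i.e. roughly the newest kit installed.
    $kits = Join-Path ${env:ProgramFiles(x86)} 'Windows Kits'
    Get-ChildItem -Path $kits -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -like '*\x64\*' } |
        Sort-Object FullName -Descending |
        Select-Object -First 1 -ExpandProperty FullName
}

# Step 1: bundle certificate and key into a password-protected PKCS#12 file.
# openssl asks for the export password interactively; never hardcode it in a script.
if (-not (Test-Path $PfxPath)) {
    & openssl pkcs12 -export -out $PfxPath -inkey $KeyPem -in $CertPem
    if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 export failed' }
}

# Step 2: import into the current user's Personal store. Import-PfxCertificate
# leaves the private key NON-exportable unless -Exportable is passed, which is
# the same choice as leaving "Mark this key as exportable" unchecked in the wizard.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword

# Confirm the store now holds a code-signing certificate with its private key and
# that it has not already expired (an expired cert cannot sign new files).
$signer = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $imported.Thumbprint -and $_.HasPrivateKey }
if (-not $signer) { throw 'Imported certificate is not a code-signing certificate with a private key' }
if ($signer.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($signer.NotAfter)" }

# Step 3: sign. /sha1 picks the certificate by thumbprint (more precise than /a),
# /fd sha256 sets the file digest, /tr and /td sha256 request an RFC 3161 timestamp.
$signtool = Find-SignTool
if (-not $signtool) { throw 'signtool.exe not found; install a Windows SDK' }
& $signtool sign /fd sha256 /tr $TimestampUrl /td sha256 /d $Description /sha1 $signer.Thumbprint $Executable
if ($LASTEXITCODE -ne 0) { throw 'signtool sign failed' }

# Step 4: verify the two properties that matter: the signature chains to a trusted
# root, and a timestamp countersignature is present so it outlives the certificate.
$sig = Get-AuthenticodeSignature -FilePath $Executable
if ($sig.Status -ne 'Valid') { throw "Signature is not valid: $($sig.StatusMessage)" }
if (-not $sig.TimeStamperCertificate) {
    throw 'Signed but NOT timestamped; the signature will stop validating when the certificate expires'
}
"Signed by  : {0}" -f $sig.SignerCertificate.Subject
"Timestamped: {0}" -f $sig.TimeStamperCertificate.Subject
# signtool's own verifier additionally prints the exact timestamp time.
& $signtool verify /pa /v $Executable
```

The explicit timestamp check in step 4 is the part worth keeping in a release pipeline: a timestamp server outage makes signtool fail with /tr, but a signing step that silently drops the timestamp (for example a script that retries without it) produces a file that validates today and breaks the day the certificate expires.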

# Summary

## Article Update Log

21 Apr 2015: Started work on article
7 May 2015: Initial release


## User Feedback

Thank you for the step by step instructions.  Looks very easy to follow.  I'm off looking for CA now.

You're welcome :) please let me know if anything is unclear so I can update the article. This is a pretty niche subject I think, but I'm hoping there are others who might suggest improvements :)


Thanks, very good and detailed description. I am also pure hobbyist game developer, and was interested in this step.

The price tag however makes it a no go for me unfortunately, as I give my games away for free.

Out of curiosity, do you intend to do something similar for web certificates? (https). As much as I could figure out you wouldn't have to have a fully verified certificate in that case.

@Endurion, If you go to startssl.com you can register for free and get fully recognised server certificates and email certificates. I used these for years until I also needed to do code signing which is where you start paying. You can find lots of tutorials on the Web about how to install that free certificate. Stay away from cacert though as their certificates although free are not properly recognised by windows. Have fun!

Thanks! :)


Very nice article. Thanks for the hard work. :)

- Eck


Thank you. This was very informative and I learned a lot from it.
