Partager via


Sign the Binary Files (Compact 2013)

3/26/2014

Binaries that you include in the Windows Embedded Compact OS run-time image do not have to be signed because they are automatically trusted by Security Loader. However, binaries that you do not include in the Security Loader-enabled run-time image must be signed with a known certificate before they can run.

Choose a signing certificate and a certificate chain that you can use to sign and validate the signatures. For information about certificate trust verification and certificate chains, see Certificate Trust Verification and Certificate Chains.

We recommend that your certificate chain have a trust hierarchy that is at least one level deep so that the root, or any intermediate certificate, can be added to the Code Integrity certificate store of your device, leaving the leaf certificate to be used for signing the binary. (The leaf certificate is the last certificate in the certificate chain and the farthest away from the root.) By using this structure, different leaf certificates can sign for different classes of binaries and then each can chain to the same root or an intermediate certificate. Having different leaf certificates provides a simpler way to revoke or block a certificate and the class of binaries that is signed with that certificate.

If you are using a certificate chain one level deep, sign the binary by using a personal information exchange (PFX) file. The PFX format is also known as the public-key cryptography standards (PKCS) #12 format.

To sign a binary with a certificate chain one level deep

  1. Create a PFX file that contains the signing certificate and its private key. For more information on creating PFX files with the Certificate Export Wizard, follow the instructions in this documentation topic.

  2. Specify the path of this PFX file in the environment variable BUILDSIGN_CERTPATH:

    set BUILDSIGN_CERTPATH=C:\Certificates\CodeSign\Trusted.pfx
    
  3. Call sign <path_to_binary> to sign the binary.

    Note

    You cannot invoke Signtool.exe from the Flat Release Directory.

If you are using a certificate chain more than one level deep, sign the binary by using a certificate in the development computer’s certificate store.

To sign a binary with a certificate chain more than one level deep

  1. Import the signing certificate chain to the development computer’s certificate store.

  2. Specify the command line to use for Signtool.exe using the environment variable BUILDSIGN_CMDLINE:

    set BUILDSIGN_CMDLINE=sign /n "<name_of_certificate>"
    
  3. Call sign <path_to_binary> to sign the binary.

See Also

Concepts

Deploy an Application on an OS with Security Loader