Reputation: 13690
How to sign executables for execution on WEC2013
For a WEC2013 platform with enabled security loader I have created a self-signed certificate. The cert has the attributes
Key Usage: Digital Signature (80)
Enhanced Key Usage: Code Signing (1.3.6.1.5.5.7.3.3)
The cert has been exported to a file ciroots.p7b and a PFX file. The ciroots.p7b has been added to the FILES folder of the WEC2013 platform as described here. The OS design built with the platform includes a copy of the file ciroots.p7b.
The PFX has been used to sign the file using the command
signtool -f /path/to/PFX -p ThePassword example.exe
This matches the description. The signtool command modified the .EXE. The resulting file is about 1kB larger then the original file.
After starting the OS design on the target and copying the signed .EXE to the target it should be possible to execute the program. But the start fails with the message:
Cannot execute example.EXE
What did I miss in the steps described in the WEC2013 documentation? How can I prepare executables to run on a OS design with LVMOD enabled?
Although there were no error messages during the sign process it might be possible that I missed some important attributes. What are requirements for a certificate to be used for code signing with the LVMOD?
Edit: Corresponding to Daniels comment I used signtool to verify the signed file. The certificate has been installed at the PC in the Trusted store (I was asked if I want to trust the cert). Running signtool as at Using SignTool to Verify a File Signature I got the results:
C:\Test>signtool verify example.exe
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of errors: 1
C:\Test>signtool verify /pa example.exe
Successfully verified: example.exe
C:\Test>
The first invocation fails, as the cited in the documentation for signtool:
If the preceding example fails, it could be that the signature used a code-signing certificate. SignTool defaults to the Windows driver policy for verification.
Upvotes: 6
Views: 280
Answers (0)
Related Questions
- Windows: How to sign exe using certificate issued by Certum?
- Signing a Windows EXE file
- Getting WinVerifyTrust to work with catalog signed files such as cmd.exe
- How to correctly sign an executable
- Visual Studio Signing executable with Certificate
- Signing Windows application on Linux-based distros
- How to sign .EXE File
- How do I sign exes and dlls with my code signing certificate
- Signing .EXE executables for free (CAcert)
- Sign executable within a clickonce application when publishing