How to sign the executable on Windows
Self-signed certificate
Note
This is only a quick overview. Read the official documentation for details.
Requirements:
Windows 10+
PowerShell > 5 (ideally 7+)
the signtool.exe utility, which can be installed along with the Windows 10 SDK. Only the "Windows SDK Signing Tools for Desktop Apps" feature is required.
Create a self-signed certificate:
New-SelfSignedCertificate -Type Custom -Subject "CN=Oslandia, O=Oslandia, C=FR" -KeyUsage DigitalSignature -FriendlyName "QGIS Deployment Toolbelt" -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")
Save the thumbprint into a variable:
$thumbprint = (Get-ChildItem Cert:\CurrentUser\My -Recurse | Where-Object { $_.FriendlyName -like "QGIS Deployment*" }).Thumbprint
Create a password to encrypt the certificate:
$pass = Read-Host "Enter Password" -AsSecureString
Export it with a password:
Export-PfxCertificate -cert "Cert:\CurrentUser\My\$thumbprint" -FilePath ssc_oslandia_qdeploymenttoolbelt.pfx -Password $pass
Sign it:
Tip
Adapt the path to signtool.exe to your system (arch and SDK version) and the path to the executable.
Try it with automatic mode:
& 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe' sign /a /fd SHA256 /td SHA256 /tr http://timestamp.comodoca.com/rfc3161 .\dist\QGISDeploymentToolbelt_0-1-0_Windows64bit_Python3-8.exe
You should see a message like:
Done Adding Additional Store
Successfully signed: .\dist\QGISDeploymentToolbelt_0-1-0_Windows64bit_Python3-8.exe
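If you see an error, you can try again, specifying the certificate file to use and its password. signtool.exe expects the password as plain text, so the SecureString stored in $pass is converted on the command line, and the executable to sign is passed as the last argument:
& 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe' sign /a /fd SHA256 /f ssc_oslandia_qdeploymenttoolbelt.pfx /p ([System.Net.NetworkCredential]::new('', $pass).Password) /td SHA256 /tr http://timestamp.comodoca.com/rfc3161 .\dist\QGISDeploymentToolbelt_0-1-0_Windows64bit_Python3-8.exe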
When you open the properties of the executable, the related tab should look like this:
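The signature can also be checked from PowerShell, which is easier to automate than the properties dialog. The script below is an added example, not part of the original documentation or of the project's code: it pins the signer to the certificate created above and checks the Code Signing EKU and the timestamp. Test-ReleaseSignature and its parameters are hypothetical names; $thumbprint and the executable path are the ones used earlier on this page.

```powershell
# Added example, not project code. Test-ReleaseSignature is a hypothetical helper name.
function Test-ReleaseSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,
        [switch] $RequireTrusted   # also fail when Windows does not trust the chain
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $problems = @()
    if ($sig.Status -eq 'NotSigned' -or -not $cert) {
        $problems += 'file carries no Authenticode signature'
    }
    else {
        # HashMismatch: the file was modified after it was signed.
        if ($sig.Status -eq 'HashMismatch') { $problems += 'content changed after signing' }
        # Pin the signer: reject any certificate other than the expected one.
        if ($cert.Thumbprint -ne $ExpectedThumbprint) {
            $problems += "unexpected signer $($cert.Thumbprint)"
        }
        # The certificate must carry the Code Signing EKU requested via -TextExtension.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if ($eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.3') {
            $problems += 'signer certificate lacks the Code Signing EKU'
        }
        # /tr adds an RFC 3161 timestamp; without one the signature is only
        # accepted while the signing certificate is within its validity period.
        if (-not $sig.TimeStamperCertificate) { $problems += 'no timestamp countersignature' }
        # A self-signed certificate is reported as not Valid on every machine
        # that has not explicitly been configured to trust it.
        if ($RequireTrusted -and $sig.Status -ne 'Valid') {
            $problems += "not trusted here: $($sig.StatusMessage)"
        }
    }
    [pscustomobject]@{
        Path     = $Path
        Status   = $sig.Status
        Signer   = $cert.Subject
        Problems = $problems
        Ok       = ($problems.Count -eq 0)
    }
}
# $thumbprint is the variable saved earlier in this procedure.
$result = Test-ReleaseSignature -Path .\dist\QGISDeploymentToolbelt_0-1-0_Windows64bit_Python3-8.exe -ExpectedThumbprint $thumbprint
$result | Format-List
if (-not $result.Ok) { throw "Signature check failed: $($result.Problems -join '; ')" }
```

Add -RequireTrusted when running the check on a machine that is expected to trust the certificate, such as a test workstation.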