Code Signing in Visual Studio Solution with a Setup Project

by Gong Liu May 12, 2010 15:22

One of my recent tasks involves applying for a "Compatible with Windows 7" logo from Microsoft for one of our software products via The Windows 7 Software Logo program. One of the requirements of the program is that we need to code sign all executable files (exe, dll, ocx, sys, drv, src, msi) in an application with an authenticode or code signing certificate. The reason for this is that a user of our application can then be sure that the executables are indeed published by us and they are not altered in any way after publication. In addition, if we code sign a Windows installer package (.msi), Windows User Account Control (UAC) will be able to show our signature to the user before it gets installed. This gives him certain level of confidence in our product. This blog post by Jeff Wilcox shows detailed information about how to purchase a code signing certificate from a CA (certificate authority) and how to sign an executable with the certificate using the utility program signtool.exe. Now let's say we will develop our Windows application with Visual Studio, our application will consist of more than one executable, e.g. typically an exe and one or more dlls, and we would like to distribute our application via a Windows installer package. It is under this context that I will discuss how to digitally sign all executables in a Visual Studio solution that includes a Setup project.  

Before I go over the details, here are some related notes:

  • If your intent is to get "Compatible with Windows 7" logo for your application like I do, you must get a code signing certificate from VeriSign because that's the only brand recognized when you submit your self-test result to Microsoft. Unfortunately, this means you are likely to pay more than getting it from other vendors, such as K Software or Comodo mentioned in Jeff's post.     
  • The Signing tab under a Visual Studio project's Properties page allows you to sign ClickOnce manifests, as well as to perform strong-name signing on assemblies. However, it has nothing to do with signing the executables of an application.
  • When you purchase a code signing certificate from a CA, the certificate will be delivered directly to the certificate store on your machine. You can view or manage all certificates in the certificate store by clicking the Start button and typing certmgr.msc. The following screenshot shows the certificates I have on my Vista machine.

    You can view a certificate's details by double clicking a certificate in the right pane (above). The Certificate dialog box will be shown (such as below). 

  • You can check if an executable is digitally signed or not by right clicking it and selecting Properties. If it is digitally signed, you should see a Digital Signatures tab, as shown below.   


Sample VS Solution

The discussion in the rest of the post is based on the following Visual Studio sample solution:


The sample solution consists of three projects, a main Windows application TestCodeSign, a class library TestCodeSignDll and a Setup project TestCodeSignSetup. The Setup project consists of the primary output from the main application, which references the class library. Note that we have set proper values for the following properties of the Setup project: Author, Manufacturer, ProductName and Title. When we build the sample solution, we get TestCodeSign.exe and TestCodeSignDll.dll. When we build the Setup project, we get setup.exe (bootstrapper) and TestCodeSignSetup.msi. These four executables are what we are interested in signing digitally with a code signing certificate. 

Signing the Executables 

Here are the steps: 

  1. Build the solution in either Debug or Release mode (assume Debug mode in this example).
  2. Open a Visual Studio Command Prompt.
  3. Launch Digital Signature Wizard by typing this command: signtool.exe signwizard
  4. Select an executable to sign, e.g. TestCodeSign.exe from the TestCodeSign project's obj folder instead of the bin folder (see the folder structure below). This is because when you build the Setup project later on, the executable in the obj folder is copied to the bin folder and grabbed from the bin folder to the installer package. 


  5. Select the code signing certificate to use from the certificate store.
  6. Provide a description for the executable.
  7. Specify timestamp service URL. For VeriSign certificate the URL is
  8. Complete the Digital Signature Wizard.
  9. Repeat steps 3 - 8 for TestCodeSignDll.dll.
  10. Now Build the Setup project to generate setup.exe and TestCodeSignSetup.msi (see the screenshot below for their location). Note: DO NOT Rebuild, or the exe and dll you have just signed will be overwritten.

  11. Repeat steps 3 - 8 to sign setup.exe.
  12. Repeat steps 3 - 8 to sign TestCodeSignSetup.msi.

Test It Out

Now that we have signed all the executables in our application, it's time to test it out. Double click setup.exe or TestCodeSignSetup.msi to launch the Installation Wizard. The wizard will go through these steps: Select Installation Folder -> Confirm Installation -> Installing TestCodeSign -> Installation Complete. Between Confirm Installtion and Installing TestCodeSign UAC will show the following message with our signature: 

This proves that the signing of the installer package is working.

Now with Windows Explorer browse to the application's installation folder C:\Program Files\Manufacturer\ProductName or C:\Program Files\Pharos\TestCodeSign in our case, and we will find the two executables installed, TestCodeSign.exe and TestCodeSignDll.dll (see below).


Check the Properties page of any of the two files and we will see the Digital Signatures tab.

Finally, if we try to uninstall the TestCodeSign application from the Control Panel -> Programs, we should see a UAC message with our signature asking us if it's ok to run the uninstaller. This works fine for Windows 7. However, it is not the case for Windows Vista and Windows Server 2008; we will get a message showing "unidentified publisher". This issue/bug has been confirmed by Microsoft and documented widely on the web such as in Aaron Stebner's WebLog

Using the Icon Editor in Visual Studio 2005

by Gong Liu February 13, 2009 20:04

The Icon Editor in Visual Studio 2003/2005 is somewhat under utilized and under-documented. Admittedly, the Icon Editor is awkward to use and has quite a few limitations, such as you cannot create an icon with more than 256 colors or a compressed icon as those used in Vista. However, if you are a developer who occasionally needs to create some icons, the Icon Editor in Visual Studio is a viable choice. Especially if you combine your favorite image editing tool, such as Photoshop, with the Icon Editor, you can get the job done fairly easily. And you don't have to buy any third-party icon tools or plug-ins.

In this post I'll show you how to create an icon that contains multiple image types (size and color depth) using the Icon Editor and Photoshop. Before we dive in, let's first take a look at the Windows standard icon sizes.

Size 16x16 32x32 48x48 96x96 256x256
XP List view/Details view/Windows title bar Icons view Tiles view Thumbnails view Does not support
Vista List view/Details view/Windows title bar Classic view Medium icons Large icons Extra large icons

When you create an icon for your Windows application (especially the one at the top-left corner of a Windows Form), you want to pack all these standard sized icon images into one .ico file. This way, depending on the view, the icon image with the best-fit size will be used for display. If you try to use one size to fit all, sometimes you will get a fuzzy or jagged image.

Now here are the steps to create an icon that contains multiple image types:

  1. Prepare some standard-sized images with Photoshop and save them as transparent .gif files. Don't use .png or other formats, as the Icon Editor can't handle an image with more than 256 colors. In our example I have these images.
    16x16 32x32 48x48 96x96 256x256

  2. Save the color palette for each image. In Photoshop, you click Image -> Mode -> Color Table to bring out the Color Table dialog box. Click Save button to bring out the Save dialog box. Specify a file name and the Microsoft Palette .PAL format, and then click Save button. Leave Photoshop open. We will need it in later steps.

  3. Launch Visual Studio 2005 and create a new Windows Application project with a project name, say IconTest.
  4. Right click IconTest project in Solution Explorer, and then click Add -> New Item.
  5. In the Add New Item dialog box, select Icon File, gave a name to the icon to be created, say GPS.ico, and click Add button.

  6. By default Icon Editor gives you two image types 16x16 16 colors and 32x32 16 colors. We need to delete the two default types and add 5 new types 16x16 256 colors, 32x32 256 colors, 48x48 256 colors, 96x96 256 colors and 256x256 256 colors. To add a new image type, click Image -> New Image Type, and from the New Icon Image Type dialog box select the type you want. To delete an image type, click Image -> Current Icon Image Type, select the type you want to delete, and then click Image -> Delete Image Type. After adding and deleting image types, we should have the 5 new image types under Current Icon Image Types submenu:

  7. Make one of the 5 image types the current type and load the corresponding palette saved in Step 2. To do this, click Image -> Load Palette, in the Load Palette dialog box, browse to the palette file and press Open button.
  8. Go to Photoshop, select the corresponding image, and copy it to clipboard.
  9. Go back to Icon Editor, right click any empty space, and select Paste.

  10. Repeat Steps 7 ~ 9 for all other image types.
  11. Click Save button on the tool bar. The icon GPS.ico is now successfully created.
  12. Now you can add the icon to a WinForm. Double click the WinForm, in the Properties panel select Icon and click . In the Open dialog box, browse to GPS.ico, and press Open button.

You can download the icon GPS.ico here (right click the link and select Save Target As).


A seasoned computer professional. A tofu culture evangelist...
more >>

Tag Cloud


<<  April 2017  >>

View posts in large calendar
Copyright © 2008-2011 Gong Liu. All rights reserved. | credits | contact me
The content on this site represents my own personal opinions, and does not reflect those of my employer in any way.