koobas.hobune.stream
Code SIgning Certificate
When my windows build is run it gives a security warning so I wish to implement code signing.
Once I have purchased the code signing signature, how do I sign my unity build?
Also can anyone recommend where to get a code signing certificate for a single developer at a reasonable price?
It is something that I yet have to do myself, but by the information I collected so far, signing an executable is relatively simple:
Acquire a code signing certificate and import it into your Windows Certificate Store (Win+R, MMC, Ctrl+M, pick Certificates)
Build your Unity game as normal, ending up with an unsigned .exe
Use Microsoft SignTool as described here: Authenticode Code Signing with Microsoft SignTool
Take this with a grain of salt because I haven't gone through this process myself.
I can't make any good recommendations for cheap certificates as most currently offered at low prices are somehow associated with Comodo (they have been breached not too long ago, thus the price reductions).
Cygon4's answer is a little out-dated. To add some more info, Microsoft's up-to-date documentation on Signtool is here:
https://docs.microsoft.com/en-us/windows/win32/seccrypto/signtool
Windows SDK's have moved as well, to: "C:\Program Files (x86)\Windows Kits\10\bin".
You want to install an up-to-date version of the Windows 10 SDK and use Signtool from that, as Signtool has changed a bit over time.
For me, to use signtool it was simply:
Build Unity project
Setup signtool path in System Path Variable
From the command line: signtool sign "build.exe"
Do you need to sign the DLLs as well? Or is it sufficient to just sign the main executable?
Sorry can you explain step 2 "Setup signtool path in System Path Variable"?
This is not the place. Google "Adding folder paths to the Windows Path Variable". Add the sign tool folder to your path. This is so you can call sign tool from any folder, i.e. your build folder. Not a requirement, just makes it way easier.
The Answer Nick Tempe gives works perfectly if you are self signing the app. If you do end up purchasing Code Signing Certification (if you need to have one for clients or to avoid the Windows prompt of it being software from the internet that may not be safe) then you will want to add some aditional flags to the signtool command.
My company needed a EV Code Certificate and the command that we use is: signtool sign /fd sha256 /tr http://ts.ssl.com /a
The /tr flag is to timestamp so that the program can run in the future even after your certificate has expired. The link after the flag is SSL.com's timestamp utility, Digicert also has one at: http://timestamp.digicert.com/ Additional info about this can be found: How Do I sign a Windows Application
If you will have an installer for your app be sure to sign the installer as well. If you use Inno to create your installer you can set it up to run the signtool automatically when the installer has compiled more info about that here: Inno Sign Tool
