Signing Code Using PVK and SPC Files

I have a Windows Forms application that is ready for distribution. One of the last steps is getting code-signing working. We purchased a Code Signing certificate from Thawte. This resulted in a PVK (private key) and an SPC (certificate) file being delivered. Then the question arose of how to go about using them.

Referring to the documentation for SignTool.exe, there did not seem to be a way to sign the code using the PVK and SPC files via the command line. Though this was possible using the GUI program (accessible using the -signwizard command line option), in order to get this integrated with my build process, I needed a way to initiate the code signing fully from the command line.

The solution turned out to be the following:

1) Convert the PVK and SPC files to a PFX file (Personal Information Exchange file – this encapsulates the info found in the PVK and SPC files). This is done using the pvk2pfx.exe executable (which had been included as part of the .Net SDK, and was found in C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin on my computer). I used the following syntax to do this (Pass1 is the original password for the PVK file, Pass2 is the new password for the pfx file. Ref):

pvk2pfx.exe -pvk mykey.pvk -pi Pass1 -spc mycert.spc -pfx newpfxfile.pfx -po Pass2 -f

After this ran, I had a PFX file called newpfxfile.pfx ready to be used.

2) Use SignTool and the PFX file to sign my code. Now that I had a PFX file, I was able to sign my code (and timestamp it) using the following command line syntax:

signtool.exe sign /f newpfxfile.pfx /p Pass2 /d "AppDescription" /du "AppURL" /t http://timestamp.verisign.com/scripts/timstamp.dll LocationOfCode
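Both steps wrapped in one build script, as an added example that is not from the original post. It assumes pvk2pfx.exe and signtool.exe are on the PATH, takes the file names and passwords as parameters instead of hardcoding them, and adds a verify step so the build fails if the signature or timestamp did not take.

```powershell
# Added example (not from the original post): PVK + SPC -> PFX -> signtool, then verify.
# Assumptions: pvk2pfx.exe and signtool.exe are on PATH; passwords come from the caller
# (a CI secret or prompt) rather than living in the build script.
param(
    [Parameter(Mandatory)] [string] $PvkPath,       # e.g. mykey.pvk
    [Parameter(Mandatory)] [string] $SpcPath,       # e.g. mycert.spc
    [Parameter(Mandatory)] [string] $PfxPath,       # e.g. newpfxfile.pfx (output)
    [Parameter(Mandatory)] [string] $PvkPassword,   # Pass1 in the post
    [Parameter(Mandatory)] [string] $PfxPassword,   # Pass2 in the post
    [Parameter(Mandatory)] [string] $Target,        # the .exe/.dll to sign
    [string] $Description  = "AppDescription",
    [string] $InfoUrl      = "AppURL",
    [string] $TimestampUrl = "http://timestamp.verisign.com/scripts/timstamp.dll"
)

$ErrorActionPreference = "Stop"

# Run a native tool and turn a non-zero exit code into a terminating error,
# so a failed conversion or signing step stops the build instead of being ignored.
function Invoke-Tool([string] $Exe, [string[]] $ToolArgs) {
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# Step 1: combine the private key (PVK) and certificate (SPC) into one PFX.
# -f overwrites an existing PFX; remove it if the script should refuse to clobber one.
Invoke-Tool "pvk2pfx.exe" @("-pvk", $PvkPath, "-pi", $PvkPassword,
                            "-spc", $SpcPath, "-pfx", $PfxPath, "-po", $PfxPassword, "-f")

# Step 2: sign and timestamp the target with the new PFX.
Invoke-Tool "signtool.exe" @("sign", "/f", $PfxPath, "/p", $PfxPassword,
                             "/d", $Description, "/du", $InfoUrl,
                             "/t", $TimestampUrl, $Target)

# Step 3 (check): confirm the signature chains to a trusted root and carries a timestamp.
# /pa = default Authenticode verification policy, /v = verbose signer/timestamp details.
Invoke-Tool "signtool.exe" @("verify", "/pa", "/v", $Target)

# The PFX now holds the private key protected only by $PfxPassword: keep it out of
# source control and restrict it to the build account that needs it.
```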

Seems simple, but it took quite a lot of research to get this process right. Hopefully the info can help save someone else some time.