Configuring Workbench to sign program objects

To begin signing program objects, the code-signing certificate you created must be selected as the signing tool.

Prerequisite: The code-signing certificate exists.
  1. In Workbench, click Tools > Options, and click Code Signing Options.
    The Code Signing Options property sheet opens.

  2. From the Signing Cert drop-down list, select your code-signing certificate.
    The drop-down menu lists only certificates whose key usage is designated as Code Signing. If there is only one code-signing certificate in your User Key Store, this will be the only option.
  3. If desired, set the Tsa Url (Timestamp authority) to a valid timestamp authority.
    This property defaults to the URL. Timestamping a program object signature establishes trust even after the code-signing certificate expires. If your program object signatures are not timestamped, they cannot be validated past the expiration date of the code-signing certificate.
    Note: In framework versions 4.2 and 4.3, Tsa Url defaults to the now-unavailable GeoTrust TSA. In version 4.4, support was added for SHA-256 timestamps and the default was updated to the URL. If you are using version 4.2 or 4.3, the recommended setting for Tsa Url is:

    http://timestamp.digicert.com

    If you leave Tsa Url set to the default GeoTrust TSA in 4.2 or 4.3, code signing will not work and you will run into errors, because the GeoTrust TSA has gone offline.

  4. To complete the configuration, click OK.

This configuration procedure works whether your code-signing certificate is self-signed or signed by a trusted intermediate or root CA certificate, but a CA-signed certificate is preferred. You can set up a self-signed code-signing certificate and have it signed later without revisiting this configuration procedure. However, if you do this, you must re-sign any code that you signed before your code-signing certificate was signed.
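
Because an unreachable TSA breaks signing (step 3), it helps to confirm that the Tsa Url answers SHA-256 timestamp requests before relying on it. The following is an added example, not part of Workbench or its documentation: it builds a generic RFC 3161 request and reads the status from the reply, and all function names are illustrative.

```python
import hashlib
import urllib.request

# DER AlgorithmIdentifier for SHA-256 (OID 2.16.840.1.101.3.4.2.1, NULL parameters)
SHA256_ALG_ID = bytes.fromhex("300d06096086480165030402010500")

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; short-form length is enough for this small request."""
    if len(body) >= 128:
        raise ValueError("body too long for short-form length")
    return bytes([tag, len(body)]) + body

def build_timestamp_request(data: bytes) -> bytes:
    """RFC 3161 TimeStampReq: version 1, SHA-256 messageImprint, certReq TRUE."""
    digest = hashlib.sha256(data).digest()
    imprint = der(0x30, SHA256_ALG_ID + der(0x04, digest))
    return der(0x30, der(0x02, b"\x01") + imprint + der(0x01, b"\xff"))

def skip_header(buf: bytes, pos: int, tag: int) -> int:
    """Check the tag at pos and return the offset of the value that follows."""
    if buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#x} at offset {pos}")
    first = buf[pos + 1]
    # Long-form lengths carry (first & 0x7f) extra length bytes.
    return pos + 2 + ((first & 0x7F) if first & 0x80 else 0)

def response_status(resp: bytes) -> int:
    """PKIStatus of a TimeStampResp: 0 granted, 1 grantedWithMods, 2 rejection."""
    pos = skip_header(resp, 0, 0x30)    # TimeStampResp SEQUENCE
    pos = skip_header(resp, pos, 0x30)  # PKIStatusInfo SEQUENCE
    if resp[pos] != 0x02:
        raise ValueError("PKIStatus INTEGER not found")
    length = resp[pos + 1]
    return int.from_bytes(resp[pos + 2:pos + 2 + length], "big")

def query_tsa(tsa_url: str, data: bytes = b"tsa connectivity probe") -> int:
    """POST a timestamp query to the TSA; raises URLError if it is unreachable."""
    req = urllib.request.Request(
        tsa_url,
        data=build_timestamp_request(data),
        headers={"Content-Type": "application/timestamp-query"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return response_status(resp.read())

if __name__ == "__main__":
    # URL taken from the recommended setting in step 3.
    print("PKIStatus:", query_tsa("http://timestamp.digicert.com"))
```

A status of 0 or 1 means the TSA issued a timestamp token; a connection error or any other status means the Tsa Url should be changed before signing.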