Download and Install Code Signing Certificates (Rutoken)

Prerequisites

• Downloaded and installed GlobalSign Code Signing Certificate

• Windows Software Development Kit (SDK) for Windows 8.1↗

• SHA-256 orders may additionally require GlobalSign Code Signing Root R45 (R3 cross)

IMPORTANT: The Code Signing Root R45 (R3 cross) will need to be installed on the signing computer but not specified as an additional certificate during the signing procedure.

Important SignTool Options

1. /ac - Specify an additional certificate.

2. /a - Automatically selects the best certificate to sign the file from your Windows Certificate Store.

3. /n - "Certificate Common Name" specifies the certificate to sign the file from your Windows Certificate Store using the certificate common name.

4. /fd SHA256 - Specify the file digest algorithm used in creating file signatures.

5. /t - Specify a Microsoft Authenticode-compatible time stamp server.

6. /tr - (Recommended) Specify an RFC 3161 compliant trusted time stamp server.

7. /td SHA256 - (Recommended) Should be called after "/tr", this command specifies the TimeStamp digest algorithm.
   
   TimeStamp URL (SHA-2 based): http://timestamp.globalsign.com/tsa/r45standard

INFORMATION: Timestamping your Code is extremely important and is highly recommended for every piece of code that you sign. This timestamp will allow the file that you sign to remain valid long after the certificate itself has expired.

Rutoken version 4.17.0.0 and above

1. You can either sign files out of a working directory or you can place them in your Windows SDK\bin folder.

2. Open the Command Prompt (Windows 7: Start > Run > cmd, or, for Windows 8 - 10, press the Windows Key, then type cmd and press enter).

3. Navigate to the directory with signtool.exe.

4. Use the following command to sign your file:
   
   signtool sign /a /tr http://timestamp.globalsign.com/tsa/r45standard /td SHA256 /fd SHA256 c:/path/to/your/file.exe

5. Enter your Token Password. If the signing is successful, you will see a prompt informing you so.

6. To verify the successful signature, use the following commands:

   1. Authenticode: signtool verify /v /pa

   2. Kernel Driver Signing: signtool verify /v /kp

You may also verify the signature within the properties of the file, under the Digital Signatures tab.

Rutoken version 4.17.0.0 and below

1. Install the latest java. (jdk and jre). 
   NOTE: Required for keytool and signing a file.

2. Search where the file is located: "rtPKCS11ECP.dll", f.i.. C:\Windows\System32\rtPKCS11ECP.dll
   NOTE: You can get this from the SDK website↗. ​​​​

3. Download the latest release of jsign from this download link↗ and add the file to the library (java jdk bin folder).

4. Create a file called "eToken.cfg". Add the path to the library and the number of the slot into which the token is connected (if there is one on the machine, then most likely on the zero slot), as shown below, and add the file to the library (java jdk bin folder):

   name = OpenSC-PKCS11
   description = SunPKCS11 via OpenSC
   library = C:\Windows\System32\rtPKCS11ECP.dll
   slotListIndex = 0

5. Run the Command Prompt as Administrator and specify the path to the Java jdk bin folder.

6. Get a list of certificates on your token by using this command:

   keytool -list -v -keystore NONE -storetype PKCS11 -storepass 12345678 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg eToken.cfg

   
   Where, "-storepass 12345678" is the password for your token.

    

7. You need a certificate field: "Alias name" (f.i.., Alias name: RSA)

8. Sign the file "File.exe":

   java -jar jsign-5.0.jar --keystore eToken.cfg --alias "RSA" --storetype PKCS11 --storepass 12345678 --alg SHA-256 --tsaurl
   http://timestamp.globalsign.com/tsa/r45standard --tsmode RFC3161 File.exe