March 30, 2023
Sign a Windows Executable on MacOS with a Self-signed Certificate
I needed to create a self-signed certificate on my MacBook to test-sign a Windows .exe created by Godot using osslsigncode. I found that the openssl which comes with macOS is incompatible with osslsigncode's openssl library version. Thus, we need to use the version installed by Homebrew.
The first step was to install Homebrew:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
Install osslsigncode, which is needed to sign Windows applications on macOS; openssl is installed as a dependency:
brew install osslsigncode
I created an openssl config file, local to the directory where I create my certificates (openssl.cnf):
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = <Country>
ST = <State>
L = <City>
O = <Company Name>
OU = <Organizational Unit>
CN = www.example.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.com
DNS.2 = example.com
For the remaining commands, use the openssl installed by Homebrew rather than the system one:
/opt/homebrew/opt/openssl/bin/openssl
Generate a private key for the CA:
openssl genrsa -out ca.key 4096
Generate the CA certificate:
openssl req -config openssl.cnf -new -x509 -days 1826 -key ca.key -out ca.crt
Generate a private key for code signing:
openssl genrsa -out codesign.key 4096
Generate a new certificate signing request (CSR):
openssl req -config openssl.cnf -sha256 -new -key codesign.key -extensions v3_req -out codesign.csr
Create the code-signing certificate from the CSR, signed by the CA:
openssl x509 -req -days 1826 -in codesign.csr -CA ca.crt -CAkey ca.key -extfile openssl.cnf -set_serial 01 -out codesign.crt
Export the certificate and its private key as a PKCS#12 (.pfx) file:
openssl pkcs12 -export -out codesign.pfx -inkey codesign.key -in codesign.crt -passout pass:<password>
Verify the password by reading the PKCS#12 file back:
openssl pkcs12 -in codesign.pfx -noout
You can now sign your Windows executable:
osslsigncode sign -pkcs12 codesign.pfx -pass "<password>" -t http://timestamp.digicert.com -in example.exe -out signed_example.exe
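As an added example (not the post's own commands), here is the CA-plus-leaf procedure above as a script, with an extension profile that marks the leaf for code signing (keyUsage digitalSignature, extendedKeyUsage codeSigning) instead of the serverAuth profile in the openssl.cnf above, followed by checks that the chain verifies and the EKU is present. It assumes an OpenSSL 3.x binary on PATH (on macOS, the Homebrew one); the subjects, file names and key sizes are my own choices.

```shell
# Added example, not code from the original post: build a test CA and a leaf
# carrying the extensions a code-signing certificate is expected to have, then
# check the chain and the EKU. Assumes OpenSSL 3.x on PATH (on macOS, the
# Homebrew copy at /opt/homebrew/opt/openssl/bin); names and key sizes are mine.
set -e
# Separate CA and leaf profiles (the page's single [v3_req] is a TLS server profile).
write_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ codesign_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning
authorityKeyIdentifier = keyid:always
EOF
}
# make_codesign_chain DIR: writes ca.key, ca.crt, codesign.key, codesign.crt into DIR.
make_codesign_chain() {
  d="$1"; cnf="$d/ext.cnf"
  write_config "$cnf"
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
  openssl req -config "$cnf" -new -x509 -days 1826 -key "$d/ca.key" \
    -subj "/CN=Example Test CA" -extensions ca_ext -out "$d/ca.crt"
  openssl genrsa -out "$d/codesign.key" 2048 2>/dev/null
  openssl req -config "$cnf" -new -sha256 -key "$d/codesign.key" \
    -subj "/CN=Example Code Signing" -out "$d/codesign.csr"
  # Extensions are applied at signing time; -CAcreateserial draws a random serial
  # rather than the fixed -set_serial 01 every leaf from this CA would then share.
  openssl x509 -req -days 1826 -sha256 -in "$d/codesign.csr" \
    -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -extfile "$cnf" -extensions codesign_ext -out "$d/codesign.crt" 2>/dev/null
}
# has_codesigning_eku CERT: succeeds only if the EKU lists Code Signing.
has_codesigning_eku() { openssl x509 -in "$1" -noout -ext extendedKeyUsage | grep -q "Code Signing"; }
# chain_verifies CERT CA: succeeds if CERT chains to CA.
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

workdir="$(mktemp -d)"
make_codesign_chain "$workdir"
has_codesigning_eku "$workdir/codesign.crt" && echo "EKU: codeSigning present"
chain_verifies "$workdir/codesign.crt" "$workdir/ca.crt" && echo "chain: verified"
```

The resulting codesign.crt and codesign.key can be exported to a .pfx with the pkcs12 command above and used with osslsigncode in the same way.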