Unpack and repack exe file


I would also advise you to decouple signing from timestamping. Also, don't forget to timestamp the signed files so that the validity of the signature can be guaranteed.

I would advise against storing the hash in source control in case you have to go back and build an old version - it should be part of your environmental configuration, e.g. an env var or something else that can be decoupled from your source code. We have to regularly update our certificates so we have additional steps in our build to re-import the certificate locally at the start of the build, and pull in the certificate hash.


Once it's installed into the local certificate store you just reference it using the SHA thumbprint, which you can find on the certificate properties or by just listing the cert in certmgr.exe.


You will need to install your Software Publishing certificate onto the machine using certmgr.exe or the certificates mmc snapin. If you want to embed signing into your unattended build process, you can just use the MSBuild SignFile task, which wraps the Authenticode signing APIs. Alternatively just use a call to SignTool.exe.
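
A build step that puts the advice above together, as an added example that is not part of the original post: the thumbprint and timestamp server come from the environment, the certificate is checked in the local store before use, and signing and timestamping are separate SignTool calls. The function name and the `SIGN_CERT_THUMBPRINT` and `SIGN_TIMESTAMP_URL` variables are assumptions, and `signtool.exe` is assumed to be on the PATH.

```powershell
# Added example. Invoke-BuildSigning, SIGN_CERT_THUMBPRINT and SIGN_TIMESTAMP_URL
# are hypothetical names; set the two variables in the build environment, not in source control.
function Invoke-BuildSigning {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string] $Thumbprint   = $env:SIGN_CERT_THUMBPRINT,
        [string] $TimestampUrl = $env:SIGN_TIMESTAMP_URL,
        [int]    $TimestampRetries = 3
    )
    if (-not $Thumbprint -or -not $TimestampUrl) {
        throw 'SIGN_CERT_THUMBPRINT and SIGN_TIMESTAMP_URL must be set.'
    }
    # Thumbprints copied from the certificate properties dialog often carry
    # spaces or invisible characters; keep only the hex digits.
    $thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # Fail early if the certificate was not imported, has no private key, or has expired.
    $cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
    if (-not $cert)                    { throw "Certificate $thumb not found in the My store." }
    if (-not $cert.HasPrivateKey)      { throw "Certificate $thumb has no private key here." }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $thumb expired $($cert.NotAfter)." }

    $signArgs = @('sign', '/sha1', $thumb, '/fd', 'SHA256')
    if ($cert.PSPath -like '*LocalMachine*') { $signArgs += '/sm' }  # machine store

    foreach ($file in $Path) {
        # Step 1: sign only, no network access needed.
        & signtool.exe @signArgs $file
        if ($LASTEXITCODE -ne 0) { throw "Signing failed for $file" }

        # Step 2: timestamp separately, so a flaky timestamp server can be
        # retried without signing the file again.
        $stamped = $false
        for ($i = 1; $i -le $TimestampRetries -and -not $stamped; $i++) {
            & signtool.exe timestamp /tr $TimestampUrl /td SHA256 $file
            $stamped = ($LASTEXITCODE -eq 0)
            if (-not $stamped) { Start-Sleep -Seconds (5 * $i) }
        }
        if (-not $stamped) { throw "Timestamping failed for $file" }

        # Step 3: verify the result against the Authenticode policy.
        & signtool.exe verify /pa $file
        if ($LASTEXITCODE -ne 0) { throw "Verification failed for $file" }
    }
}
```

Call it from the build as `Invoke-BuildSigning -Path .\bin\Release\MyApp.exe` (path constructed for illustration); any non-zero SignTool exit code stops the build.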
