Automating code signing with signtool.exe, but without storing the certificate or password
A solution I've used before is similar to @Mikko's answer, but it's split into two pieces:
A local non-controlled script that just sets an environment variable containing the password. This is the file you give to each developer.
@echo off set SIGNPASS=whateverA source-controlled script that calls the previous script and the does the actual signing.
@echo off setlocal call "C:\local\signing_password.bat" "C:\toolpath\signtool.exe" sign /f "c:\certpath\cert.p12" /p "%SIGNPASS%" "%1" endlocal
The setlocal/endlocal pair ensure that the password doesn't leak into the environment if the script is run manually.
The "%1" is the path to the executable passed as a script parameter in the Post Build step.
..
A different way is to import the certificate in each developers private certificate store and then use the thumbprint with signtool like this:
signtool ... /sha1 'hex thumbprint' ...
Then you only need the password during the initial import of the certificate and not during builds.
You could add a batch file in your Project directory, for example sign.bat.
@echo off
<path>\signtool.exe /f cert.p12 /p "password" "compiled.dll"
echo Signed with certificate
Add the file to your .gitignore but do not add it to Visual Studio project.
In your project's properties, call the batch as post-build event.
