Code SIgning Certificate

Questions & Answers
1

When my windows build is run it gives a security warning so I wish to implement code signing.

Once I have purchased the code signing signature, how do I sign my unity build?

Also can anyone recommend where to get a code signing certificate for a single developer at a reasonable price?

3

Cygon4’s answer is a little out-dated. To add some more info, Microsoft’s up-to-date documentation on Signtool is here:

Windows SDK’s have moved as well, to: “C:\Program Files (x86)\Windows Kits\10\bin”.

You want to install an up-to-date version of the Windows 10 SDK and use Signtool from that, as Signtool has changed a bit over time.

For me, to use signtool it was simply:

  1. Build Unity project
  2. Setup signtool
    path in System Path Variable
  3. From the command line: signtool sign “build.exe”
2

It is something that I yet have to do myself, but by the information I collected so far, signing an executable is relatively simple:

  1. Acquire a code signing certificate and import it into your Windows Certificate Store (Win+R, MMC, Ctrl+M, pick Certificates)
  2. Build your Unity game as normal, ending up with an unsigned .exe
  3. Use Microsoft SignTool as described here: Authenticode Code Signing with Microsoft SignTool

Take this with a grain of salt because I haven’t gone through this process myself.

I can’t make any good recommendations for cheap certificates as most currently offered at low prices are somehow associated with Comodo (they have been breached not too long ago, thus the price reductions).

4

The Answer Nick Tempe gives works perfectly if you are self signing the app.
If you do end up purchasing Code Signing Certification (if you need to have one for clients or to avoid the Windows prompt of it being software from the internet that may not be safe) then you will want to add some aditional flags to the signtool command.

My company needed a EV Code Certificate and the command that we use is:
signtool sign /fd sha256 /tr http://ts.ssl.com /a

The /tr flag is to timestamp so that the program can run in the future even after your certificate has expired. The link after the flag is SSL.com’s timestamp utility, Digicert also has one at: http://timestamp.digicert.com/
Additional info about this can be found: How Do I sign a Windows Application

If you will have an installer for your app be sure to sign the installer as well. If you use Inno to create your installer you can set it up to run the signtool automatically when the installer has compiled more info about that here: Inno Sign Tool

5

Being a single solo developer, all you require is Individual Code Signing Certificate which is highly suitable for solo developer code security requirements and software validation purposes to users.

You can get an affordable Comodo or Sectigo Individual Code Signing Certificate from any trusted reseller rather than CA like I usually obtain an Individual Signing Certificate from SignMyCode at a very affordable pricing of just $210.99/year!