Based on a recent inquiry, I have compiled the following simple how-to on digitally signing Vista Sidebar gadgets. Much of the information can be found at the following two URLs:
Thanks a lot to the original authors!
Running an unsigned “.gadget” file will result in the following warning:
Installing a Sidebar Gadget that is digitally signed results in a similar dialog that shows the publisher and the certificate to the user:
Clicking the “Name” hyperlink shows the website of the publisher (part of the digital signature) and clicking the “Publisher” hyperlink shows the certificate itself:
Gadgets must be created using CAB compression if you want to code-sign them. Zip files renamed to .gadget cannot be code-signed - therefore gadgets created in this way for distribution will always show up as "untrusted publisher" if a user clicks on them.
cabarc -r -p n DemoGadget.gadget "*.*"
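A pre-signing check for the container requirement described above, as an added example that is not part of the original how-to: it tells a real CAB apart from a ZIP renamed to .gadget by reading the file's leading bytes and the fixed CAB header. The function names and the sample inputs are constructed for illustration.

```python
import io
import struct
import sys
import zipfile

CAB_MAGIC = b"MSCF"
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")  # local file header / empty archive
# Fixed part of the CAB CFHEADER (little-endian): signature, reserved1, cbCabinet,
# reserved2, coffFiles, reserved3, versionMinor, versionMajor, cFolders, cFiles,
# flags, setID, iCabinet
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")


def inspect_gadget(data: bytes) -> dict:
    """Classify a .gadget payload and report whether it meets the CAB requirement."""
    if data[:4] in ZIP_MAGICS:
        return {"container": "zip", "signable": False,
                "reason": "renamed ZIP; repackage as CAB before signing"}
    if data[:4] != CAB_MAGIC:
        return {"container": "unknown", "signable": False, "reason": "not CAB or ZIP"}
    if len(data) < CFHEADER.size:
        return {"container": "cab", "signable": False, "reason": "truncated header"}
    (_, _, cb_cabinet, _, _, _, minor, major,
     _, files, _, _, _) = CFHEADER.unpack_from(data)
    if cb_cabinet > len(data) or files == 0:
        return {"container": "cab", "signable": False,
                "reason": "header inconsistent with file contents"}
    return {"container": "cab", "signable": True,
            "files": files, "version": f"{major}.{minor}"}


def sample_zip() -> bytes:
    # Constructed sample: a ZIP archive as it would look after renaming to .gadget.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("gadget.xml", "<gadget/>")
    return buf.getvalue()


def sample_cab(files: int = 2) -> bytes:
    # Constructed sample: a CAB header padded to its declared size (not extractable).
    hdr = CFHEADER.pack(CAB_MAGIC, 0, 64, 0, 44, 0, 3, 1, 1, files, 0, 1, 0)
    return hdr.ljust(64, b"\x00")


if __name__ == "__main__":
    if len(sys.argv) > 1:  # check a real file: python check_gadget.py DemoGadget.gadget
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], inspect_gadget(fh.read()))
    else:
        for name, blob in (("zip", sample_zip()), ("cab", sample_cab())):
            print(name, inspect_gadget(blob))
```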
Now, if you have no valid certificate to sign code at hand, you may want to create your own PFX file with your personal information. You can do this by completing these two steps:
makecert.exe -sv TestKey.pvk -n "CN=Your Name Here" TestKey.cer
pvk2pfx.exe -pvk TestKey.pvk -spc TestKey.cer -pfx TestPFX.pfx -po secure_password
With the PFX file created, sign the gadget:
signtool.exe "sign" /f "TestPFX.pfx" /p "secure_password" /d "Test's Demo Gadget" /du "http://www.test.com" /t "http://www.mycertprovider/timestampurl" "DemoGadget.gadget"
One useful detail about timestamping: with web server SSL certificates, an expired certificate produces warnings in the web browser. Code signing behaves differently. If you code-sign with a public certificate and timestamp as in the example above (most public certificate providers provide this URL), Windows will trust the file forever, even when the certificate has expired.
The resulting installation looks as follows: