How to Sign Executable Files Using EV Code Signing Certificate

1 Star2 Stars3 Stars4 Stars5 Stars (5 votes, average: 4.20 out of 5)
Sign Executable Files

According to the latest industry regulations and policies, digitally signing executable files is mandatory for developers and organizations. It helps enterprises and users to provide and utilize authentic software, respectively.

In addition, the majority of organizations prefer to utilize EV Code Signing Certificates for such purposes to prevent Warning messages during installation.

Moreover, using an EV Code Signing Certificate to sign executable files is an intense task. Therefore, you can use the following methods to complete the operation impeccably.

Let’s move further to get an answer for “How to sign an executable file.”

Understanding Executable Files

Executable Files are computer programs an end-user runs on the system for a particular operation. And that different processes can be installing software, updating a driver, or executing a script written in programming and scripting language.

You must have seen files with different extensions on a computer system. Among them, files with .EXE, .BIN, .BAT, .DMG, .APP and .COM are the executable files.

The operating system checks its Code Signing Certificate whenever any executable gets opened. If the executable file successfully undergoes the Validation, it gets executed. Otherwise, an Unknown Publisher Warning gets displayed on the screen.

Therefore, whenever any developer or organization creates an application, they digitally sign their code using a Code Signing Certificate. Moreover, an EV Code Signing Certificate gets used to optimize the code authenticity due to its enormous security features.

Mechanisms to Digitally Signing Exe Files: Answer to How to Sign an EXE file

To ensure an impeccable experience for all your users, you must integrate an EV Code Signing Certificate with your code. Moreover, it will also help to prevent Defender SmartScreen Warnings.

However, before signing the code, you must check the following requirements:

  • You have completed the Validation Procedure
  • You have your Microsoft Authenticode Code Signing Certificate
  • You are using a minimum of Windows Operating System version 7
  • You have the Code Signing Certificate available on your system in the PFX file format

Once you verify all the details, you can follow the below methods to enhance user satisfaction and trust:

Method 1: Signing using Command Prompt

Under this method, you must run instructions on the command prompt, and your executable file will get signed.

Step 1: Click on the Windows icon, and search for Command Prompt.

Step 2: Run Command Prompt on the machine containing the Code Signing Certificate file.

Step 3: You must run the command according to your requirement. You must run the following command if your PFX file has a password.

SignTool sign /f YourCertFile.pfx /p
AddYourPasswordHere YourSoftware.exe

It will digitally sign your code. You have to change the values in the command as per your project. For instance, you must write your executable file name instead of YourSoftware.exe. Likewise, you have to write your custom password instead of AddYourPasswordHere.

Further, if your PFX file is not password protected, you must run the below-provided command.

SignTool sign /f YourCertFile.pfx /p

Step 4: After running the command, your executable file will get an additional security layer of the Code Signing Certificate.

Method 2: Signing along with Time Stamping

Time Stamping aids the user in knowing when the software got digitally signed by the publisher. It improves the code authenticity and reduces the probability of Defender SmartScreen warning messages.

You must open the Command Prompt and run the following command to execute it.

SignTool Sign /f YourCertFile.pfx /t YourSoftware.exe

The primary advantage of timestamping is to strengthen code security. Through it, users will get to know whether the code gets tampered with or not. Additionally, the publisher doesn’t have to re-sign the code, as the timestamp will make it valid for a more extended period.

Method 3: Utilizing a Secure Token

In this method, you must install a secure token, its driver, and associated hardware on your machine. In addition, you will also need to save the EV Code Signing Certificate on FIPS 140-2 Level 2 Token and install it.

Further, you have to select whether you want to sign executable files through automatic or manual procedures.

In the Automatic Procedure, you have to perform the following steps.

Step 1: Go to the startup menu and run the Command Prompt.

Step 2: If you want to sign code using SHA 256-Bit encryption, run the below command, defining the path to the file you want to sign.

signtool sign /tr /td sha256 /fd sha256 /a
"c: \path\to\file_for_signing.exe"

Step 3: To utilize the SHA1 Code Signing Certificate, you must run the command.

signtool sign /t /a "c: \path\to\file_for_signing.exe"

Further, if you need to utilize the Manual Method, you can follow the below-listed steps.

Step 1: Copy the Name of your Code Signing Certificate by opening the Certificate Manager. Go to the Startup menu, search for certmgr and run it.

Step 2: Under the Personal Folder on Left Panel, Open the Certificates, and you will find all Certificates on the local machine.

Step 3: For Signing the Code with 256-Bit SHA Encryption, you must use the following command.

signtool sign /tr /td sha256 /fd sha256 /n "subject name"  

Moreover, you have to define the subject name and path of the file to secure it on your own.

Step 4: To use the SHA1 Encryption Certificate, you can run the below command.

signtool sign /t /n "subject name" "C:\path\to\fileForSign.exe"

Why you should Sign Executable Files?

Signing Executable Files provides immense advantages, such as:

  • It makes the code authentic and improves its integrity.
  • Prevents the users from Unknown Publisher Warning or Defender SmartScreen messages.
  • Enhances the user’s trust in the organization.
  • Makes the code Tamper Proof and prevents hackers and crackers from performing malicious activities.
  • Enhances company revenue, as more users prefer to utilize reliable software.
  • Enable stakeholders to run the software and integrate it with other systems effortlessly.

Concluding Up: What, How, and Why to Sign Exe Files

With the rapid release of multiple executable files, it is mandatory to sign them digitally. It helps to prevent code tampering and optimize the organization’s reputation and revenue. An EV Code Signing Certificate is a high-level Certificate getting considered by experts to provide an effortless experience to end-users.

Furthermore, signing an executable file with an EV Code Signing Certificate is a high-priority task, requiring complete focus. Although, there is various method to follow for completing it accurately. You can use an external hardware token or run quick commands using the Command Prompt on the Windows system.

As a result, you will be able to provide a secure executable file to your stakeholders.

Digitally Sign your Software or Application using EV Code Signing Certificate at the lowest price. EV Code Signing Certificates starts from just $149.99/year at SignMyCode.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.