Microsoft SignTool: Signing Executable Files Through a Seamless Approach

Sign Executable Files using Microsoft SignTool

Code Signing Certificate has become a prominent security solution for every software publisher and developer. And after purchasing it, there are still a lot of queries that arise before tamper-proofing the source code.

And then a big question also comes, How to sign executable files using Code Signing Certificate? The simple yet most accurate answer to it is Microsoft SignTool. Whether you have an IV, Standard, or EV Code Signing Certificate, you can use SignTool to unleash the potential of any digital certificate.

A lot of developers need help using SignTool. But, with this step-by-step guide, you will learn digital signing and timestamping of an executable file in just a few steps. Let’s get started.

What is Microsoft SignTool and its Usage

SignTool is a program available for the Microsoft Windows operating system. It’s a tool you can access through a command-line interface for signing and timestamping applications, software packages, and other executable files.

It is, by default, available in the Windows Software Development Kit. And you can effortlessly find it in the Bin folder inside the Windows SDK folder, stored in C:\ drive. However, if you are utilizing Visual Studio for code development. Then, you can access SignTool from within the app, as it comes in the Visual Studio installation package.

Steps to follow to Digitally Sign an Executable File with SignTool

Signing an executable file is a smooth five-step procedure. You can complete it within minutes by following the below instructions.

Step 1: Accessing the Command Prompt to run SignTool Commands

To utilize the SignTool, you must open the Command Prompt in Administrator mode. You must open the startup menu and search for Command Prompt or cmd. Further, you have to:

  • Right-click on the Command Prompt icon.
  • Select “Run as Administrator
command prompt run as administrator

Once the system runs, you will get a dialog box to provide permission. After selecting the appropriate response, Command Prompt with administrator controls will get opened.

Step 2: Logging In as Administrator

Sometimes, you have to log in using default system credentials to access the administrator controls. And once the system verifies it, a new window will get displayed as below.

c windows system32

Step 3: Navigate to the SignTool directory.

To complete step 3, you must know the exact location of SignTool in your system. Primarily, it is available in the C drive by default. If you have saved it in a different file, you must use the path to that particular location in the command.

You have to run the following command:

cd C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86

The ‘cd’ command gets used to change the current directory. It will help you access and utilize files inside the SignTool directory.  

navigate to signtool directory

After writing the above command and hitting enter, you will see a command prompt similar to the one below. Now you are in the SignTool directory, enabling access and utilizing its resources.

you in into signtool directory

Step 4: Signing the Executable File using IV, OV, and EV Code Signing Certificates

You must run the following command to sign the file per your requirements.

To Timestamp and Digitally Sign an executable file simultaneously:

.\signtool sign /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 “c:\path_to_your_file\software.exe”

For timestamping purposes, you must write down the address to a timestamping server of your Certificate Authority. The above command illustrates the address to DigiCert Timestamping Server. You can replace it with your CA’s address, and your software will get a timestamp and a digital sign.

Recommended: Sign Executable Files Using EV Code Signing Certificate

In addition, you will see a confirmation message when your file gets digitally signed.

To Sign a complete Application Package:

signtool sign /tr http://CAtimestamp.server.com /td SHA256 /fd SHA256 /a "C:preserve the environment by providing coverage \filepath\Mydriver.dll.

To secure an app package using a code signing certificate, you have to define the hashing algorithm, path to the file, and password in the command.

Step 5: Verifying the Signature

After running the appropriate command to sign the software, it is crucial to validate it. And for it, you have to run the below command:

signtool verify /v /pa "C:\filepath_to_your_exe_file\software.exe"

To execute the command, you have to define the path to the signed executable file. And, if it gets signed, you will get an output.

Wrapping Up

Microsoft SignTool is the primary solution software publishers use to sign their software, application package, and executable files.

It comes in handy with Windows SDK and Visual Studio. You only have to install the Code Signing Certificate and hardware token to sign. Then, you have to open the Command Prompt and run the command as mentioned above according to your requirements.

Furthermore, you can also verify whether your executable file gets signed or not. If you are a software developer, you must know about SignTool and its fundamental commands. It will help you solidify code security, optimize brand reputation, and enhance user trust.

Code Signing Tutorials

Cheap Code Signing Certificates

Prevent Code Tampering and Authenticate Code Integrity by Digitally Sign your Code with Trusted Code Signing Certificates.

Starting at Just $215.99/Year
Janki Mehta

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.