





Code Signing Certificate has become a prominent security solution for every software publisher and developer. And after purchasing it, there are still a lot of queries that arise before tamper-proofing the source code.
And then a big question also comes, How to sign executable files using Code Signing Certificate? The simple yet most accurate answer to it is Microsoft SignTool. Whether you have an IV, Standard, or EV Code Signing Certificate, you can use SignTool to unleash the potential of any digital certificate.
A lot of developers need help using SignTool. But, with this step-by-step guide, you will learn digital signing and timestamping of an executable file in just a few steps. Let’s get started.
SignTool is a program available for the Microsoft Windows operating system. It’s a tool you can access through a command-line interface for signing and timestamping applications, software packages, and other executable files.
It is, by default, available in the Windows Software Development Kit. And you can effortlessly find it in the Bin folder inside the Windows SDK folder, stored in C:\ drive. However, if you are utilizing Visual Studio for code development. Then, you can access SignTool from within the app, as it comes in the Visual Studio installation package.
Signing an executable file is a smooth five-step procedure. You can complete it within minutes by following the below instructions.
To utilize the SignTool, you must open the Command Prompt in Administrator mode. You must open the startup menu and search for Command Prompt or cmd. Further, you have to:
Once the system runs, you will get a dialog box to provide permission. After selecting the appropriate response, Command Prompt with administrator controls will get opened.
Sometimes, you have to log in using default system credentials to access the administrator controls. And once the system verifies it, a new window will get displayed as below.
To complete step 3, you must know the exact location of SignTool in your system. Primarily, it is available in the C drive by default. If you have saved it in a different file, you must use the path to that particular location in the command.
You have to run the following command:
cd C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86
The ‘cd’ command gets used to change the current directory. It will help you to access and utilize files present inside the SignTool directory.
After writing the above command and hitting enter, you will see a command prompt similar to the one below. Now you are in the SignTool directory, enabling access and utilizing its resources.
To sign the file, you must run the following command per your requirements.
Signtool sign /f MyCodeCert.pfx /t http://timestamp.comodoca.com MyFile.exe
For timestamping purposes, you must write down the address to a timestamping server of your Certificate Authority. The above command illustrates the address to Comodo Timestamping Server. You can replace it with your CA’s address, and your software will get a timestamp and a digital sign.
Above all, commands are specific to Individual Code Signing Certificate and Organization Validation Code Signing Certificate.
Signtool sign /n "MyEVCertificate" MyFile.exe
To execute the command, you must first install the EV Code Signing Certificate and plug in the hardware token. The system will display an error if you cannot fulfill any of the requirements.
Recommended: Sign Executable Files Using EV Code Signing Certificate
In addition, you will see a confirmation message when your file gets digitally signed.
Signtool sign /fd SHA256 /a /f signingCert.pfx /p password file path.appx
To secure an app package using a code signing certificate, you have to define the hashing algorithm, path to the file, and password in the command.
Signtool sign /fd hashAlgorithm /a /f signingCert.pfx /p password /tr timestampServerUrl filepath.appx
You have to replace the hashAlgorithm with the SHA256 or any other algorithm you want to use. Also, you have to replace timestampServerUrl with the address of the timestamp server of the CA.
After running the appropriate command to sign the software, it is crucial to validate it. And for it, you have to run the below command:
signtool verify /pa /v “c:\filepath\example_software.exe”
You have to define the path to the signed executable file to execute the command. And, if it gets signed, you will get an output.
Furthermore, let’s understand the different commands getting used for signing purposes:
Command Option/Extension | Description |
/f | The /f command option is getting used to define the file, storing the Code Signing Certificate. Its primary purpose is to aim toward the file with the .pfx extension. Such files are also known as files in the Personal Information Exchange Format. |
/t | The main purpose of using the /t command option is to define the URL to the timestamp server of the CA. You have to write /t and then the server’s web address. It will help the system to fetch the required details and perform timestamping on the executable file. |
/n | The /n option gets used to tell the system the name of the Code Signing Certificate file. You first write the /n and then the subject of the file containing the digital certificate. |
/p | /p command option stands for password. When you utilize a .pfx file protected with a password, it is essential to use /p to write the password in the command. It enables the system to access the certificate and perform further functionalities to sign and timestamp the software. |
/a | The function of /a command option is to analyze the currently available valid certificates and select the most appropriate one to digitally sign the specified executable file. It entirely depends upon whether the publishers want to utilize it or not. |
/fd | Using /fd command option is necessary when defining a particular hash algorithm. It is mandatory to use in such cases for digitally signing the software and to maintain the integrity of the source code. |
/pa | The /pa option is to set the Authenticode Verification Policy for validating the sign of the executable file. Furthermore, if you don’t utilize /pa in the command, the system uses the Driver Verification mechanism, which is inappropriate in such cases. |
/v | The /v is for verifying the command status. It tells the user whether the command gets executed successfully or not by showcasing a warning message in case of failure. |
.pfx | The .pfx extension is for Code Signing Certificate files in PKCS#12 format. All these files contain the information of public and private keys associated with that particular certificate. |
.exe | The files with .exe extension contain a code or script that the system can run. Such files’ data get encrypted with the help of Code Signing Certificates. |
.appx | The .appx extension represents a complete application package containing every essential file required to install and run an app on the end-user’s device. Such files are ready for deployment and installation across compatible systems. |
Sign | The sign command initiates the digital signing of an executable file and application package. It leads the Code Signing Certificate to hash and encrypts the source code to protect it from unauthorized modification and breach. |
Numerous software developers need clarification about whether their Code Signing Certificate will be compatible with SignTool or not. And the most accurate answer for such a query is YES; you can use any Code Signing Certificate with SignTool.
Whether you have Sectigo Code Signing Certificate, Certera Code Signing Certificate, or Comodo Code Signing Certificate or DigiCert Code Signing all get configured appropriately.
You only have to define the subject name of the certificate file, password (if any), and executable file in the command to digitally sign. Besides, if you want to timestamp your software, defining the URL to CA’s timestamp server is an additional requirement.
Hence, you can use any Code Signing Certificate with Microsoft SignTool.
When you timestamp and sign an executable file, you get the following leverages:
Microsoft SignTool is the primary solution used by software publishers to sign their software, application package, and executable files.
It comes in handy with Windows SDK and Visual Studio. You only have to install the Code Signing Certificate and hardware token for signing. Then, you have to open the Command Prompt and run the command as mentioned above according to your requirements.
Furthermore, you can also verify whether your executable file gets signed or not. If you are a software developer, you must know about SignTool and its fundamental commands. It will help you solidify code security, optimize brand reputation and enhance user trust.