The Windows application signing process involves embedding a digital signature in the .exe executable files that can be verified for code authenticity. Similarly, you can get this code signing certificate from a trusted certificate authority like Certera<\/a>, Sectigo<\/a>, Comodo<\/a> and DigiCert<\/a>.<\/p>\n\n\n\n In addition, the OS will also check whether the issuing authority mentioned in the certificate is the same one that has issued the certificate and if the certificate is still valid or not. If such checks pass through, your .exe executables will run without any warnings.<\/p>\n\n\n\n For instance, if you don\u2019t sign your executable, Windows will throw an unknown publisher error:<\/strong><\/p>\n\n\n\n But if you sign an EXE or application with a code signing certificate<\/strong>, Windows will display a verified publisher message as shown below:<\/p>\n\n\n\n Now, let\u2019s explore why signing a Windows EXE file is important:<\/p>\n\n\n\n Windows application signing helps prove to your users that your software is authentic and trustworthy. As seen above, the operating system will show that the code-signed software is from a verified publisher. This boosts trust and confidence in your users and reduces the software abandonment rate.<\/p>\n\n\n\n A genuine certificate from trusted code signing certificate providers<\/a> is also <\/span>necessary <\/span>for enhanced security. Here, the issuing authority guarantees that the software is free from malicious code or vulnerability.<\/p>\n\n\n\n This further increases users’ trust in your Windows application and improves the installation ratio.<\/p>\n\n\n\n Thus, application signing is necessary to state your EXE apps are safe for people to download, install, and use.<\/p>\n\n\n\n Once your application is ready for distribution, you must obtain a code signing certificate from a certificate authority.<\/p>\n\n\n\n Since there were specific steps that need to be followed for both the code signing certificates, now we have common steps applicable for both OV and EV code signing.<\/p>\n\n\n\n As of June 1, 2023<\/a>, there is a new requirement for OV (Organization Validated) Code Signing Certificates. The condition states that the private key associated with the OV Code Signing Certificate must be stored in a Hardware Security Module (HSM) compliant with FIPS 140 Level 2, Common Criteria EAL 4+, or an equivalent security standard. <\/mark><\/em><\/strong><\/p>\n\n\n\n To begin signing an EXE or application, specific requirements need to be met to ensure validity, just like when signing an official document in the presence of an authority.<\/p>\n\n\n\n While Mac applications require an Apple Developer ID certificate, this section focuses on the signing process for Windows EXE and applications. Similar to macOS, there are specific prerequisites that need to be fulfilled. <\/p>\n\n\n\n These prerequisites include:<\/strong><\/p>\n\n\n\n You will need a computer or device running the Windows operating system to sign.<\/p>\n\n\n\n Obtaining a valid code signing certificate<\/a> from a trusted certificate authority is essential.<\/p>\n\n\n\n Microsoft SignTool is a command-line tool tied to the Windows Software Development Kit (SDK). SignTool is used to digitally sign executable files, libraries, and other types of code. You must have SignTool installed on your Windows device to proceed with the signing process.<\/p>\n\n\n\n Recommended:<\/strong> How to Create & Verify a Windows Authenticode Signature Using SignTool?<\/a><\/p>\n\n\n\n If your specific requirements demand compliance with FIPS 140 Level 2 for enhanced cryptographic security, you should use a FIPS 140 Level 2 approved device such as SafeNet. SafeNet is a hardware security module (HSM) that provides the necessary security for cryptographic operations during code signing.<\/p>\n\n\n\n Recommended: <\/strong>What are SafeNet Luna Network HSM 7 and Thales Luna Network HSM 7?<\/a><\/p>\n\n\n\n Now, you can be equipped with the necessary prerequisites to initiate the signing of EXE or application files on the Windows platform.<\/a> You are ensuring a Windows device, a valid EV code signing certificate, Microsoft SignTool, and a SafeNet or FIPS 140 Level 2 approved device (if required).<\/p>\n\n\n\n Detailed instructions and specific steps may vary depending on your development environment. So, it is recommended to consult the documentation provided by your certificate authority and Microsoft for accurate guidance on utilizing your EV code signing certificate<\/a>. It also includes SignTool for Windows application signing.<\/p>\n\n\n\n Microsoft SignTool is a Windows Software Development Kit (SDK) command-line tool. It offers various functionalities for digital signing, timestamping, and verifying files, executables, scripts, and applications.<\/p>\n\n\n\n In terms of cryptographic device setup, it is recommended to use SafeNet or any other hardware security module (HSM) that is <\/b>compliant with the National Institute of Standards and Technology’s (NIST) Federal Information Processing Standards (FIPS)<\/strong> 140 Level 2.<\/p>\n\n\n\n These devices adhere to the U.S. government’s computer security standard for validating cryptographic modules.<\/p>\n\n\n\n While SafeNet is mentioned as an example, there are alternative options available, such as:<\/strong><\/p>\n\n\n\n Exploring these options and selecting the most suitable device for your organization’s needs is advisable.<\/p>\n\n\n\n It is crucial to emphasize that installing SafeNet or a compatible alternative is necessary to utilize Extended Validation (EV) certificates.<\/p>\n\n\n\n Furthermore, starting on June 1st, 2023<\/a>, Organization Validation (OV) certificates will also be required. These certificates demand the added security and protection that an HSM provides to store the private key securely.<\/p>\n\n\n\n NOTE: <\/strong>Take the time to research and evaluate the available options, ensuring you choose the device that aligns with your organization’s requirements. This will enable effective management and safeguarding of your code signing certificates.<\/p>\n\n\n\n To sign an EXE using your OV or EV Code Signing Certificate with Microsoft SignTool, follow these five steps:<\/p>\n\n\n\n Take the hardware security token provided by the Certification Authority (CA) that contains your code signing certificate and private key. Plug it into your Windows device for secure access<\/strong>.<\/p>\n\n\n If you have chosen a different FIPS Level 2-approved device instead of SafeNet, open it and ensure it is appropriately set up as recommended in the previous section.<\/p>\n\n\n\n PowerShell is a command-line interface similar to the classic Windows Command Prompt. Open PowerShell as an administrator by following these steps:<\/strong><\/p>\n\n\n\n NOTE:<\/strong> If Linux or macOS are your preferred operating systems, you may sign your Windows EXE and applications using programs like Jsign <\/strong>or Osslsigncode<\/strong>.<\/p>\n\n\n\n Signing your code is essential, but remember to timestamp it to avoid issues with expired certificates. <\/p>\n\n\n\n Extend the validity of your signature by timestamping your code using the script below:<\/em><\/strong><\/p>\n\n\n\n Also, replace “c:\\path_to_your_file\\software”<\/strong> with the actual file path of the EXE or application you want to sign.<\/p>\n\n\n\n At this point, SafeNet (or the authentication tool you’re using) will open a window and prompt you to enter the password for the hardware token. <\/p>\n\n\n\n If this is your first time using a SafeNet token, you may need to install the authentication client software and initialize the token by following the instructions.<\/p>\n\n\n\n You will receive the package from CA, including the USB Token and the Letter<\/strong><\/p>\n\n\n\n All you need to do is download and open the suitable installer for the machine you will be using while signing in the software or applications such as SafeNet Authentication Client.<\/p>\n\n\n\n Step 1:<\/mark> <\/strong>In SafeNet Authentication Client Setup, the Welcome to SafeNet Authentication Client Installation Wizard page<\/strong> will look like this. You have to click on \u2018Next<\/strong>.\u2019<\/p>\n\n\n\n Step 2:<\/mark> <\/strong>On the Interface Language page, you will find the drop-down list. From there, pick the language<\/strong> you want for the interface and click \u2018Next<\/strong>.\u2019<\/p>\n\n\n\n Step 3:<\/mark> <\/strong>Read the license agreement on the License Agreement page. After reading, select \u201cI accept the license agreement<\/strong>\u201d and then \u2018Next<\/strong>.\u2019<\/p>\n\n\n\n Step 4: <\/mark>Select the location<\/strong> you want to install the SafeNet Authentication Client Software from the Destination Folder page and then click \u2018Next<\/strong>.\u2019<\/p>\n\n\n\n Step 5:<\/mark> <\/strong>The Setup Type page will look something like this. On this page, select \u2018Typical<\/strong>\u2019 for the installation type and then click \u2018Next<\/strong>.\u2019<\/p>\n\n\n\n Step 6:<\/mark> \u2018The wizard is ready to begin installation<\/strong>\u2019 page will appear where you have to click Install<\/strong>. It might take several minutes to process the installation process. <\/p>\n\n\n\n Step 7:<\/mark> <\/strong>Click on \u2018Finish<\/strong>\u2018 on the SafeNet Authentication Client to exit <\/strong>SafeNet Authentication Client Setup. Voila! You have now successfully installed the SafeNet Client Software.<\/p>\n\n\n\n After the successful installation of the installed software, let us now move to set up your OV or EV Code Signing Certificate.<\/p>\n\n\n\n After successfully receiving the token from your Code Signing Certificate Provider, You can follow the steps to activate the token:<\/strong><\/p>\n\n\n\n Step 1:<\/mark><\/strong> For the activation of your Code Signing Cert, plug in your Code Signing USB Token<\/strong> and run the SafeNet Authentication Client Software.<\/p>\n\n\n\n Step 2: <\/mark><\/strong>In the SafeNet Authentication Client Tools window, click on \u2018Change Token Password.<\/strong>\u2018 While this step isn\u2019t mandatory, we recommend you \u2018Change Token Password.\u2019 It will open the interface to change the password for the token. Input a distinct password.<\/p>\n\n\n\n Step 3<\/strong>:<\/mark> You will see the New Token Password and Confirm Password<\/strong> boxes. You can create and confirm your new token password that meets the security needs of SafeNet with the help of the password in the email format you received from the Certificate Authority. Now, click OK<\/strong>.<\/p>\n\n\n\n Once you enter the password, congratulations! You have successfully signed your EXE or application.<\/mark><\/em><\/strong><\/p>\n\n\n\n NOTE: <\/strong>You may use steps three and four above to sign your EXE using an OV code signing certificate instead. Starting June 1st, 2023, OV certificates will also be subject to the complete EV signing procedure outlined above.<\/p>\n\n\n\n Ensuring that your signed EXE has been executed correctly and that your customers will have a seamless experience during installation is crucial. To achieve this, you can follow these steps to test your signed EXE and verify its signature:<\/p>\n\n\n\n If your organization uses Confluence or a similar platform, create a test page and restrict its access to authorized individuals. Upload your signed EXE or application to this hidden URL. This will allow you to simulate the installation process and ensure everything functions as expected.<\/p>\n\n\n\n You should download the signed code onto a test machine for comprehensive testing. It’s advisable to involve multiple colleagues to participate in the testing process. <\/p>\n\n\n\n Ask them to access the designated URL and download the code onto their machines. Testing on different machines provides a broader perspective and helps identify potential issues across various environments.<\/p>\n\n\n\n After downloading the signed code, you can verify its signature to confirm its authenticity. Follow these steps:<\/strong><\/p>\n\n\n\n By conducting these tests, you can be confident that your signed EXE or application is functioning correctly and that the signature is valid. It helps you deliver a secure and trusted product to your customers, minimizing potential installation issues and enhancing their overall experience.<\/p>\n\n\n\n Suppose everything goes according to the process we outlined above. In that case, you and the other testers of the executable should be able to see the code signing certificate details (including time stamping) like the examples ahead.<\/p>\n\n\n\n Protecting your private keys and implementing robust code signing practices are crucial to maintaining the security and integrity of your organization’s IT environment. Here are some essential steps to follow:<\/p>\n\n\n\n Take stock of all the keys within your organization’s IT infrastructure. This comprehensive inventory will clearly understand the number and types of keys used.<\/p>\n\n\n\n Utilize certified hardware security modules (HSMs) to store your keys securely. Some trusted options include Thales Luna<\/strong>, Microsoft Azure Key Vault<\/strong>, Egnyte<\/strong>, SafeNet<\/strong><\/mark>. These HSMs offer advanced security measures to safeguard your private keys from unauthorized access.<\/p>\n\n\n\n Defines roles and responsibilities for individuals involved in the code signing process. Create separate roles for those authorized to submit code for signing and those authorized to approve signing requests. Ensures no single individual can perform both roles independently. <\/p>\n\n\n\n Regularly monitor and track the use of private keys and code signing certificates to identify suspicious activities and issues.<\/p>\n\n\n\n Formalize and integrate the code signing process into your software development lifecycle (SDLC)<\/a>. Doing so ensures that codes are signed only after undergoing necessary checks, such as quality assurance (QA), virus scanning, and penetration testing.<\/p>\n\n\n\n Integrating code signing with DevOps promotes a culture where security is prioritized throughout the software development process (devsecops).<\/p>\n\n\n\n By following these best practices, you enhance the overall security posture of your organization, mitigating the risk of unauthorized access and potential attacks. <\/p>\n\n\n\n![\"Unknown](\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2022\/09\/unknown-publisher-message.png\")
<\/figure>\n\n\n\n![\"Windows](\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2022\/09\/windows-10-upgrader.png\")
<\/figure>\n\n\n\nWhy Sign Your Windows Applications?<\/h2>\n\n\n\n
How to Sign an Application?<\/h2>\n\n\n\n
Prerequisites to Sign an EXE or Application<\/h2>\n\n\n\n
Windows Device:<\/h3>\n\n\n\n
Purchase a Valid Code Signing Certificate:<\/h3>\n\n\n\n
Microsoft SignTool: <\/h3>\n\n\n\n
SafeNet or FIPS 140 Level 2 Approved Device: <\/h3>\n\n\n\n
Use of Microsoft SignTool<\/h2>\n\n\n\n
\n
\n
\n
SafeNet for Additional Security<\/h2>\n\n\n\n
\n
The Process to Sign an EXE Using SignTool and Code Signing Certificate<\/h2>\n\n\n\n
Step 1: Insert Your Hardware Token<\/h3>\n\n\n\n
![\"\"](\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2023\/05\/insert-usb-token.png\")
<\/figure>\n<\/div>\n\n\nStep 2: Open SafeNet (or other FIPS Level 2-approved device)<\/h3>\n\n\n\n
![\"SafeNet](\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2023\/05\/safenet-client-jpg.webp\")
<\/figure>\n\n\n\nStep 3: Open PowerShell<\/h3>\n\n\n\n
\n
![\"open](\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2023\/05\/launch-powershell-as-administrator.png\")
<\/figure>\n\n\n\n\n
![\"Powershell](\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2023\/05\/powershell-command.png\")
<\/figure>\n\n\n\nStep 4: Enter the Signing and Time Stamping Command<\/h3>\n\n\n\n
.\\signtool sign \/tr http:\/\/timestamp.digicert.com \/td SHA256 \/fd SHA256 \u201cc:\\path_to_your_file\\software.exe\u201d<\/code><\/pre>\n\n\n\nStep 5: Enter Your SafeNet Password<\/h3>\n\n\n\n
Installation of SafeNet Authentication Client<\/h3>\n\n\n\n
![\"Install](\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2023\/05\/install-safenet-client.png\")
<\/figure>\n\n\n\n![\"Safenet](\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2023\/05\/install-safenet-language-selection.png\")
<\/figure>\n\n\n\n![\"Language](\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2023\/05\/safenet-accept-licence.png\")
<\/figure>\n\n\n\n![\"SafeNet](\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2023\/05\/install-safenet-driver-path-selection.png\")
<\/figure>\n\n\n\n![\"Typical](\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2023\/05\/install-safenet-typical-selection.png\")
<\/figure>\n\n\n\n![\"SafeNet](\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2023\/05\/install-safenet-driver-installation-wizard.png\")
<\/figure>\n\n\n\n![\"SafeNet](\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2023\/05\/install-safenet-driver-complete.png\")
<\/figure>\n\n\n\nSetting up your Code Signing Certificate<\/h3>\n\n\n\n
![\"SafeNet](\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2023\/05\/safenet-token-password-jpg.webp\")
<\/figure>\n\n\n\n![\"Change](\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2023\/05\/activate-code-signing-cert-token.png\")
<\/figure>\n\n\n\nTesting Method for your Signed EXE<\/h2>\n\n\n\n
STEP 1: Upload the Signed EXE or Application to a Test URL<\/h3>\n\n\n\n
STEP 2: Download and Test the Signed EXE or Application<\/h3>\n\n\n\n
STEP 3: Verify the Signature by Right-Clicking on the Signed Code<\/h3>\n\n\n\n
\n
![\"View](\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2022\/09\/view-digital-certificate-jpg.webp\")
<\/figure>\n<\/div>\n\n\n\n![\"Digital](\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2022\/09\/digital-certificate-code-sign-jpg.webp\")
<\/figure>\n<\/div>\n<\/div>\n\n\n\nSafeguarding Private Keys and Integrating Code Signing Practices<\/h2>\n\n\n\n
Conduct an inventory of your keys: <\/h3>\n\n\n\n
Store keys securely: <\/h3>\n\n\n\n
Role-based Access Control: <\/h3>\n\n\n\n
Integrate Code Signing with DevOps: <\/h3>\n\n\n\n