How to sign applications on Windows (SDK)

Let's take a look at signing an application on Windows using the Windows SDK (signtool) and the Code Signing certificate. The manual assumes a prepared Code Signing certificate on token and an installed Windows SDK development environment on the Windows operating system. Download the SDK for the appropriate version of your Windows from the Microsoft website, such as the Windows Software Development Kit (SDK) for Windows 10.

Using Signtool

Signtool.exe is a program that signs applications using a Code Signing certificate. After installing the Windows SDK, use it via the command line. To sign applications, you need to know the basic parameters so that you can properly call the application signing with the correct certificate and settings.

Signing actually takes place via the command line and the certificate simply needs to be stored in a file on the given computer (it is not installed anywhere).

Image: Example of signing with signtool.exe

The basic parameters (commands) for the signature are the following:

Image: signtool commands and parameters

Of the commands, use Sign to sign a file and Verify to verify its signature. Timestamp is a separate command that adds a timestamp to an already signed file, but you can also add the timestamp at signing time.

Useful parameters:

  • /f SignCertFile – If you use a PFX file for signing, this parameter points to its location. It is no longer possible to get a Code Signing certificate in PFX.
  • /fd alg – Specifies the file digest (hash) algorithm used for the signature. The default is SHA-1, which will not be trusted, so use at least SHA256, i.e. /fd SHA256.
  • /s StoreName – If you are using a certificate store, specifies which one to use. The default is My.
  • /t URL – Timestamps the signature using the timestamp server at the given URL. Timestamp server URLs can be found below.
  • /td alg – Specifies the digest (hash) algorithm used for the timestamp. Use at least sha256.

You can find the complete documentation on the Microsoft website or by entering the command "signtool sign /?".

For example, the entire file signing command might look like this:

SignTool sign /n "My Company Certificate" /td sha256 /fd sha256 /t http://timestamp.digicert.com C:\test.exe

Always use a timestamp. It keeps the signed application trusted even after the certificate used for the signature has expired. This matters because without it you would have to re-sign older applications once the Code Signing certificate expires (typically after two years) to keep them from becoming untrusted. If the signature carries a timestamp and the certificate was valid at the time of signing, the signature remains valid in the future.

There are more servers providing timestamps; we recommend using DigiCert's timestamp server: http://timestamp.digicert.com/

This server has no website on port 80, so there is no point visiting it in a browser (you will not see anything).

Certificate storage

The certificate can be stored in several places (in multiple repositories) and you can "call" it in several ways. It used to be possible to save the certificate as a PFX file, but this is no longer possible. Anyone can steal your PFX file and even though PFX is password protected, it is a big security risk (passwords are often very weak). PFX is particularly suitable for S/MIME certificate backups or for the web.

A common way to store a Code Signing certificate is to keep it on a token and then call it by the subject name in the certificate. This method is secure and, in practice, works the same as the earlier signing with PFX. Without the private key, which cannot be exported from the token, the certificate is useless and its misuse is therefore not possible; if the password is entered incorrectly five times, the token will be blocked.

A signature using the repository then requires the /n SubjectName parameter:

signtool sign /n "My Company Certificate" /td sha256 /fd sha256 /t http://timestamp.digicert.com C:\test.exe

Or you can choose the default store My and the signing software will find the certificate automatically:

signtool sign /s My /td sha256 /fd sha256 /t http://timestamp.digicert.com C:\test.exe

Signature verification

You can now sign your application and you have provided it with the first trusted signature. Now you are probably wondering how to check your signature.
One way to check is by using signtool:

signtool verify C:\test.exe
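
The whole workflow from the store-based signing commands above through verification, as an added PowerShell example that is not part of the original article. It assumes signtool.exe is on PATH, and the subject name and file path are placeholders to replace; it uses /tr (RFC 3161 timestamp), which is the option /td is documented to go with, and adds a verification step that checks the timestamp is actually present.

```powershell
# Added example (not from the original article): sign a file with a certificate
# from the My store selected by subject name, then verify the result twice.
# Assumptions: signtool.exe is on PATH; $SubjectName and $Path are placeholders.
param(
    [string]$SignTool    = "signtool.exe",
    [string]$SubjectName = "My Company Certificate",   # placeholder subject
    [string]$Path        = "C:\test.exe"               # placeholder file
)

$ErrorActionPreference = "Stop"

# Sign: SHA-256 file digest (/fd), certificate found by subject (/n),
# RFC 3161 timestamp from DigiCert (/tr) with a SHA-256 digest (/td).
& $SignTool sign /n $SubjectName /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v $Path
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify with the default Authenticode policy (/pa). Without /pa, signtool
# verify applies the Windows driver-signing policy, which a signature made
# with a regular Code Signing certificate typically does not satisfy.
& $SignTool verify /pa /v $Path
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Independent check from PowerShell: the status must be Valid and a timestamp
# countersignature must exist, otherwise the signature dies with the certificate.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne "Valid") {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    throw "Signature has no timestamp; re-sign with /tr"
}

# Summary of what was signed and who timestamped it
[pscustomobject]@{
    File        = $Path
    Signer      = $sig.SignerCertificate.Subject
    SignerExp   = $sig.SignerCertificate.NotAfter
    TimeStamper = $sig.TimeStamperCertificate.Subject
    Status      = $sig.Status
}
```

Run it as .\sign-and-verify.ps1 -SubjectName "<your subject>" -Path "<your file>"; the script stops at the first failing step so a missing timestamp or untrusted chain is not silently accepted.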

It is easier to check by viewing the properties of the file in Windows Explorer. From there you can drill down from the signature to the details of the certificate used.

Image: Detail of an application signature in Windows Explorer