Signing Windows Programs with SignTool

Option to Reissue for a Driver Signing Certificate

If you have just purchased a Microsoft Authenticode code-signing certificate and would like to also sign Windows drivers with your certificate, there's some good news and bad news for you. First the bad news: your current Authenticode Application Signing Certificate won't work for that. Now the good news: you can reissue your Authenticode code-signing certificate to get a Driver Signing Certificate by doing the following:

  1. Login to your account, click the '+' to expand your certificate options and choose 'Re-Key your Certificate', and choose Microsoft Kernel-Mode Code for the platform.

  2. Follow the instructions on this page for Release Driver Signing for Microsoft Windows for steps on using the new certificate.

Prepare to Sign Code by Installing the Windows SDK

In order to use SignTool.exe to sign your application, you will need to either install Microsoft Visual Studio 2005 or later or the Microsoft Windows SDK onto the machine where you will be signing code.

If you have the Windows SDK 6.0 or lower on Windows Vista, you can use the SignTool Digital Signature Wizard GUI interface. All new versions of the Windows SDK (7 and higher) require you to use the command line instructions below.

Internet Explorer or Chrome on Windows

If you installed your code signing certificate in Internet Explorer or Chrome on a Windows machine, the certificate will be accessible in the Windows certificate store.

If you only have one code signing certificate on your machine, just enter the following command in a Windows command prompt (if you have multiple code signing certificates in your store, this will sign your application with "the best" one, which may not be the correct one. You can use the next signtool command to sign your program with a specific certificate or use some of the other options in the SignTool documentation):

signtool sign /t /a "c:\path\to\file.exe"

If the process was successful, you will see the following indicating that the program has been signed and timestamped:

Microsoft SignTool Best Certificate

Firefox or another browser

If you installed your code signing certificate in Firefox or another browser (or another operating system like Mac OS X), you'll first need to export the certificate as a .pfx file. Once you have the code signing certificate saved as a .pfx on your machine, just enter the following command:

signtool sign /t /f "c:\path\to\mycert.pfx" /p pfxpassword "c:\path\to\file.exe"

If successful, you will see the following:

Microsoft SignTool PFX File

How to verify the digital signature

You can verify that your application is now signed by right clicking on it and clicking Properties. On the Digital Signatures tab (if it exists), you can view the signing certificate and timestamp.

For more information on the different signtool.exe options, see Microsoft's SignTool Documentation.

Get code signing certificates for just $178/year

Buy Now