Signing Windows Programs with SignTool

Prepare Your Standard Code Signing Certificate

If you purchased a Microsoft Authenticode code signing certificate and also want to use it to sign Windows drivers, there's some good news and bad news for you. First, the bad news: your current code signing certificate won't work for that. Now, the good news: you can reissue your Authenticode code signing certificate as a Driver Signing code signing certificate.

Reissue Your Code Signing Certificate

  1. In your CertCentral account, in the left main menu, click Certificate > Orders.

  2. On the Manage Your Code Signing – Order # page, under Reissue Actions, click the Re-Key Your Certificate link.

  3. On the Orders page, click the order number link for the Code Signing certificate you want to reissue.

  4. On the Order details page, in the Certificate Actions dropdown, select Reissue Certificate.

  5. Add Your CSR

    Upload or paste your CSR in the Add Your CSR box.

    The Sun Java Platform is the only platform that requires you to submit a CSR with your request; for all other platforms, submitting a CSR is optional.

  6. Signature Hash

    In the dropdown, select a signature hash for the certificate: SHA-256 or SHA-1.

  7. Server Platform

    Select Microsoft Kernel-Mode Code.

  8. Reason for Reissue

    Specify the reason for the certificate reissue.

  9. Click Request Reissue.

  10. If an approval for CS certificate reissue is required, the CS verified contact for the organization is sent an email informing them that they need to approve the certificate reissue request. Once we receive their approval, we'll reissue your Code Signing certificate.

  11. We will send a copy of the reissued CS certificate via email.

    The subject line of the email is Reissue Your DigiCert Code Signing Certificate (Order #). The email contains a link that lets you reissue and install your Code Signing Certificate.

    You can also download a copy of the reissued certificate from your CertCentral account on the CS certificate's Order details page.

Install Your Kernel-Mode Code Signing Certificate

After you purchase a standard code signing certificate, DigiCert validates your information and sends you an email that contains a link to install your kernel-mode certificate.

  1. On the computer you want to install the certificate to, open the installation link from your DigiCert email (subject line: Reissue Your DigiCert Code Signing Certificate (Order #)) in Internet Explorer or Safari*.

    When you open the link, the certificate is installed to the current user's personal certificate store for Windows and can be used by the WDK tools for signing drivers.

    Browser Note*: Currently, only Microsoft Internet Explorer and Apple Safari support CSR generation needed for code signing certificate installation. If company policy requires the use of Firefox, you can use Firefox ESR or a portable copy of Firefox. For more information, see our knowledge base article Keygen support to be dropped with Firefox 69.

  2. Next, download the DigiCert Code Signing Cross-Certificate.

Download the Code Signing Cross-Certificate

Before you can use Signtool to sign applications, you need to download the DigiCert Code Signing Cross-Certificate on the computer where you installed your Code Signing Certificate. You will need to specify this certificate in Signtool.

Click here to download the DigiCert Code Signing Cross-Certificate.

Prepare to Sign Code by Installing the Windows SDK

To use SignTool.exe to sign your application, you need to either install Microsoft Visual Studio 2005 (or later) or, on the machine where you will be signing code, download and install one of the following versions of the Microsoft Windows SDK:

If you have the Windows SDK 6.0 or lower on Windows Vista, you can use the SignTool Digital Signature Wizard GUI interface. All new versions of the Windows SDK (7 and newer) require you to use the command line instructions below.

Internet Explorer for Windows

When you use Internet Explorer on a Windows machine to install your code signing certificate, the certificate will be accessible in the Windows Certificate Store.

If you have multiple Code Signing Certificates in your Windows Certificate Store, the commands in these instructions (which use the /a switch) let signtool pick "the best" certificate, which may not be the one you intended. To sign with a specific certificate, use the /sha1 thumbprint commands under Additional Information below, or one of the other selection options in the SignTool documentation.

If you only have one Code Signing Certificate on your machine, use one of the following options:

Option 1: How to Sign Code with a SHA256 Certificate/Digest Algorithm/Timestamp

When signing with SHA-2, make sure you are using SignTool version 6.3 or later to avoid errors.

  1. In the Windows command prompt, enter the command below.

    signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a "c:\path\to\file.exe"

  2. If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:

    c:\Code>signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a Setup.exe
    Done Adding Additional Store
    Successfully signed and timestamped: Setup.exe

Option 2: How to Sign Code with a SHA1 Certificate/Digest Algorithm/Timestamp

  1. In the Windows command prompt, enter the command below.

    signtool sign /t http://timestamp.digicert.com /a "c:\path\to\file.exe"

  2. If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:

    c:\Code>signtool sign /t http://timestamp.digicert.com /a Setup.exe
    Done Adding Additional Store
    Successfully signed and timestamped: Setup.exe

Firefox (or Another Browser) or Operating System

If you installed your Code Signing Certificate in Firefox (or another browser) or another operating system such as Mac OS X, do the following:

  1. Export the certificate as a PKCS#12 (.pfx or .p12) file.

  2. Once you have the code signing certificate saved as a PKCS#12 file on your machine, use one of the following options from a Windows operating system:

    1. Option 1: How to Sign Code with a SHA256 Certificate/Digest Algorithm/Timestamp

      When signing with SHA-2, make sure you are using SignTool version 6.3 or later to avoid errors.

      1. Enter the following command:

        signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f "c:\path\to\mycert.pfx" /p pfxpassword "c:\path\to\file.exe"

      2. If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:

        c:\Code>signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f mycert.pfx /p test Setup.exe
        Done Adding Additional Store
        Successfully signed and timestamped: Setup.exe

    2. Option 2: How to Sign Code with a SHA1 Certificate/Digest Algorithm/Timestamp

      1. Enter the following command:

        signtool sign /t http://timestamp.digicert.com /f "c:\path\to\mycert.pfx" /p pfxpassword "c:\path\to\file.exe"

      2. If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:

        c:\Code>signtool sign /t http://timestamp.digicert.com /f mycert.pfx /p test Setup.exe
        Done Adding Additional Store
        Successfully signed and timestamped: Setup.exe

Verify the digital signature

You can verify that your application is now signed by right-clicking it and clicking Properties. On the Digital Signatures tab (present only if the file carries a signature), you can view the signing certificate and the timestamp.

Additional Information

Using the hash value (thumbprint) of a Code Signing Certificate is another way to tell signtool which Code Signing Certificate to use.

If you have multiple certificates installed in your Personal certificate store, it is better to use the /sha1 option to specify the thumbprint of the Code Signing Certificate instead of /a (let signtool choose) or /f "c:\path\to\mycert.pfx" /p pfxpassword (sign from a PKCS#12 file) in the signing command.

The value passed to /sha1 is the thumbprint of your Code Signing Certificate. You must remove all spaces from the thumbprint value; if you leave them in, the command fails. You can also use the DigiCert Utility to easily get the thumbprint.

  1. Option 1: How to Sign Code with a SHA256 Certificate/Digest Algorithm/Timestamp:

    Enter the following command:

    signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /sha1 [thumbprint] file.exe

  2. Option 2: How to Sign Code with a SHA1 Certificate/Digest Algorithm/Timestamp:

    Enter the following command:

    signtool sign /t http://timestamp.digicert.com /sha1 [thumbprint] file.exe
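As an added example that is not part of the original article, the following PowerShell script wraps the Option 1 command above: it strips the spaces from a thumbprint, confirms that the certificate exists in the current user's Personal store with a private key, signs the file, and then verifies the signature with signtool and with Get-AuthenticodeSignature. It assumes signtool.exe is on the PATH; the thumbprint value is a placeholder to be replaced with your own.

```powershell
# Added example, not from the DigiCert article or the SignTool documentation.
# Assumes signtool.exe is on PATH and the certificate lives in Cert:\CurrentUser\My.
param(
    [Parameter(Mandatory)][string]$FileToSign,
    [string]$Thumbprint = "<THUMBPRINT-PLACEHOLDER>"   # placeholder; paste your certificate's thumbprint
)

# The certificate viewer shows the thumbprint with a space between byte pairs;
# signtool's /sha1 switch needs the bare hex string, so strip whitespace first.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()

# Resolve the thumbprint to a code-signing certificate before invoking signtool,
# so a typo or a missing private key is reported plainly instead of as an opaque error.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "No code signing certificate with thumbprint $Thumbprint in CurrentUser\My"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key; signing cannot proceed"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $Thumbprint expired on $($cert.NotAfter); reissue it before signing"
}

# Option 1 from the article: SHA-256 file digest, SHA-256 timestamp digest,
# certificate selected by thumbprint rather than by /a.
& signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /sha1 $Thumbprint $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy (/pa) and print the chain and timestamp (/v).
& signtool.exe verify /pa /v $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Cross-check with PowerShell's own view of the Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $FileToSign
"{0}: status={1}; signer={2}; timestamp signer={3}" -f $FileToSign, $sig.Status,
    $sig.SignerCertificate.Subject, $sig.TimeStamperCertificate.Subject
```

A Status of Valid together with a non-empty timestamp signer confirms both that the file was signed and that the timestamp the article's commands request was actually applied.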

For more information on the different signtool.exe options, see Microsoft's SignTool Documentation.

If you need to dual sign your files, see Dual Signing with SHA256 and SHA1 Standard Code Signing Certificates or Dual Signing with SHA256 and SHA1 EV Code Signing Certificates.
