Signing Windows Programs with SignTool

Option to Reissue for a Driver Signing Certificate

If you have just purchased a Microsoft Authenticode code-signing certificate and would like to also sign Windows drivers with your certificate, there's some good news and bad news for you. First the bad news: your current Authenticode Application Signing Certificate won't work for that. Now the good news: you can reissue your Authenticode code-signing certificate to get a Driver Signing Certificate by doing the following:

  1. Log into your account, click the + symbol to expand your certificate options, select Re-Key your Certificate, and choose Microsoft Kernel-Mode Code as the platform.

  2. Follow the instructions on the Installing a Kernel-Mode Code Signing Certificate page for information about Using Kernel-Mode Code Signing Certificates.

Prepare to Sign Code by Installing the Windows SDK

In order to use SignTool.exe to sign your application, you need to install either Microsoft Visual Studio 2005 (or later) or, on the machine where you will be signing code, one of the following versions of the Microsoft Windows SDK:

If you have the Windows SDK 6.0 or lower on Windows Vista, you can use the SignTool Digital Signature Wizard GUI interface. All new versions of the Windows SDK (7 and newer) require you to use the command line instructions below.

Internet Explorer or Chrome for Windows

If you installed your code signing certificate in Internet Explorer or Chrome on a Windows machine, the certificate will be accessible in the Windows Certificate Store.

If you have multiple Code Signing Certificates in your Windows Certificate Store, the commands in this instruction use the /a option, which makes signtool choose "the best" certificate automatically, and that may not be the one you intend. To sign with a specific certificate, use the /sha1 thumbprint option described under Additional Information below, or one of the other selection options in the SignTool documentation.

If you only have one Code Signing Certificate on your machine, do one of the following options:

Option 1: How to Sign Code with a SHA256 Certificate/Digest Algorithm/Timestamp

When using SHA2 for signing, make sure to use the latest version of signtool (6.3 or later) to avoid errors.

  1. In the Windows command prompt, enter the command below.

    signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a "c:\path\to\file.exe"

  2. If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:

    c:\Code>signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a Setup.exe
    Done Adding Additional Store
    Successfully signed and timestamped: Setup.exe

Option 2: How to Sign Code with a SHA1 Certificate/Digest Algorithm/Timestamp

  1. In the Windows command prompt, enter the command below.

    signtool sign /t http://timestamp.digicert.com /a "c:\path\to\file.exe"

  2. If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:

    c:\Code>signtool sign /t http://timestamp.digicert.com /a Setup.exe
    Done Adding Additional Store
    Successfully signed and timestamped: Setup.exe

Firefox (or Another Browser) or Operating System

If you installed your Code Signing Certificate in Firefox (or another browser) or another operating system such as Mac OS X, do the following:

  1. Export the certificate as a PKCS#12 (.pfx or .p12) file.

  2. Once you have the code signing certificate saved as a PKCS#12 on your machine, do one of the following options from a Windows operating system:

    1. Option 1: How to Sign Code with a SHA256 Certificate/Digest Algorithm/Timestamp

      When using SHA2 for signing, make sure to use the latest version of signtool (6.3 or later) to avoid errors.

      1. Enter the following command:

        signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f "c:\path\to\mycert.pfx" /p pfxpassword "c:\path\to\file.exe"

      2. If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:

        c:\Code>signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f mycert.pfx /p test Setup.exe
        Done Adding Additional Store
        Successfully signed and timestamped: Setup.exe

    2. Option 2: How to Sign Code with a SHA1 Certificate/Digest Algorithm/Timestamp

      1. Enter the following command:

        signtool sign /t http://timestamp.digicert.com /f "c:\path\to\mycert.pfx" /p pfxpassword "c:\path\to\file.exe"

      2. If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:

        c:\Code>signtool sign /t http://timestamp.digicert.com /f mycert.pfx /p test Setup.exe
        Done Adding Additional Store
        Successfully signed and timestamped: Setup.exe

How to verify the digital signature

You can verify that your application is now signed by right-clicking it and clicking Properties. On the Digital Signatures tab (which only appears on signed files), you can view the signing certificate and timestamp.

Additional Information

Using the hash value of a Code Signing Certificate is another way to let signtool know which Code Signing Certificate to use.

If you have multiple certificates installed in your Personal Certificate store, it may be better to use the /sha1 option to specify the hash value of the Code Signing Certificate (its SHA-1 thumbprint, which is unrelated to the /fd digest algorithm) instead of using /a or /f "c:\path\to\mycert.pfx" /p pfxpassword in the signing command.

In this case, you would be using the thumbprint value of your Code Signing Certificate. You must remove all spaces from the thumbprint value; if you do not, it won’t work. You can also use our DigiCert Utility to easily get the thumbprint.

  1. Option 1: How to Sign Code with a SHA256 Certificate/Digest Algorithm/Timestamp:

    Enter the following command:

    signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /sha1 [thumbprint] file.exe

  2. Option 2: How to Sign Code with a SHA1 Certificate/Digest Algorithm/Timestamp:

    Enter the following command:

    signtool sign /t http://timestamp.digicert.com /sha1 [thumbprint] file.exe
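The thumbprint selection and the signature check described above, as an added PowerShell example that is not part of the DigiCert article: it assumes signtool.exe is on PATH, the certificate is in the CurrentUser\My store, and the subject substring `My Company` is a placeholder you replace.

```powershell
# Added example: sign with an explicitly chosen certificate (by thumbprint),
# SHA-256 digest and RFC 3161 timestamp, then verify the result two ways.
param(
    [Parameter(Mandatory)] [string] $FilePath,
    [string] $SubjectMatch = "My Company",   # assumption: substring of the cert Subject
    [string] $TimestampUrl = "http://timestamp.digicert.com"
)

# Only certificates with the Code Signing EKU, a private key and a valid date range.
# Failing when the match is not unique is safer than letting /a pick "the best" one.
$candidates = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   $_.Subject -like "*$SubjectMatch*" })

if ($candidates.Count -ne 1) {
    throw "Expected exactly one matching code-signing certificate, found $($candidates.Count)"
}
$cert = $candidates[0]

# /sha1 wants the thumbprint without spaces; a thumbprint copied from certmgr often has them.
$thumbprint = $cert.Thumbprint -replace '\s', ''

& signtool sign /tr $TimestampUrl /td sha256 /fd sha256 /sha1 $thumbprint $FilePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# /pa = Default Authenticode verification policy, /v prints chain and timestamp details.
& signtool verify /pa /v $FilePath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Independent check with the built-in cmdlet; anything but 'Valid' is a failure.
$sig = Get-AuthenticodeSignature -FilePath $FilePath
if ($sig.Status -ne 'Valid') { throw "Get-AuthenticodeSignature reports $($sig.Status)" }
"Signed $FilePath with $($cert.Subject) [$thumbprint]; status: $($sig.Status)"
```

Run it from a PowerShell prompt as `.\sign-and-verify.ps1 -FilePath C:\path\to\file.exe`; a non-zero exit from either signtool call stops the script before an unsigned or badly signed binary is shipped.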

For more information on the different signtool.exe options, see Microsoft's SignTool Documentation.
