Code Signing

Once the code signing certificate has been installed in the local personal Windows certificate store, you can sign your executables, dynamic link libraries or cabinet files. Depending on how you installed signtool, you might have to open a developer console so that signtool is included in your local Windows search path.

Use the following basic command to sign your executable. Replace "YourCompany Code Signing" with the common name ("CN" field) of your certificate. You can also add the /fd sha256 parameter to use the more secure SHA256 digest algorithm.

›_ Console

C:\Autheticode>signtool sign /v /n "YourCompany Code Signing" sample.exe
The following certificate was selected:
Issued to: YourCompany Code Signing
Issued by: Utimaco-RootCA
Expires: Sat Mar 25 08:31:30 2023
SHA1 hash: F61F71E40BCB5D14452D7EDD2A034D22801FB547

Done Adding Additional Store
Successfully signed: sample.exe

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

If you are using smartcard authentication, the PIN pad device prompts you to insert the smartcard and enter the PIN. Then press the OK button on the PIN pad.

It is advisable to also include a time stamp in your code signature. With a time stamp, the signature usually stays valid even after the expiry date of the code signing certificate. Add a timestamping authority like Verisign (http://timestamp.verisign.com/scripts/timstamp.dll) as an extra parameter (/t) to signtool, as shown next.

›_ Console

C:\Autheticode>signtool sign /v /n "YourCompany Code Signing" /t http://timestamp.verisign.com/scripts/timstamp.dll sample.exe
The following certificate was selected:
Issued to: YourCompany Code Signing
Issued by: Utimaco-RootCA
Expires: Sat Mar 25 08:31:30 2023
SHA1 hash: F61F71E40BCB5D14452D7EDD2A034D22801FB547

Done Adding Additional Store
Successfully signed: sample.exe

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
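
The following PowerShell script is an added example, not part of the original guide or vendor code. It combines the signing options described above (subject name, /fd sha256, /t) and then checks the result instead of relying on the console output alone. The `signtool verify /pa` step and the `Get-AuthenticodeSignature` checks are additions; the script assumes signtool.exe is on the search path and that the issuing root CA is trusted on the machine, and its default parameter values are the sample values shown on this page.

```powershell
# Added example (not vendor code): sign, timestamp, then verify the result.
# Assumes signtool.exe is on PATH and the issuing root CA is trusted locally;
# without that trust the verification steps below report a failure.
param(
    [string]$File         = 'sample.exe',
    [string]$SubjectName  = 'YourCompany Code Signing',
    # Sample values copied from this page; replace them with your own.
    [string]$TimestampUrl = 'http://timestamp.verisign.com/scripts/timstamp.dll',
    [string]$Thumbprint   = 'F61F71E40BCB5D14452D7EDD2A034D22801FB547'
)
$ErrorActionPreference = 'Stop'

# /n selects the certificate by subject name, /fd sets the file digest
# algorithm, /t requests a time stamp from the given authority.
& signtool sign /v /fd sha256 /n $SubjectName /t $TimestampUrl $File
if ($LASTEXITCODE -ne 0) {
    throw "signtool sign exited with code $LASTEXITCODE"
}

# /pa verifies the file against the default Authenticode policy.
& signtool verify /pa /v $File
if ($LASTEXITCODE -ne 0) {
    throw "signtool verify exited with code $LASTEXITCODE"
}

# Independent check through the PowerShell Authenticode API.
$sig = Get-AuthenticodeSignature -FilePath $File
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}

# Confirm the file was signed by the intended certificate, not merely by
# some certificate that happens to chain to a trusted root.
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$signerCn = $sig.SignerCertificate.GetNameInfo($nameType, $false)
if ($signerCn -ne $SubjectName) {
    throw "Unexpected signer '$signerCn'"
}
if ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
    throw "Unexpected signer thumbprint $($sig.SignerCertificate.Thumbprint)"
}

# A missing time stamp means the signature will not outlive the certificate.
if ($null -eq $sig.TimeStamperCertificate) {
    throw "Signature on $File carries no time stamp"
}

Write-Output "$File signed by '$signerCn' and time stamped by '$($sig.TimeStamperCertificate.Subject)'"
```

Any non-zero signtool exit code is treated as a failure here, which also stops the build when signtool finishes with warnings only.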