Code Signing for Windows

Windows Software Development Kit (SDK) contains headers, libraries, and tools you can use when you create apps that run on Windows operating systems.

To download the Windows Software Development Kit (SDK) click here.

Important SignTool Options:

  • /ac - Specify an Additional Certificate.
  • /a - Automatically selects the best certificate to sign the file from your Windows Certificate Store.
  • /fd SHA256 - Specify the file digest algorithm used in creating file signatures.(Windows Vista and earlier: This flag is not supported).
  • /t - Specifies the URL of the time stamp server.
  • /td SHA256 - Must be called after '/tr', this command specifies the TimeStamp digest Algorithm. *Recommended*
  • /sha1 Hash - Used to select the signing certificate by the SHA-1 Hash
  • /csp CSPName - Specifies the cryptographic service provider (CSP) that contains the private key container.

The following command signs the file using a certificate stored in a password-protected PFX file:

SignTool sign /f MyCert.pfx /p MyPassword MyControl.exe

The following command signs and time stamps the file:

SignTool sign /f MyCert.pfx /t MyControl.exe

To Dual Sign your application, please run the following codes one after another:

signtool.exe sign /f MyCert.pfx /p <PFX password> /t /v foo.exe

signtool.exe sign /f MyCert.pfx /p <PFX password> /fd sha256 /tr /td sha256 /as /v foo.exe

To verify the successful signature use the following commands:

Authenticode: signtool verify /v /pa
Kernel Driver Signing: signtool verify /v /kp