(2 votes, average: 4.50 out of 5)
If you are wondering how to foster users’ trust in your apps or executable file, signing digitally an application or executable (exe) is the best way to ensure it.
When an executable or application is code signed, a digital code signature is added to the file, which includes information about the publisher and the certificate used to sign the file. This digital signature is created using the private key of the code signing certificate, which is stored on the certificate holder’s secure device.
So let us discuss how to sign an EXE.
Before you start signing an EXE or application, you will need the following:
Here are some of the options available for SignTool:
/f: Specifies the location of the code signing certificate.
/p: Specifies the password for the code signing certificate.
/tr: Specifies the URL of the timestamp server.
/td: Specifies the hash algorithm used for the timestamp.
/t: Specifies the URL of the timestamp server to use for the signing operation.
/d: Specifies the description of the signed content.
/du: Specifies the URL for more information about the signed content.
/a: Automatically selects the best signing certificate from the user’s certificate store.
/v: Verifies the digital signature of the file.
/debug: Displays detailed information about the signing
/n: Specifies the name of the subject of the code signing certificate.
/r: Specifies the name of the certificate store to search for the code signing certificate.
It’s important to note that the options available will depend on the version of SignTool.exe you are using, and some options may not be available in older versions. You can find more information and examples of how to use SignTool on the Microsoft Developer Network website
Once you have these items, you can start the signing process by opening a Command Prompt window as an administrator, navigating to the directory where the executable or application is located, and using the SignTool command to sign the file using your code signing certificate.
So now let’s get to how to sign exe. Follow the simple steps mentioned below.
Step-1: Obtain a code signing certificate from a commercial certificate authority (CA) or create your own using the makecert.exe tool.
Step-2: Opening a Command Prompt window as an administrator.
Step-3: Use the SignTool command to sign the EXE or Windows application with the obtained certificate,
signtool sign /f <path to your code signing certificate> /p <password for your code signing certificate> <path to the EXE or Windows application>
Step-4: Timestamp the executable using the /tr and /td options, which is an optional step, but it ensures that the signature on the executable will remain valid even if the code signing certificate expires.
signtool sign /f <path to your code signing certificate> /p <password for your code signing certificate> /tr <url of timestamp server> /td <hash algorithm> <path to the EXE or Windows application>
Note that the timestamp server may vary depending on the type of certificate used and the hash algorithm used.
Step-5: Once the signing process is completed, verify the signature using the SignTool Verify command.
signtool verify /v <path to the signed EXE or Windows application>
By following the steps outlined, you can complete your Windows Code Signing process. This will add an extra layer of security, prove their authenticity, and guarantee their integrity.
Now that your Windows Code Signing process is complete, it is time to make sure your EXE has been signed properly, and your end-users won’t encounter any issues with it while installing. Let’s see how to do it.
The best way to make sure that your EXE has been signed correctly and that your customers won’t have any issues with the signature when installing it is to verify the digital signature using the SignTool Verify command.
To verify the digital signature of an EXE or application, you can use the following command in a Command Prompt window:
signtool verify /v <path to the signed EXE or application>
This command will display information about the digital signature, including the publisher, the certificate used to sign the file, and the date and time of the signature.
By verifying the digital signature using SignTool and testing the installation of the software, you can ensure that your EXE has been signed correctly and that your customers won’t have any issues with the signature when installing it.
Windows Code Signing is not rocket science which is why you must do it on all your EXE. Even one unsigned executable or application can cause a widespread security incident. Unsigned software can be easily tampered with by malicious actors, which can result in the distribution of malware or other malicious software. This can lead to widespread security incidents and damage to the reputation of the publisher.
By using code signatures on your executables and applications, you can help protect your customers from these types of security incidents and demonstrate your commitment to providing a safe and secure experience for your customers. So now that you have become a code signing pro, let’s get started and don’t give cybercriminals any chance to manipulate you.