How to Sign an EXE File Using Code Signing Certificate?
If you are wondering how to foster users’ trust in your apps or executable files, signing digitally an application or executable (exe) is the best way to ensure it.
When an executable or application is code-signed, a digital code signature is added to the file, which includes information about the publisher and the certificate used to sign the file. This digital signature is created using the private key of the code signing certificate, which is stored on the certificate holder’s secure device.
So let us discuss how to sign an EXE.
How to Digitally Sign a .EXE File?
Before you start signing an EXE or application, you will need the following:
- Code Signing Certificate: This digital certificate can be used to sign your software. You can obtain a code signing certificate from a commercial Certificate Authority (CA) or create your own using the makecert.exe tool.
- SignTool.exe: This is a command-line tool included in the Windows SDK and can be used to sign files using a code signing certificate. It’s essential to ensure you have the latest version of SignTool.exe installed on your device.
Here are some of the options available for SignTool:
/f: Specifies the location of the code signing certificate.
/p: Specifies the password for the code signing certificate.
/tr: Specifies the URL of the timestamp server.
/td: Specifies the hash algorithm used for the timestamp.
/t: Specifies the URL of the timestamp server for the signing operation.
/d: Specifies the description of the signed content.
/du: Specifies the URL for more information about the signed content.
/a: Automatically selects the best signing certificate from the user’s certificate store.
/v: Verifies the digital signature of the file.
/debug: Displays detailed information about the signing
process.
/n: Specifies the name of the subject of the code signing certificate.
/r: Specifies the name of the certificate store to search for the code signing certificate.
It’s important to note that the options available will depend on the version of SignTool.exe you are using, and some options may not be available in older versions.
You can find more information and examples of how to use SignTool on the Microsoft Developer Network website
- Windows Operating System: SignTool.exe is compatible with the Windows operating system.
- Administrator Access: Signing an executable or application requires administrator access.
- USB Token: If you have to code sign with an Extended Validation (EV) code signing certificate, it’s important to ensure that the USB token sent to you by the issuing certificate authority (CA) is inserted into your device before proceeding with the code signing process.
- Executable or Application: You will need the executable or application that you want to sign.
Once you have these items, you can start the signing process by opening a Command Prompt window as an administrator, navigating to the directory where the executable or application is located, and using the SignTool command to sign the file using your code signing certificate.
So now let’s get to how to sign exe. Follow the simple steps mentioned below.
Step-1: Obtain a code signing certificate from a commercial certificate authority (CA) or create your own using the makecert.exe tool.
Step-2: Opening a Command Prompt window as an administrator.
Step-3: Use the SignTool command to sign the EXE or Windows application with the obtained certificate,
signtool sign /f <path to your code signing certificate> /p <password for your code signing certificate> <path to the EXE or Windows application>
Step-4: Timestamp the executable using the /tr and /td options, an optional step. Still, it ensures that the signature on the executable will remain valid even if the code signing certificate expires.
signtool sign /f <path to your code signing certificate> /p <password for your code signing certificate> /tr <url of timestamp server> /td <hash algorithm> <path to the EXE or Windows application>
Note that the timestamp server may vary depending on the type of certificate used and the hash algorithm used.
Step-5: Verify the signature using the SignTool Verify command once the signing process is completed.
signtool verify /v <path to the signed EXE or Windows application>
You can complete your Windows Code Signing process by following the steps outlined. This will add an extra layer of security, prove their authenticity, and guarantee their integrity.
Now that your Windows Code Signing process is complete, it is time to ensure your EXE has been appropriately signed and your end-users won’t encounter any issues with it while installing. Let’s see how to do it.
How to Make Sure the EXE has been Signed Correctly?
The best way to make sure that your EXE has been signed correctly and that your customers won’t have any issues with the signature when installing it is to verify the digital signature using the SignTool Verify command.
To verify the digital signature of an EXE or application, you can use the following command in a Command Prompt window:
signtool verify /v <path to the signed EXE or application>
This command will display information about the digital signature, including the publisher, the certificate used to sign the file, and the date and time of the signature.
- You can also check the signature by right-clicking on the EXE or application, then selecting Properties and going to the Digital Signatures tab; you will find the publisher, the certificate used and the date and time of the signature. You can also check the certificate information by clicking on the Details button.
- You can test the software installation on various systems and configurations to ensure that the digital signature is recognized and the software can be installed without any issues.
- You can share the signed executable or application with a group of trusted testers and beta testers to get feedback and ensure everything is working correctly.
By verifying the digital signature using SignTool and testing the installation of the software, you can ensure that your EXE has been signed correctly and that your customers won’t have any issues with the signature when installing it.
Code Sign EXE!
Windows Code Signing is not rocket science, so you must do it on all your EXE. Even one unsigned executable or application can cause a widespread security incident.
Unsigned software can be easily tampered with by malicious actors, which can result in the distribution of malware or other malicious software. This can lead to widespread security incidents and damage to the reputation of the publisher.
Using code signatures on your executables and applications, you can help protect your customers from these security incidents and demonstrate your commitment to providing a safe and secure experience.
So now that you have become a code signing pro, let’s get started and don’t give cybercriminals any chance to manipulate you.