Microsoft SignTool

Microsoft SignTool is a command-line tool included in the Windows Software Development Kit (SDK) that is used to digitally sign files such as executable EXE files and DLLs. This tool allows developers to secure their applications with a digital signature, increasing user confidence in the authenticity and integrity of the software.

Installing SignTool

• SignTool is part of the Microsoft Windows Software Development Kit (SDK). The installer can be downloaded from the page Windows SDK.
• Help from Microsoft is on the site learn.microsoft.com/.../seccrypto/signtool with a detailed explanation of syntax and parameters.

Basic commands

Command to sign custom EXE application using CODE Signing certificate. If we do not have a file path set, it must be specified.

signtool sign /debug /n "web security" /fd SHA256 MyApp.exe

Basic parameters

• /debug - prints debugging information
• /n SubjectName - selects a signature certificate by subject name; Only part of the name can be entered.
• /a - automatically selects the best signing certificate
• /t URL - timestamp server option
• /fd certHash - hashing algorithm specification, mandatory parameter (sha256, sha384)
• /d Desc - specification of signed code

Syntax examples

signtool sign /a /fd SHA256 MyApp.exe
signtool sign /t http://time.certum.pl /a /fd SHA256 MyApp.exe
signtool sign /t http://timestamp.digicert.com /a /fd SHA384 "C:\path\to\MyApp.exe"
signtool sign /t http://time.certum.pl /n "MyCompany cert" /fd SHA256 /d "test code" MyApp.exe

---

Where next?

• SimplySign [CA Certum]
• CODE - FAQ & Solutions to common problems
• OpenSSL for Windows and Mac