1. Home
2. Help
3. Code Signing certificates
4. How to Sign Applications on Windows (SDK)

How to Sign Applications on Windows (SDK)

Let's take a look at how to sign an application on Windows using Windows SDK (signtool tool) and a Code Signing certificate. The guide assumes you have a prepared Code Signing certificate in PFX format and a development environment with Windows SDK installed on a Windows operating system. Download the SDK from Microsoft's website for your Windows version, such as the Windows Software Development Kit (SDK) for Windows 10.

Using Signtool

Signtool.exe is a program that signs applications with a Code Signing certificate. After installing Windows SDK, use it from the command line. To sign applications, you need to know the basic parameters to correctly call the application signing with the appropriate certificate and settings.

Signing is actually done via the command line, and you just need to have the certificate available on the given computer (it does not get installed).

The basic parameters (commands) for signing are as follows:

signtool command /parameter

From the commands, you will use Sign to sign and Verify to verify a file's signature. Timestamp is a command to add a timestamp, but you can do this right at the time of signing the file.

Useful parameters:

• /f SignCertFile – if using a PFX file for signing, this command points to its location. Getting a Code Signing certificate in PFX is no longer possible.
• /s StoreName – if using a certificate store (e.g., on a token), specifies which to use. Default is My.
• /t URL – adds a timestamp and reference to it. You can find the URL of timestamp servers below.
• /td - hash algorithm in the timestamp. Choose at least the sha256 parameter or higher.
• /fd - hash algorithm. Choose at least the sha256 parameter or higher.

The complete documentation can be found on Microsoft's website or by entering the command "signtool sign /?".

The full command for signing a file could look like this:

Always use a timestamp. This ensures the signed application remains trusted even after the certificate expires that was used for signing. This is very important because you will not need to re-sign older applications retrospectively (typically after two years of Code Signing certificate expiration) to prevent them from being untrusted. If you use a timestamp at the time of signing and the certificate is valid, the application will also be valid in the future.

There are several servers providing timestamps; we recommend using the DigiCert timestamp server: http://timestamp.digicert.com/

This server has no website on port 80, so visiting it with a browser is unnecessary (you will see nothing).

Certificate Stores

A certificate can be stored in multiple places (in multiple stores) and you can "call" it in multiple ways. Previously, it was possible to store the certificate as a PFX file, but this is no longer possible. A PFX file can be stolen by anyone and, even though it is password-protected, it poses a significant security risk (passwords often tend to be very weak). PFX is mostly suitable for S/MIME certificate backups or for the web.

The common way of storing a Code signing certificate is storing it on a token and subsequently calling it according to the subject in the certificate. This method is safe and practically the same as the previous PFX signing. Without the private key, which cannot be exported from the token, the certificate is worthless, and misuse is not possible; the token is locked after five incorrect password attempts.

Signing using a store then requires the parameter /n SubjectName:

Or you can choose the default store My and the signing software will automatically find the certificate:

Automating Code Signing with Cloud HSM

Code signing automation is highly demanded, however, with a certificate on a token, you cannot sign automatically; you cannot use it on a server either. Fortunately, services are available that are suitable for signing automation. DigiCert offers a service called KeyLocker, and the Software Trust Manager. Signing keys can also be stored in a cloud HSM in Azure or Google Cloud.

More information about code signing automation options can be found in the article Code Signing Center.

Checking the Signature

You now know how to sign and have given your application its first trusted signature. You're probably curious about how to verify the signature now.
The check can be done either using the signtool:

More simply, the check can be performed by displaying the file's properties in Windows Explorer. You can "dissect" the signature detail down to the actual certificate used.