Microsoft SignTool - our favorite Windows code signing tool
Code signing is one of the most reliable ways to secure and authentify that our code is trustworthy. It is achieved by signing executables and scripts using a digital certificate with a unique cryptographic hash to connect the identity of the publisher to the software. This code signed certificate includes all the information required to fully identify the publisher.
In simple words, software code signing is an extra layer of security added to the installation process of your software. It helps to prove that the signed software is legitimate and has not been tampered with or altered in any way by a third party.
Further along in our guide, you will see how a code signing tool for Windows applications, like SignTool, helps.
For more information about code signing, cryptographic APIs and the file formats which support code signing, you can check out Cryptography Tools - Win32 apps | Microsoft Docs.
How do I get a code signing certificate?
There are multiple ways to get a digital certificate to sign your software. But when it comes to enterprise environments, these are the two main possibilities:
- Creating their own self-signed certificate. (with Microsoft SignTool, for instance).
- Purchasing a digital certificate from a trusted CA (Certificate Authority).
These two options have their pros and cons and it is important to know them to make an informed decision when choosing one above the other.
One of the main factors to consider is whether you will distribute your software outside your organization or not.
Why?
Because that will dictate which type of code signing process is more suitable. For instance, if you don’t expect to distribute your software outside your organization, then you can use a self-signed certificate. Otherwise, you may need to purchase a certificate from a trusted CA (Certificate Authority).
If you want to find out more about Code Signing Certificates from both a developer and IT Pro perspective, you can check out Tim Mangan’s articles: MSIX and Code Signing Certificates: What Developers Must Know (advancedinstaller.com) and MSIX Code Signing Certificates Part 2 – For IT Pros – Confessions of a Guru (tmurgent.com).
How to sign your product with a certificate?
Let's assume you went for the code signing certificate, how can you code sign your product?
We think SignTool is your best bet. It is a code signing utility tool developed by Microsoft to help digitally sign and timestamp files and verify signatures in files.
To use SignTool, we will have to go through the following steps:
- Installing SignTool,
- Using command line actions and,
- Verifying the digital signature.
Let's go through them!
How to install SignTool on Windows 10
Authoring tools like Advanced Installer have SignTool built-in within them, you can code sign your application straight from its easy-to-use GUI.
In Advanced Installer, all you need to do is: Navigate to the Digital Signature page and “Enable Signing”.
If you don’t want to use the built-in version of SignTool, you can point to Advanced Installer and use any other version by browsing to the location of SignTool and selecting the signtool.exe executable.
When you use a tool that does not have a built-in SignTool version within it, you can download the Windows SDK and install it by selecting the “Windows SDK Signing Tools for Desktop Apps” feature.
Once installed, the SignTool.exe can be found within the C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64 folder.
Alternatively, you can extract the Windows SDK Signing Tools-x86_en-us.msi by unpacking the Windows SDK ISO file that was downloaded and installing the Sign Tool using the above mentioned MSI.
Please be aware that the MSI has external CAB files which are also needed for its standalone installation:
- 4c3ef4b2b1dc72149f979f4243d2accf.cab
- 685f3d4691f444bc382762d603a99afc.cab
- e5c4b31ff9997ac5603f4f28cd7df602.cab
- e98fa5eb5fee6ce17a7a69d585870b7c.cab
SignTool is a portable tool, which means the executable (SignTool.exe) can be placed (copied) anywhere on your local computer, a USB flash drive, or any other removable device and launched straight away from there.
SignTool.exe command line options
If the code signing certificate comes in PFX (Personal Information Exchange) format, then you can use the following command to sign your product:
signtool sign /f MyCert.pfx /p MyPassword /fd SHA256 MyFile.exe
This command line is applicable to both self-signed certificates and the ones issued by a trusted CA.
In addition to self-signed certificates, the trusted CA certificates come with timestamping.
The following command digitally signs and timestamps your product:
signtool sign /f MyCert.pfx /t http://timestamp.digicert.com /fd SHA256 MyFile.exe
Also, there are cases where you don’t have access to the PFX file, but the certificate is installed on the machine that you use to code sign your software. In these cases, you can use the following command line:
Signtool sign /n "MyCert_SubjectName" /fd SHA256 /v MyFile.exe
If you're using the SHA26 hash algorithm for signing, it is important to use a version of SignTool that is 6.3 or higher to avoid any errors.
How to verify the digital signature?
You can verify that your product is signed by following the steps below:
- Right click on the file in question.
- Click Properties.
- Go to the Digital Signature tab.
There, you can view the “Signature list”. If you need more details about Digital Signature, you can click on the “Details” button.
Or, you can use the verify command. For instance, the following command verifies a file and it displays the signer certificate details:
SignTool verify /v MyFile.exe
Conclusion
You can automate your code signing process, either using Advanced Installer's built-in SignTool feature – or SignTool itself. This is very useful and saves a lot of time if you need to code sign multiple products at once.
If you're new to code signing, you may find it a bit difficult in the beginning, but you will see that once you grasp the process, it becomes simpler.
Keep in mind that you can code-sign your product straight from the dedicated GUI in Advanced Installer, without the need to know all the command lines that run in the background.
Get Advanced Installer Full Feature Free Trial and give code signing a shot.
Subscribe to Our Newsletter
Sign up for free and be the first to receive the latest news, videos, exclusive How-Tos, and guides from Advanced Installer.