Sign Windows Code with Microsoft SignTool

Last Updated: November 14, 2008 8:45 AM

Our code signing certificates can be used to sign a variety of Microsoft Windows code formats, including .exe, .ocx, .dll and .cab. The basic process is as follows:

  1. The software developer purchases a code signing certificate from us and installs the certificate and private key on the machine that will be used to build the distributed code.
  2. The software developer creates code to sign.
    • For CAB files, space should be allocated for the digital signature by adding the following entry to your .ddf file before creating the cab file: Set ReservePerCabinetSize=6144.
    • For other types of files, nothing special needs to be done.
  3. Use the SignTool.exe utility to sign and verify the code.
    • Download Windows SDK for Windows 2008 Server and .NET 3.5. To install the minimal tools needed for signing your files, install only the Tools and Redistributable Components of the Microsoft Windows Core SDK. For more information, see Microsoft's Sign Tool documentation.

      NOTE: SignTool.exe is not supported on Windows NT and Windows Me/98/95. SignCode.exe and ChkTrust.exe can be used on these platforms instead.

    • You need to specify the private key, certificate, code to be signed and optionally the time stamping server URL. For more information, see http://tsa.starfieldtech.com.
    • You can use the SignTool.exe program from the command line to sign a file. For example:
      signtool sign /f certfile.pfx /p password /t timestampURL mycode.exe
      Alternatively, you can run the SignTool Wizard by invoking this command:
      signtool signwizard
      For more information on the SignTool program, see Microsoft's SignTool file signing documentation.
    • You can also use the SignTool program to verify a file signature.
      signtool verify mycode.exe
      For more information on verifying code with SignTool, see Microsoft's SignTool file verification documentation.

Using the SignTool Wizard

  1. Launch the SignTool Wizard by invoking signtool signwizard from the command line. The Digital Signature Wizard will display. Click Next to start the Wizard.
  2. In the File Selection dialog, browse to the binary file (.exe, .ocx, .dll or .cab) you want to sign. Click Next.
  3. In the Signing Options dialog, click Custom and then click Next.
  4. The Signature Certificate dialog displays:
    • If the certificate is installed in the local certificate store, click Select from Store and navigate to the certificate.
      OR
    • If you have the certificate file in SPC format, click Select from File and navigate to the code signing certificate file.
      OR
    • If you have a PFX certificate bundle file instead, use SignTool.exe from the command line rather than the wizard, with this command:
      signtool sign /f certfile.pfx /p password /t timestampURL mycode.exe
  5. Click Next.
  6. The Private Key dialog displays.
    • If you have the private key file in PVK format, click Private key file on my disk and browse to the private key file. Select the appropriate values for the CSP and Provider Type fields based on the options you used when you requested the code signing certificate.
      OR
    • If the private key is installed in the CSP, click Private key in a CSP. Select the appropriate values for the CSP, Key Container and Key Type fields based on the options you used when you requested the code signing certificate.
  7. Click Next. You may be prompted to enter the password for the private key if you specified a PVK file.
  8. In the Hash Algorithm dialog, click sha1 and then click Next.
  9. Select the All certificates in the certification path, including the root certificate option in the Certificates in the certification path group. Click Next.
  10. Type a description and URL that describe the code being signed. Click Next.
  11. If time stamping is desired, click Add a time stamp to the data and specify the time stamping server URL.

    NOTE: Time stamping allows the signed code to remain valid past the expiration date of the code signing certificate, as long as the certificate was valid when the code was signed and the code has not been tampered with since it was signed.

    Click Next.
  12. In the summary window, verify all the information is correct and click Finish.

Your code is now signed. You may also use SignTool.exe to verify the digital signature was added to the code.
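
The command-line sign and verify steps above, combined into one PowerShell script that stops a release when any file fails (an added example, not part of the original article). The parameter names and build folder are assumptions; `/pa` and `/tw` are `signtool verify` options the article does not use: `/pa` selects the default Authenticode verification policy and `/tw` raises a warning when the signature has no time stamp.

```powershell
# Added example (not from the article). Parameter names are assumptions.
param(
    [Parameter(Mandatory)] [string] $BuildDir,     # folder holding the build output
    [Parameter(Mandatory)] [string] $PfxPath,      # certfile.pfx in the article
    [Parameter(Mandatory)] [string] $TimestampUrl  # timestampURL in the article
)
$ErrorActionPreference = 'Stop'

# Prompt for the PFX password so it is not stored in the script or build config.
# signtool still receives it through /p, so it is visible in the process
# command line while signing runs.
$secure = Read-Host -Prompt 'PFX password' -AsSecureString
$pfxPassword = [System.Net.NetworkCredential]::new('', $secure).Password

# File types the article lists as signable.
$targets = @(Get-ChildItem -Path $BuildDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.ocx', '.dll', '.cab' })
if ($targets.Count -eq 0) { throw "No signable files found under $BuildDir" }

$failed = @()
foreach ($file in $targets) {
    # Same command line as in the article.
    & signtool sign /f $PfxPath /p $pfxPassword /t $TimestampUrl $file.FullName
    if ($LASTEXITCODE -ne 0) {
        $failed += "$($file.FullName): signing failed (exit $LASTEXITCODE)"
        continue
    }
    # /pa: default Authenticode verification policy.
    # /tw: warn when the signature carries no time stamp.
    # SignTool exits 0 on success, 1 on failure, 2 on warnings.
    & signtool verify /pa /tw $file.FullName
    if ($LASTEXITCODE -ne 0) {
        $failed += "$($file.FullName): verification failed (exit $LASTEXITCODE)"
    }
}

if ($failed.Count -gt 0) {
    $failed | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Signed and verified $($targets.Count) file(s)."
```

Because any non-zero exit from `signtool verify` is treated as a failure, a file that was signed but not time stamped also blocks the release.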