Signing files with digital certificate

Introduction:

Digital signatures is important thing in verifying the authenticity of files. There are several ways to sign your files with certificate. I would like to show some of them. The first one will be Microsoft's signtool.exe.

Microsoft's signtool.exe is a command-line tool that allows you to sign files using code signing certificates and verify their signatures. In this article, we'll walk through the process of using signtool.exe to sign files, provide examples, and cover signature verification.

Note: Before proceeding, ensure that you have a valid code signing certificate obtained from a trusted Certificate Authority (CA). Or you can create you local certificate for development purposes. Check my blog with article: "How to create local (Development) certificate for digital signing".

Get signtool.exe

Microsoft's signtool.exe is a part of Windows SDK. To check it you should try to navigate to Windows Kits folder. The defaul path simular to:

C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64

Also another way is: open the Command Prompt or PowerShell on your Windows machine. In the Command Prompt or PowerShell, type the following command to verify that signtool.exe is accessible:

signtool

Note: For this you also should have appropriate environment variable

Signing

Navigate to the Directory Containing the File to Sign. Use the cd command to navigate to the folder where the file you want to sign is located.

Then to sign the file, use the following command:

signtool sign /f "path_to_your_certificate.pfx" /p "your_certificate_password" /t "http://timestamp.digicert.com" "file_to_sign.exe"

Replace the following values:

• "path_to_your_certificate.pfx" with the file path of your code signing certificate.
• "your_certificate_password" with the password for your certificate.
• "http://timestamp.digicert.com" with the URL of the timestamp server. Timestamping is essential to ensure the signature remains valid even after the certificate expires.
• "file_to_sign.exe" with the file name of the file you want to sign.

Signature verification

To verify the signature of the signed file, use the following command:

signtool verify /pa /v "signed_file.exe"

Replace "signed_file.exe" with the filename of the signed file.

Tips & issues:

• Ensure you have a valid code signing certificate issued by a trusted CA.
• Double-check that you are providing the correct path to the certificate file and the correct password.
• Always timestamp your signatures using a reputable timestamp server to ensure the signature remains valid even after the certificate expires.
• If your certificate has expired, you won't be able to use it for signing. Obtain a new certificate and replace the old one.
• If you receive an "Untrusted Certificate" warning during the verification process, ensure that the certificate's root authority is trusted on your machine.

Summary

Using signtool.exe is an essential process for digitally signing files, you can confidently sign your files and distribute them with the assurance that they come from a trusted source. Always remember to keep your code, signing certificate, password secure and renew it before it expires to maintain the integrity of your signatures.