Microsoft SignTool
Microsoft SignTool is a command-line tool included in the Windows Software Development Kit (SDK) that is used to digitally sign files such as executable EXE files and DLLs. This tool allows developers to secure their applications with a digital signature, increasing user confidence in the authenticity and integrity of the software.
Installing SignTool
- SignTool is part of the Microsoft Windows Software Development Kit (SDK). The installer can be downloaded from the Windows SDK page.
- Help from Microsoft is on the site learn.microsoft.com/.../seccrypto/signtool with a detailed explanation of syntax and parameters.
Basic commands
The following command signs a custom EXE application using a Code Signing certificate. If the path to the file is not set, it must be specified.
signtool sign /debug /n "web security" /fd SHA256 MyApp.exe
Basic parameters
- /debug - prints debugging information
- /n SubjectName - selects the signing certificate by subject name; only part of the name needs to be entered.
- /a - automatically selects the best signing certificate
- /t URL - specifies the URL of the timestamp server
- /fd certHash - specifies the hashing algorithm; mandatory parameter (sha256, sha384)
- /d Desc - description of the signed code
Syntax examples
signtool sign /a /fd SHA256 MyApp.exe
signtool sign /t http://time.certum.pl /a /fd SHA256 MyApp.exe
signtool sign /t http://timestamp.digicert.com /a /fd SHA384 "C:\path\to\MyApp.exe"
signtool sign /t http://time.certum.pl /n "MyCompany cert" /fd SHA256 /d "test code" MyApp.exe
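Signing is only half of the job: the result should be checked before the file is shipped. The following PowerShell script is an added example, not part of the original help page. It signs a file with the parameters shown above and then confirms that the signature is valid and timestamped. It assumes signtool.exe is on the PATH; the file name, subject name and timestamp URL are the placeholder values from the examples above.

```powershell
# Added example: sign a file, then verify the signature before release.
# Assumptions: signtool.exe is on PATH; the default values below are the
# placeholders used in the syntax examples on this page.
param(
    [string]$File         = 'MyApp.exe',
    [string]$SubjectName  = 'MyCompany cert',
    [string]$TimestampUrl = 'http://time.certum.pl'
)

$ErrorActionPreference = 'Stop'

if (-not (Get-Command signtool.exe -ErrorAction SilentlyContinue)) {
    throw 'signtool.exe not found on PATH; install the Windows SDK or call it by its full path.'
}
if (-not (Test-Path -LiteralPath $File)) {
    throw "File not found: $File"
}

# 1. Sign with SHA256 and a timestamp, as in the syntax examples.
& signtool.exe sign /t $TimestampUrl /n $SubjectName /fd SHA256 $File
if ($LASTEXITCODE -ne 0) {
    throw "signtool sign failed with exit code $LASTEXITCODE"
}

# 2. Verify against the default Authenticode policy (/pa), verbose output (/v).
#    SignTool returns 0 on success, 1 on failure and 2 on warnings.
& signtool.exe verify /pa /v $File
if ($LASTEXITCODE -ne 0) {
    throw "signtool verify reported exit code $LASTEXITCODE for $File"
}

# 3. Independent check with the built-in cmdlet.
$sig = Get-AuthenticodeSignature -LiteralPath $File
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}
# Without a timestamp the signature stops validating once the signing
# certificate expires, so treat a missing timestamp as a failure.
if (-not $sig.TimeStamperCertificate) {
    throw 'Signature has no timestamp; check the /t URL and network access.'
}

[pscustomobject]@{
    File        = $File
    Status      = $sig.Status
    Signer      = $sig.SignerCertificate.Subject
    Thumbprint  = $sig.SignerCertificate.Thumbprint
    Timestamper = $sig.TimeStamperCertificate.Subject
}
```

Comparing the reported thumbprint with the one of the certificate you intended to use catches the case where /n or /a selected a different certificate from the store.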