Frequently Asked Questions

Signing Windows Code with Microsoft SignTool

Last Updated: October 23, 2014 5:39 PM

Our code signing certificates can be used to sign a variety of different Microsoft® Windows code formats, including EXE, OCX, DLL and CAB.

The basic process is as follows:

  1. The software developer purchases a code signing certificate from us and installs the certificate and private key on the machine that will be used to build the distributed code.
  2. The software developer creates code to sign.
    • For CAB files, space should be allocated for the digital signature by adding the following entry to your .ddf file before creating the cab file: Set ReservePerCabinetSize=6144.
    • For other types of files, you don't need to do anything special.
  3. Use the SignTool.exe utility to sign and verify the code.

Though we test these steps on older platforms, we cannot provide assistance for operating systems whose support has been terminated by their vendors (for example, Microsoft's end of support for Windows XP). To avoid such issues, we recommend using the latest version of a currently supported OS.

To Sign Windows Code with Microsoft SignTool

  1. Launch the SignTool Wizard by invoking signtool signwizard from the command line. The Digital Signature Wizard displays.
  2. Click Next.
  3. In the File Selection window, browse to the binary file (.exe, .ocx, .dll or .cab) you want to sign, and then click Next.
  4. In the Signing Options window, click Custom, and then click Next.
  5. In the Signature Certificate window, do one of the following:
    • If the certificate is installed in the local certificate store, click Select from Store, and then navigate to the certificate.
    • If you have the certificate file in SPC format, click Select from File, and then navigate to the code signing certificate file.
    • If you have a PFX certificate bundle file instead, you can use SignTool.exe from the command line by entering this command:
      Signtool sign /f certfile.pfx /p password /tr http://tsa.starfieldtech.com /td SHA256 mycode.exe
  6. Click Next.
  7. In the Private Key window, do one of the following:
    • If you have the private key file in PVK format, click Private key file on my disk and browse to the private key file. Select the appropriate values for the CSP and Provider Type fields based on the options you used when you requested the code signing certificate.
    • If the private key is installed in the CSP, click Private key in a CSP. Select the appropriate values for the CSP, Key Container and Key Type fields based on the options you used when you requested the code signing certificate.
  8. Click Next. You might be prompted to enter the password for the private key if you specified a PVK file.
  9. In the Hash Algorithm window, click the algorithm you used when setting up your cert (probably SHA2), and then click Next.
  10. Select the All certificates in the certification path, including the root certificate option in the Certificates in the certification path group. Click Next.
  11. Type a description and URL that describe the code being signed, and then click Next.
  12. If you want to use time stamping, click Add a time stamp to the data, and then enter the time stamping server URL. Click Next.

    NOTE: Time stamping allows the signed code to remain valid past the expiration date of the code signing certificate, as long as the certificate was valid when the code was signed and the code has not been tampered with since it was signed.

  13. In the summary window, verify that all the information is correct, and then click Finish. Your code is now signed.

You can also use SignTool.exe to verify that the digital signature was added to the code.
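The following PowerShell script is an added example, not part of the original article, showing the command-line path end to end: signing from a PFX bundle with the same timestamp server the article uses, verifying with signtool verify, and then checking the result programmatically with the built-in Get-AuthenticodeSignature cmdlet so that a build pipeline can fail on an unsigned or untimestamped binary. The certificate path, PFX password and target binary are placeholders; the /fd SHA256 switch (file digest algorithm) is a standard SignTool option that the article's command does not include, and the Test-SignedAndTimestamped function is a name chosen for this example.

```powershell
# Added example (not from the original article): sign a binary from a PFX,
# then verify it two ways. Paths, the PFX password and the binary name are
# placeholders; the timestamp URL is the one the article uses.
param(
    [string]$Pfx     = 'C:\certs\codesign.pfx',       # placeholder
    [string]$PfxPass = '<pfx-password>',               # placeholder; in practice read it with Read-Host -AsSecureString
    [string]$Target  = 'C:\build\mycode.exe',          # placeholder
    [string]$TsaUrl  = 'http://tsa.starfieldtech.com'
)

# 1. Sign. /tr requests an RFC 3161 timestamp, /td sets the timestamp digest,
#    /fd sets the file digest (SHA256 here; /fd is a standard SignTool switch
#    that the article's command omits).
& signtool.exe sign /f $Pfx /p $PfxPass /fd SHA256 /tr $TsaUrl /td SHA256 $Target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 2. Verify with SignTool itself (/pa = default Authenticode policy, /v = verbose chain output).
& signtool.exe verify /pa /v $Target
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# 3. Verify from PowerShell and inspect the result programmatically.
#    Function name is chosen for this example.
function Test-SignedAndTimestamped {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status                       # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer      = $sig.SignerCertificate.Subject
        Expires     = $sig.SignerCertificate.NotAfter
        Timestamped = ($null -ne $sig.TimeStamperCertificate)
        IsValid     = ($sig.Status -eq 'Valid')
    }
}

$result = Test-SignedAndTimestamped -Path $Target
$result | Format-List

# A HashMismatch status means the file changed after signing; NotSigned means the
# signature block is absent. A valid but untimestamped signature stops validating
# once the signing certificate expires, which is why the timestamp is checked too.
if (-not $result.IsValid)     { throw "Signature on $Target is not valid: $($result.Status)" }
if (-not $result.Timestamped) { Write-Warning "No timestamp: this signature will stop validating after $($result.Expires)" }
```

Run it from a Developer Command Prompt or any shell where signtool.exe is on the PATH. The Get-AuthenticodeSignature check is worth keeping separate from the signtool call: it evaluates the signature with the machine's own trust settings, so a binary that SignTool accepted on the build machine but that fails here points at a chain or trust-store difference rather than at the signature itself.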