CODE SIGNING APPLICATIONS USING SIGNTOOL WITH CODE SIGNING CERTIFICATE:
Pre-requisites:
SignTool from the Microsoft Windows SDK (it can be downloaded here).
USB token on which the EV code signing certificate and its private key are provisioned. The steps for collecting an EV code signing certificate can be found here.
SafeNet Authentication Client installed (it can be downloaded here).
Note: The private key provisioned on the USB token cannot be exported as a PFX/P12 file; signing must be done with the token connected.
The following command, typed at the Windows command prompt, signs the file using the EV code signing certificate stored on the USB token:
SignTool sign /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "Your Company Name Inc." "C:\path\to\FileToSign.exe"
Where "Your Company Name Inc." is the Subject Name of the certificate to which the EV code signing certificate was issued, as shown in the screenshot below (double-click the EV code signing certificate, then open the Details tab).
"C:\path\to\FileToSign.exe" should be replaced with the actual location of the EXE or MSI file you would like to sign with this certificate, for example C:\Users\Desktop\foo.exe.
If the process was successful, SignTool prints the following response, indicating that the program has been signed and timestamped:
Done Adding Additional Store
Successfully signed and timestamped: FOO.exe
You can verify whether the application is signed by right-clicking it and choosing Properties. If the Digital Signatures tab is displayed, the file is signed and you can view the signing certificate and timestamp information as shown in the screenshot.
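The Properties dialog check above is manual; in a build or release pipeline you will want the same sign-then-verify sequence scripted so that an unsigned or badly signed binary fails the build. The PowerShell script below is an added example, not part of the original article: it runs the article's sign command, then verifies the result with SignTool's own verify command and with PowerShell's Get-AuthenticodeSignature. The subject name, timestamp URL and file path are the article's placeholders and must be replaced with your own values; the script assumes signtool.exe is on the PATH and the USB token is connected.

```powershell
# Added example (not from the original KB article): sign a file with the EV
# certificate on the USB token, then verify the signature before shipping.
# Assumed values: the three settings below are the article's placeholders.
$Subject   = "Your Company Name Inc."        # certificate Subject Name (Details tab)
$Timestamp = "http://timestamp.sectigo.com"  # RFC 3161 timestamp server used with /tr
$File      = "C:\path\to\FileToSign.exe"     # EXE or MSI to sign

# Sign: /fd and /td select SHA-256 for the file digest and the timestamp digest,
# /tr names the RFC 3161 timestamp server and /n selects the certificate by subject.
& signtool.exe sign /tr $Timestamp /td sha256 /fd sha256 /n $Subject $File
if ($LASTEXITCODE -ne 0) {
    throw "signtool sign failed with exit code $LASTEXITCODE"
}

# Verify against the default Authenticode policy (/pa) with verbose output (/v).
# A non-zero exit code means the certificate chain or the timestamp did not validate.
& signtool.exe verify /pa /v $File
if ($LASTEXITCODE -ne 0) {
    throw "signtool verify failed with exit code $LASTEXITCODE"
}

# Cross-check with PowerShell's built-in Authenticode check and report the
# signer and timestamper so a reviewer can confirm the expected certificate was used.
$sig = Get-AuthenticodeSignature -FilePath $File
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
"Signer      : $($sig.SignerCertificate.Subject)"
"Timestamper : $($sig.TimeStamperCertificate.Subject)"
```

Running the verify step with /pa is deliberate: it applies the policy Windows itself uses for Authenticode, so a binary that passes here will not trigger a publisher warning on an end user's machine, whereas the default verify policy (Windows driver signing) rejects ordinary application certificates and gives a misleading failure.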
Most used SignTool Options:
- /a - Automatically selects the best signing certificate. SignTool finds all valid certificates that satisfy the specified conditions and selects the one that is valid for the longest time.
- /n - Specifies the name of the subject of the signing certificate. This value can be a substring of the entire subject name.
- /fd sha256 - Specifies the file digest algorithm used when creating the file signature.
- /t - Specifies the URL of a legacy Authenticode time stamp server. The command above instead uses /tr, which specifies the URL of an RFC 3161 time stamp server.
- /td sha256 - Must be used together with /tr; specifies the time stamp digest algorithm. *Recommended*
- /sha1 Hash - Selects the signing certificate by its SHA-1 thumbprint, which is useful when several certificates share the same subject name.
- /ac - Specifies an additional certificate (for example an intermediate) to include in the signature.
- /csp CSPName - Specifies the cryptographic service provider (CSP) that contains the private key container.
For further assistance or troubleshooting, you can refer to Sectigo’s official Knowledge Base or contact support.