Program Signing and Timestamping with SignTool

Prepare and sign your files, executables and applications for release with the SignTool command-line tool when your Code Signing Certificate is on your USB eToken.

This tutorial requires you to have your Code Signing Certificate from DigiCert or Verokey already on your USB eToken. If you still need to get your USB eToken initialised and set up, check out our guide here.

When signing with SignTool from the command line, there are two ways to select the Certificate used for signing: you can let SignTool select one automatically, or you can specify one manually.

Automatically Select Signing Certificate with SignTool

To let SignTool automatically select the Code Signing Certificate to use to sign your program, do the following:

  1. Open a command prompt as an administrator.
  2. Run the following command:

```shell
signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a "c:\path\to\file_to_sign.exe"
```

You should then receive a confirmation that the file was successfully signed and timestamped.

Manually Specify the Code Signing Certificate to use with SignTool

Using the hash value of your Code Signing Certificate lets SignTool know which Certificate to use.

In this case, you will be using the thumbprint value of your Code Signing Certificate. You must remove all spaces from the thumbprint value; it won't work if you don't. Replace the THUMBPRINT-HERE placeholder with your certificate's SHA-1 hash.

```shell
signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /sha1 THUMBPRINT-HERE "c:\path\to\file_to_sign.exe"
```
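The manual selection step can be wrapped in a script that cleans the pasted thumbprint, confirms it matches a valid code signing certificate, signs, and then checks the result. This is an added example, not part of the original guide. It assumes signtool.exe is on PATH and that the token's certificate is visible in the Cert:\CurrentUser\My store while the eToken is plugged in; the parameter names are illustrative.

```powershell
# Added example (not from the original guide): sign with an explicit thumbprint and verify.
# Assumptions: signtool.exe is on PATH; the eToken certificate appears in Cert:\CurrentUser\My.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,  # as pasted; spaces are tolerated
    [Parameter(Mandatory)] [string] $FilePath
)

# Remove whitespace and invisible Unicode format characters that can be picked up
# when copying the thumbprint from the certificate details dialog.
$clean = ($Thumbprint -replace '[\s\p{Cf}]', '').ToUpperInvariant()
if ($clean -notmatch '^[0-9A-F]{40}$') {
    throw "Thumbprint must be 40 hex characters (SHA-1); got '$clean'."
}

# Confirm the thumbprint belongs to a code signing certificate that is currently valid,
# so a wrong or expired certificate is caught before anything is signed.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object Thumbprint -eq $clean
if (-not $cert) {
    throw "No code signing certificate with thumbprint $clean in CurrentUser\My."
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate '$($cert.Subject)' is outside its validity period."
}

# Sign with the same options as the command in this guide.
& signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /sha1 $clean $FilePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)." }

# Verify the Authenticode signature against the default authentication policy.
& signtool verify /pa /v $FilePath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit code $LASTEXITCODE)." }

# Cross-check: signature is valid, made by the intended certificate, and timestamped.
$sig = Get-AuthenticodeSignature -FilePath $FilePath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Thumbprint -ne $clean) {
    throw "File was signed by $($sig.SignerCertificate.Thumbprint), expected $clean."
}
if (-not $sig.TimeStamperCertificate) {
    throw "Signature has no timestamp; it will stop validating when the certificate expires."
}
"Signed and timestamped: $FilePath"
```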

You can view more options available to SignTool in Microsoft's SignTool Documentation.


Written by
Paul Baka

