Skip To Main Content
Trustzone Logo

Certificates

    Solutions

      Join our Newsletter

      Contact Us

      How to sign files with Microsoft Sign Tool

      Microsoft Sign Tool is a command line tool that can be used to digitally sign files with codesign certificates provided by TRUSTZONE.

      Microsoft Sign Tool is a command line tool that can be used to digitally sign files with codesign certificates provided by TRUSTZONE. The tool is part of the Windows SDK and is installed in the \bin folder of the installation path of the SDK. You can sign with both standard and EV codesign certificates.

      Prerequisites

      You can use the instructions on this page to sign a file with Microsoft Sign Tool.

      • Open Command Prompt (Winkey + R, type CMD and then enter)
      • If Sign Tool has been added to path you should be able to start the tool by writing “signtool” otherwise navigate to the \bin directory of the Windows SDK. (FX. C:\Program Files (x86)\Windows Kits\10\bin\x64)
      • Then use the following command to sign you file:
      signtool sign /a /fd SHA256 /tr http://timestamp.globalsign.com/tsa/r6advanced1 /td SHA256 c:/path/to/your/file

      Note: that if you are using an EV codesign certificate the SafeNet client will prompt you for the token password

      • Verify that your files have been successfully signed by using the following command
      signtool verify /v /pa  c:/path/to/your/file

      Common Sign Tool options:

      /ac – Specify an additional certificate.

      /a – Automatically selects the first available codesign certificate to sign the file from your personal Windows Certificate Store.

      /fd SHA256 – Specify the file digest algorithm used in creating file signatures. SHA256 is the currently recommended one (09/2021)

      /t – Specify a Microsoft Authenticode compatible timestamp server.

      /tr Specify an RFC 3161 compliant trusted timestamp server.

      /td SHA256 – This parameter needs to be called after “/tr”, as the command specifies the TimeStamp Digest Algorithm. SHA256 is currently recommend (09/2021)

      /sha1 Hash – Used to select the signing certificate by the SHA-1 Hash (Thumbprint).

      Note: Timestamping your file is highly recommended as it will allow the signature to stay valid a long time after the certificate itself has expired.

       

      Jon Tittmann

      Vetting/Support Team Lead & OpEx

      Jon has been an integral part of TRUSTZONE for the past six years, during which he has acquired substantial expertise in the cyber security field. As the team leader for our support team, he possesses a profound understanding of the sector, enabling him to resolve even the most complex challenges within the certificate industry effectively.

      Follow us

      Submit Your Technical Queries Here for Expert Assistance!

      We will contact you as soon as possible.

      Please enter your details below.