Signing with Microsoft Sign Tool
Microsoft Sign Tool is a command line tool that can be used to digitally sign files with codesign certificates provided by TRUSTZONE. The tool is part of the Windows SDK and is installed in the \bin folder of the installation path of the SDK. You can sign with both standard and EV codesign certificates.
- Windows 10 SDK https://developer.microsoft.com/windows/downloads/windows-10-sdk/
- Standard codesign certificate or EV codesign certificate with SAC installed and token plugged in
You can use the instructions on this page to sign a file with Microsoft Sign Tool.
- Open Command Prompt (Winkey + R, type CMD and then enter)
- If Sign Tool has been added to PATH, you should be able to start the tool by typing “signtool”; otherwise navigate to the \bin directory of the Windows SDK (e.g. C:\Program Files (x86)\Windows Kits\10\bin\x64).
- Then use the following command to sign your file:
signtool sign /a /fd SHA256 /tr http://timestamp.globalsign.com/tsa/r6advanced1 /td SHA256 c:/path/to/your/file
Note: if you are using an EV codesign certificate, the SafeNet client will prompt you for the token password.
- Verify that your file has been signed successfully by using the following command:
signtool verify /v /pa c:/path/to/your/file
Common Sign Tool options:
/ac – Specify an additional certificate.
/a – Automatically selects the first available codesign certificate to sign the file from your personal Windows Certificate Store.
/fd SHA256 – Specify the file digest algorithm used in creating file signatures. SHA256 is the currently recommended one (09/2021)
/t – Specify a Microsoft Authenticode compatible timestamp server.
/tr – Specify an RFC 3161 compliant trusted timestamp server.
/td SHA256 – This parameter must be given after “/tr”, as it specifies the timestamp digest algorithm. SHA256 is currently recommended (09/2021)
/sha1 Hash – Used to select the signing certificate by its SHA-1 hash (thumbprint).
Note: Timestamping your file is highly recommended, as it allows the signature to remain valid long after the certificate itself has expired.
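The signing and verification steps above, put together as a PowerShell script that selects the certificate by thumbprint (/sha1) instead of /a, timestamps the signature, and then checks that a timestamp counter-signature is actually present. This is an added example, not TRUSTZONE's own script; it assumes signtool.exe is on PATH (or that $SignTool points to it), that the certificate sits in the CurrentUser\My store, and that the SafeNet client is installed when an EV token is used.

```powershell
# Added example (not part of the original page): sign a file with a
# certificate chosen by thumbprint, timestamp it, then verify the result.
# Assumptions: signtool.exe on PATH (or pass -SignTool with the full path),
# certificate present in CurrentUser\My, SafeNet client installed for EV tokens.
param(
    [Parameter(Mandatory)] [string] $FilePath,
    [Parameter(Mandatory)] [string] $Thumbprint,   # SHA-1 thumbprint of the codesign cert
    [string] $SignTool = 'signtool.exe',
    [string] $TimestampUrl = 'http://timestamp.globalsign.com/tsa/r6advanced1'
)

# Fail early if the certificate is not in the personal store. Selecting by
# thumbprint avoids /a silently picking a different cert when several are installed.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in CurrentUser\My" }

# Sign: SHA-256 file digest, RFC 3161 timestamp, SHA-256 timestamp digest.
# /td must be given after /tr.
& $SignTool sign /sha1 $Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 $FilePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify with the default Authenticode policy; a non-zero exit code means the
# signature or its chain did not validate.
& $SignTool verify /v /pa $FilePath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Cross-check from PowerShell: the signature must be Valid and carry a
# timestamp counter-signature, otherwise it expires together with the cert.
$sig = Get-AuthenticodeSignature -FilePath $FilePath
if ($sig.Status -ne 'Valid') { throw "Authenticode status is $($sig.Status)" }
if (-not $sig.TimeStamperCertificate) { throw "File was signed but not timestamped" }
Write-Host "Signed by $($sig.SignerCertificate.Subject); timestamped by $($sig.TimeStamperCertificate.Subject)"
```

Run it as .\Sign-File.ps1 -FilePath C:\path\to\your\file -Thumbprint <thumbprint from certmgr.msc>; with an EV token the SafeNet client will still prompt for the token password during the sign step.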