Skip to main content

Sign Authenticode files with SignTool using KSP library

SignTool is a command-line tool provided by Microsoft as part of the Windows SDK (Software Development Kit). It is used to digitally sign files, including executable files, libraries (DLLs), drivers, installer packages, and other types of files on the Windows operating system.

Follow these instructions to sign directly using SignTool and securely reference your private key stored in Software Trust Manager

Prerequisites

Sign

You can sign a file with SignTool using either of the following:

  • Download a copy of certificate

  • Certificate fingerprint

Sign with certificate

To sign, run:

signtool.exe sign /csp "DigiCert Signing Manager KSP" /kc <keypair_alias> /f <certificate_file> /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 <file_to_be_signed> 

Command sample:

signtool.exe sign /csp "DigiCert Signing Manager KSP" /kc key1 /f example.crt /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 signthis.util.exe  

Sign with certificate fingerprint

Sync certificates (Windows only)

Before attempting to sign with Signtool, Mage, and NuGet using the certificate fingerprint, run this command to sync your certificates to the Windows certificate store.

To sync the default certificate associated with the specified keypair alias:

smctl windows certsync --keypair-alias=<keypair alias>

Note

For more information refer to the Windows command manual.

To sign, run:

signtool.exe sign /sha1 <certificate thumbprint> /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 <file to be signed> 

Command sample:

signtool.exe sign /sha1 3550ffca3cd652dde30675ce681ev1e01073e647 /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 example.exe 

To sign, run the following PowerShell command:

$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {$_.FriendlyName -like "<CERTIFICATE ALIAS>"} 

$thumbprint = $cert.Thumbprint 

Write-Host($cert.Thumbprint)  

signtool.exe sign /sha1 <certificate thumbprint> /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 <file to be signed> 

Verify a signature

To verify a signed file:

signtool verify /v /pa <signed file>

Command sample:

signtool verify /v /pa ws.util.exe

Note

Signature verification may result in errors during test signing due to signing with test CAs.