SignTool
SignTool is a command-line tool provided by Microsoft as part of the Windows SDK (Software Development Kit). It is used to digitally sign files, including executable files, libraries (DLLs), drivers, installer packages, and other types of files on the Windows operating system.
Integrate signtool.exe with Sign Manager Controller (SMCTL) for simplified signing. Alternatively, you can sign directly with SignTool and reference your private key stored in DigiCert® KeyLocker.
Suggerimento
SignTool is only compatible for signing on Windows.
What can SignTool be used to sign?
Two versions of SignTool exist, these versions can be used to sign different types of files:
.appx
.appxbundle
.arx
.cab
.cat
.cbx
.cpl
.crx
.dbx
.deploy
.dll
.drx
.efi
.exe
.js
.msi
.msix
.msixbundle
.msm
.msp
.ocx
.psi
.psm1
.stl
.sys
.vbs
.vsix
.vxd
.wsf
.xap
.xsn
Download SignTool
SignTool is included in the Windows Software Development Kit (SDK). The Windows SDK additionally contains NuGet and Mage which may be used to sign other file types.
To install the Windows SDK:
Download the Windows SDK.
Run the winsdksetup.exe file that was downloaded.
Follow the instructions in the wizard to complete the installation.
Suggerimento
SignTool (64-bit) will be located in the file path:
C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64
SignTool (32-bit) will be located in the file path:
C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x86
Recommendation
Both versions of SignTool are named signtool.exe, we suggest that you copy and paste the 32-bit version into a different file path and rename it to signtool_32.exe so that you are aware of what version you are signing with.
Set PATH environment variable
Operating systems use the environment variable called PATH to determine where executable files are stored on your system. Use the PATH environment variable to store the file path to your signing tools to ensure that the CLI can reference these signing tools.
You can set the PATH environment variable to signtool.exe using command line or environment variables.
To set the path to your signing tools via command line:
set PATH=%path%;<path to signing tool folder>
Command sample:
set PATH=%path%;C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\
To set the path to your signing tools for your system or account:
Search for environment variables in the Windows start menu.
Select Edit environment variables for your account or Edit system environment variables.
Double click on the Path variable.
Click New.
Select Browse.
Select the path to the signing tool.
Example:
C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\
Click OK to save the path.
Click on OK to close the dialog.
Download and register KSP library
SignTool integrates with our KSP library to sign.
Follow these instructions to download and register DigiCert® KeyLocker KSP library.
Sign with SignTool
You can sign with SignTool directly or via DigiCert's signing tools integrated with SignTool: