Sign Authenticode files with SignTool using KSP library
SignTool is a command-line tool provided by Microsoft as part of the Windows SDK (Software Development Kit). It is used to digitally sign files, including executable files, libraries (DLLs), drivers, installer packages, and other types of files on the Windows operating system.
Follow these instructions to sign directly with SignTool while the private key stays in Software Trust Manager: SignTool hands the signing operation to the DigiCert Signing Manager KSP, which performs it with the key held in Software Trust Manager, so the key is never exported to the build machine.
Prerequisites
Windows operating system
Download and configure Software Trust Manager clients
Keypair alias
Download a copy of your certificate or use the certificate fingerprint
Sign
You can sign a file with SignTool using either of the following ways of identifying the certificate:
A downloaded copy of the certificate (/f with the keypair alias)
The certificate fingerprint, that is, its SHA-1 thumbprint (/sha1 after syncing the certificate to the Windows certificate store)
Sign with certificate
To sign, run the following. /csp selects the DigiCert KSP, /kc names the keypair alias whose private key lives in Software Trust Manager, /f supplies the downloaded certificate, /tr requests an RFC 3161 timestamp so the signature remains valid after the certificate expires, and /td and /fd set the timestamp and file digest algorithms:
signtool.exe sign /csp "DigiCert Signing Manager KSP" /kc <keypair_alias> /f <certificate_file> /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 <file_to_be_signed>
Command sample:
signtool.exe sign /csp "DigiCert Signing Manager KSP" /kc key1 /f example.crt /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 signthis.util.exe
Sign with certificate fingerprint
Sync certificates (Windows only)
Before attempting to sign with SignTool, Mage, or NuGet using the certificate fingerprint, run this command to sync your certificates to the Windows certificate store (CurrentUser\My).
To sync the default certificate associated with the specified keypair alias:
smctl windows certsync --keypair-alias=<keypair alias>
Note
For more information refer to the Windows command manual.
To sign, run the following, where <certificate thumbprint> is the certificate's SHA-1 thumbprint as 40 hexadecimal characters with no spaces:
signtool.exe sign /sha1 <certificate thumbprint> /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 <file to be signed>
Command sample:
signtool.exe sign /sha1 3550ffca3cd652dde30675ce681ev1e01073e647 /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 example.exe
Alternatively, look the thumbprint up in the certificate store by the certificate's friendly name and sign in the same PowerShell session:
# Find the synced certificate by friendly name and keep its thumbprint
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.FriendlyName -like "<CERTIFICATE ALIAS>" }
$thumbprint = $cert.Thumbprint
Write-Host $thumbprint
# Pass the thumbprint to SignTool instead of typing it by hand
signtool.exe sign /sha1 $thumbprint /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 <file to be signed>
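The following script is an added example and is not part of the DigiCert documentation or the smctl client. It drives both signing flows described above from one script: with -CertificateFile it uses /csp, /kc and /f with the downloaded certificate; without it, it runs smctl windows certsync, locates the synced certificate in the store and signs with /sha1. It then verifies each file immediately and fails on the first SignTool error, which is what you want in a build pipeline. It assumes signtool.exe and smctl are on PATH, that the Software Trust Manager client is already configured, and (an assumption, matching the lookup snippet above) that the synced certificate's FriendlyName can be matched by -CertificateAlias.

```powershell
# Added example, not from the DigiCert documentation. Signs files through the
# DigiCert Signing Manager KSP using either the certificate file or the synced
# certificate's thumbprint, then verifies each one and fails fast on errors.
# Assumptions: signtool.exe and smctl are on PATH, the KSP client is configured,
# and the synced certificate's FriendlyName matches -CertificateAlias.
param(
    [Parameter(Mandatory)] [string]   $KeypairAlias,                      # e.g. key1
    [Parameter(Mandatory)] [string[]] $Files,                             # files to sign
    [string] $CertificateFile,                                            # e.g. example.crt; omit to sign by thumbprint
    [string] $CertificateAlias = $KeypairAlias,                           # FriendlyName of the synced certificate (assumption)
    [string] $TimestampUrl = 'http://timestamp.digicert.com'
)

$ErrorActionPreference = 'Stop'

function Invoke-Tool {
    # Run an external command and turn a non-zero exit code into a terminating
    # error, so a failed signature cannot slip through a pipeline unnoticed.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe exited with $LASTEXITCODE (arguments: $($Arguments -join ' '))"
    }
}

function Get-SyncedThumbprint {
    # Sync the default certificate for the keypair alias into CurrentUser\My,
    # then return its thumbprint, rejecting ambiguous, malformed or expired results.
    param([string]$Alias, [string]$FriendlyName)
    Invoke-Tool 'smctl' @('windows', 'certsync', "--keypair-alias=$Alias")

    $certs = @(Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.FriendlyName -like $FriendlyName })
    if ($certs.Count -eq 0) {
        throw "No certificate with friendly name '$FriendlyName' in Cert:\CurrentUser\My"
    }
    if ($certs.Count -gt 1) {
        Write-Warning "$($certs.Count) certificates match '$FriendlyName'; using the one that expires last"
    }
    $cert = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1

    # SignTool's /sha1 expects the SHA-1 thumbprint as 40 hex characters, no spaces.
    if ($cert.Thumbprint -notmatch '^[0-9A-Fa-f]{40}$') {
        throw "Unexpected thumbprint format: $($cert.Thumbprint)"
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)"
    }
    return $cert.Thumbprint
}

# Build the part of the SignTool command line that selects the key and certificate.
if ($CertificateFile) {
    if (-not (Test-Path -LiteralPath $CertificateFile)) {
        throw "Certificate file not found: $CertificateFile"
    }
    # Certificate-file flow: the KSP resolves the private key from the keypair alias.
    $selectArgs = @('/csp', 'DigiCert Signing Manager KSP', '/kc', $KeypairAlias, '/f', $CertificateFile)
} else {
    # Thumbprint flow: the synced certificate in the store points SignTool at the KSP key.
    $thumbprint = Get-SyncedThumbprint -Alias $KeypairAlias -FriendlyName $CertificateAlias
    $selectArgs = @('/sha1', $thumbprint)
}

# RFC 3161 timestamp and SHA-256 digests are the same in both flows.
$commonArgs = @('/tr', $TimestampUrl, '/td', 'SHA256', '/fd', 'SHA256')

foreach ($file in $Files) {
    if (-not (Test-Path -LiteralPath $file)) { throw "File to sign not found: $file" }
    Invoke-Tool 'signtool.exe' (@('sign') + $selectArgs + $commonArgs + @($file))
    # Verify right away with the default Authenticode policy so a problem such as
    # an unreachable timestamp server is caught at signing time, not at release.
    Invoke-Tool 'signtool.exe' @('verify', '/v', '/pa', $file)
    Write-Host "Signed and verified: $file"
}
```

Run it as, for example, `.\Sign-WithKsp.ps1 -KeypairAlias key1 -CertificateFile example.crt -Files signthis.util.exe` for the certificate-file flow, or drop -CertificateFile to sign by thumbprint; the script name and file names are placeholders.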
Verify a signature
To verify a signed file, run the following. /pa selects the Default Authenticode Verification Policy (without it SignTool applies the Windows Driver Verification Policy, which most user-mode binaries will not satisfy), and /v prints the signer, its chain and the timestamp details:
signtool verify /v /pa <signed file>
Command sample:
signtool verify /v /pa ws.util.exe
Note
Signature verification may report errors during test signing because the signing certificate chains to a test CA that the verifying machine does not trust; the signature itself can still be well formed, so check the reported reason before treating the file as unsigned.
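The function below is an added example and is not part of the DigiCert documentation. It goes a step beyond the pass/fail result of signtool verify by using PowerShell's built-in Get-AuthenticodeSignature, which applies the default Authenticode verification policy as signtool verify /pa does, and checks the properties a release gate should insist on: a Valid status, the expected signer thumbprint, the Code Signing EKU on the signer certificate, and a timestamp countersignature (the result of /tr above). The expected thumbprint and file path are placeholders; when a test CA is in play, the untrusted chain surfaces here as a non-Valid status with the reason in StatusMessage.

```powershell
# Added example, not from the DigiCert documentation. Verifies an Authenticode
# signature with Get-AuthenticodeSignature and reports every property that matters
# after signing, instead of a bare pass/fail. Thumbprint and path are placeholders.
function Test-SignedFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint   # SHA-1 thumbprint of the signing certificate
    )
    $codeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $problems = @()

    # Chain and policy: anything but Valid is a failure. During test signing an
    # untrusted test CA shows up here, with the reason in StatusMessage.
    if ($sig.Status -ne 'Valid') {
        $problems += "status $($sig.Status): $($sig.StatusMessage)"
    }

    if (-not $sig.SignerCertificate) {
        $problems += 'no signer certificate (file is unsigned)'
    } else {
        $signer = $sig.SignerCertificate
        # Make sure the file was signed with the key we meant, not another
        # certificate that happens to be in the store.
        if ($signer.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
            $problems += "signed by $($signer.Thumbprint), expected $ExpectedThumbprint"
        }
        # The signer must carry the Code Signing EKU; without it Windows rejects the signature.
        $ekuExt = $signer.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekus = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value })
        if ($codeSigningEku -notin $ekus) {
            $problems += 'signer certificate lacks the Code Signing EKU'
        }
    }

    # Without an RFC 3161 countersignature (/tr) the signature is only trusted
    # until the certificate expires; /tr is what populates TimeStamperCertificate.
    if (-not $sig.TimeStamperCertificate) {
        $problems += 'no timestamp countersignature; the signature will not outlive the certificate'
    }

    [pscustomobject]@{
        Path      = $Path
        Ok        = ($problems.Count -eq 0)
        Status    = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Timestamp = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { $null }
        Problems  = $problems
    }
}

# Usage (placeholders): fail the build if anything is wrong with the signature.
$result = Test-SignedFile -Path '.\ws.util.exe' -ExpectedThumbprint '<certificate thumbprint>'
if (-not $result.Ok) {
    $result.Problems | ForEach-Object { Write-Error $_ }
    exit 1
}
$result
```

The check on the signer thumbprint is the one most often missing from pipelines: signtool verify only confirms that some trusted certificate signed the file, while this function confirms it was the certificate you intended to use.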