Code Signing Certificate for Microsoft Authenticode Instructions

General Information ID:    INFO190    Updated:    02/22/2016

Description

The following instructions help you get started. If you need more information, contact your browser or OS platform vendor directly.
 
STEP BY STEP OVERVIEW
 
Step 1: Download Signing Tools
 
The Platform SDK for Microsoft Windows contains the information and tools you need to develop Windows-based applications. You can use this SDK to develop both 32- and 64-bit applications. Make sure that you are running the most current version of the SDK.
 
Windows NT and Windows Me/98/95: SignTool.exe is not supported.
 
The Windows Software Development Kit (SDK) is available for download from Microsoft.
 
To install only the minimal tools needed to sign files, select just the Tools and Redistributable Components of the Microsoft Windows Core SDK when you run the installer.
 
Step 2: Operating System Overview
 
Windows Server 2003
To sign, use the SIGNTOOL.EXE utility. The SignTool tool is a command-line tool that digitally signs files, verifies signatures in files, or time stamps files. For information about why signing files is important, see Introduction to Code Signing. The tool is installed in the \Bin folder of the Microsoft Windows Software Development Kit (SDK) installation path.
 
SignTool is available as part of the Windows SDK (see Step 1).
You will also need your Digital ID. Older credentials were issued as a Software Publisher Certificate file (generally called MyCredentials.spc) plus a separate private key file (MyPrivateKey.pvk); SignTool expects a PFX file instead, and pvk2pfx.exe from the same SDK \Bin folder combines the .spc and .pvk pair into one PFX.

Windows Vista/Windows 7
To sign, use the SIGNTOOL.EXE utility. The SignTool tool is a command-line tool that digitally signs files, verifies signatures in files, or time stamps files.
 
SignTool is available as part of the Windows SDK (see Step 1).
Your Digital ID installs into the Personal certificate store of the Windows user account (visible in Internet Explorer under Internet Options > Content > Certificates, or in certmgr.msc), which is the store SignTool reads with /s MY.

Windows Vista/7/2008 Windows Hardware Quality Labs (WHQL)
Please refer to this Knowledge Base Solution SO5820.
 
Step 3: Signing Files by Operating System

Go to: Start > Run
  1. Type CMD > click OK
  2. At the command prompt, change to the directory where signtool exists
    Note: The tool is installed in the \Bin folder of the Microsoft Windows Software Development Kit (SDK) installation path
  3. Run one of the following (both select the certificate from the Personal store by its Common Name):

    SHA-1 with Authenticode Timestamp
    signtool.exe sign /a /s MY /n "Common name" /fd sha1 /t http://timestamp.verisign.com/scripts/timstamp.dll /v "<file to be signed>"

    SHA-256 with RFC 3161 Timestamp
    signtool.exe sign /a /s MY /n "Common name" /fd sha256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp /v "<file to be signed>"

    Note: Replace "Common name" with the Common Name (CN) of your code signing certificate, and <file to be signed> with the name of the file you will be signing.

    Note: If you are signing with a certificate stored in a password-protected PFX file, use the arguments /f YourCertFileName.pfx /p <password> in place of /a /s MY /n "Common name". Replace <password> with the password specified when the PFX file was created (omit /p if no password was set). Because the password then appears on the command line, keep such commands out of shared scripts and shell history.

    Note: The SHA-1 timestamping URL is http://timestamp.verisign.com/scripts/timstamp.dll
                (The timstamp.dll filename, with no "e", is required to conform to the old 8.3 MS-DOS naming convention.)

    The SHA-1 with RFC 3161 timestamping URL is http://timestamp.geotrust.com/tsa

    The SHA-256 with RFC 3161 timestamping URL is http://sha256timestamp.ws.symantec.com/sha256/timestamp

For dual code signing instructions with SHA-1 & SHA-2 hashing algorithm, refer to INFO2274.
Note: Windows 7 and Windows Server 2008 R2 can validate SHA-2 code signatures only after the operating system update described in Microsoft Security Advisory 3033929 (available from Microsoft TechNet) has been installed; earlier Windows versions cannot validate them at all, which is why SHA-1 signatures are still shown above for legacy clients.
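The signing procedure above, with the SHA-1 and SHA-256 signatures and their timestamps combined on one file, as an added PowerShell example. This script is not part of the original article and is not Symantec or Microsoft code; it assumes SignTool from the Windows 8.1 SDK or later (needed for the /as and /td switches), that the SDK's default installation path pattern is where signtool.exe is found when it is not already on PATH, and that the retry count and delays are reasonable for your timestamp server. The timestamp URLs are the ones given above; the file, PFX and Common Name values are placeholders to replace.

```powershell
# Added example (not from the original KB article): dual-sign a file with SignTool.
# SHA-1 is applied first for legacy clients, then a SHA-256 signature is appended
# with /as so the first signature is kept rather than overwritten.
param(
    [Parameter(Mandatory)] [string] $File,      # e.g. .\setup.exe (placeholder)
    [string] $PfxPath,                          # optional: sign from a PFX file instead of the MY store
    [string] $PfxPassword,
    [string] $CommonName,                       # optional: CN to pick from the MY store (/n)
    [string] $Sha1Tsa   = 'http://timestamp.verisign.com/scripts/timstamp.dll',
    [string] $Sha256Tsa = 'http://sha256timestamp.ws.symantec.com/sha256/timestamp'
)

$ErrorActionPreference = 'Stop'

function Get-SignTool {
    $cmd = Get-Command signtool.exe -ErrorAction SilentlyContinue
    if ($cmd) { return $cmd.Source }
    # Assumed fallback: the default Windows SDK layout; newest version folder sorts last.
    $candidates = Get-ChildItem "${env:ProgramFiles(x86)}\Windows Kits\*\bin\*\x64\signtool.exe" -ErrorAction SilentlyContinue |
        Sort-Object FullName -Descending
    if ($candidates) { return $candidates[0].FullName }
    throw 'signtool.exe not found; install the Windows SDK tools (Step 1).'
}

# Certificate selection: a PFX file (/f, /p) or the best certificate in the Personal store (/a /s MY [/n])
function Get-CertArgs {
    if ($PfxPath) {
        $a = @('/f', $PfxPath)
        if ($PfxPassword) { $a += @('/p', $PfxPassword) }
        return $a
    }
    $a = @('/a', '/s', 'MY')
    if ($CommonName) { $a += @('/n', $CommonName) }
    return $a
}

# Timestamp servers are rate limited and occasionally unavailable; a failed timestamp
# fails the whole sign operation, so retry before giving up.
function Invoke-SignTool {
    param([string[]] $Arguments, [int] $Retries = 3)
    for ($i = 1; $i -le $Retries; $i++) {
        & $signtool @Arguments
        if ($LASTEXITCODE -eq 0) { return }
        Write-Warning "signtool exit code $LASTEXITCODE (attempt $i of $Retries)"
        Start-Sleep -Seconds (5 * $i)
    }
    throw "signtool failed after $Retries attempts: $($Arguments -join ' ')"
}

$signtool = Get-SignTool
$certArgs = Get-CertArgs

# 1. Primary SHA-1 signature with an Authenticode (/t) timestamp, for XP and un-patched Windows 7 clients
Invoke-SignTool -Arguments (@('sign') + $certArgs + @('/fd', 'sha1', '/t', $Sha1Tsa, '/v', $File))

# 2. Appended (/as) SHA-256 signature with an RFC 3161 timestamp; /td sha256 keeps the
#    timestamp digest at SHA-256 too (it defaults to SHA-1 otherwise)
Invoke-SignTool -Arguments (@('sign') + $certArgs + @('/as', '/fd', 'sha256', '/tr', $Sha256Tsa, '/td', 'sha256', '/v', $File))

# 3. Verify every signature on the file (/all) under the default Authenticode policy (/pa)
Invoke-SignTool -Arguments @('verify', '/pa', '/all', '/v', $File) -Retries 1
```

Run it from a PowerShell prompt, for example .\Sign-Dual.ps1 -File .\setup.exe -CommonName "Your Company" or with -PfxPath and -PfxPassword. Without /as the second sign command would replace the first signature, so the order (SHA-1 first, SHA-256 appended) matters; signtool verify /all at the end confirms both signatures are present and valid.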
 
Verify Your Signature
 
The Platform SDK SIGNTOOL.EXE utility contains a command to check a digital signature before distributing your file.
  1. Go to: Start > Run
  2. Type CMD > click OK
  3. At the command prompt, change to the directory where signtool exists
  4. Run the following:

    signtool verify /pa /v "your-file-name"

    Note: Replace "your-file-name" with the name of the file you signed

These examples use several of the arguments that SignTool supports.

  • sign: Configures the tool to sign the intended file
  • verify: Verifies the digital signature of files by determining whether the signing certificate was issued by a trusted authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate is valid for a specific policy.
  • /a: Automatically selects the best signing certificate. SignTool will find all valid certificates that satisfy all specified conditions and select the one that is valid for the longest time. If this option is not present, SignTool expects to find only one valid signing certificate.
  • /f: Specifies the signing certificate in a file. Only the Personal Information Exchange (PFX) file format is supported
  • /fd: Specifies the file digest algorithm to use for creating file signatures. The default is SHA1.
  • /n: Specifies the Common Name of a certificate. Use this option if you have certificates issued to more than one organization in your certificate store.
  • /p: If the file is in PFX format protected by a password, use the /p option to specify the password
  • /pa: Specifies that the Default Authentication Verification Policy (the Authenticode policy Windows applies to downloaded executables) is used instead of the stricter Windows driver policy.
  • /s: Specifies the certificate store to search. The Personal store, where an imported Digital ID lands, is named MY.
  • /t: Specifies that the digital signature will be timestamped by the Time-Stamp Authority (TSA) indicated by the URL
  • /tr: Specifies the URL of the RFC 3161 time stamp server. This option cannot be used with the /t option. When signing with /fd sha256, also pass /td sha256 so the timestamp request uses SHA-256 rather than the default SHA-1.
  • /v: Specifies the verbose option for successful execution and warning messages.
     


For more information, refer to the following document from the Microsoft knowledge base:
Using SignTool to Sign a File:  http://msdn.microsoft.com/en-us/library/aa388170

 

When a code-signed file is downloaded from a Web site using Internet Explorer, the publisher name from the certificate is displayed to the user. If the file is modified in any way after it has been signed, the hash embedded in the signature no longer matches the file; Windows then reports the signature as invalid and the user is warned and given the option to refuse the installation.
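To see that check from the publisher's side, the following added PowerShell example (not part of the original article) reads the signature status of a signed file with the built-in Get-AuthenticodeSignature cmdlet, then makes a copy with a single byte changed and shows the status become HashMismatch. It assumes the file is a signed PE (exe, dll or sys) and that byte offset 0x1000 lies inside a code section rather than in the headers or the certificate table, which holds for typical binaries built with the default file alignment; the offset and the temporary file name are assumptions, not values from the article.

```powershell
# Added example (not from the original KB article): verify a signed file, then prove
# that modifying one byte after signing invalidates the signature.
param([Parameter(Mandatory)] [string] $File)   # e.g. .\setup.exe (placeholder)

$ErrorActionPreference = 'Stop'

function Show-Signature {
    param([string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status values: Valid, NotSigned, HashMismatch (file changed after signing),
    # NotTrusted (chain does not end in a trusted root), UnknownError, ...
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    $tsa = ''
    if ($sig.TimeStamperCertificate) { $tsa = $sig.TimeStamperCertificate.Subject }
    [pscustomobject]@{
        File      = Split-Path -Leaf $Path
        Status    = $sig.Status
        Signer    = $signer
        Timestamp = $tsa
    }
}

$original = Show-Signature -Path $File
$original | Format-List

# Tampered copy: invert one byte inside the first section (assumed offset 0x1000).
$copy   = Join-Path $env:TEMP ('tampered-' + (Split-Path -Leaf $File))
$bytes  = [System.IO.File]::ReadAllBytes($File)
$offset = 0x1000
if ($bytes.Length -le $offset) { throw 'File too small for the assumed tamper offset' }
$bytes[$offset] = $bytes[$offset] -bxor 0xFF
[System.IO.File]::WriteAllBytes($copy, $bytes)

$tampered = Show-Signature -Path $copy
$tampered | Format-List

# A valid original must turn into HashMismatch once its content changes; anything else
# (for example NotSigned) means the modified offset hit the certificate table instead.
if ($original.Status -eq 'Valid' -and $tampered.Status -ne 'HashMismatch') {
    Write-Warning "Expected HashMismatch on the tampered copy, got $($tampered.Status)"
}
Remove-Item $copy
```

signtool verify /pa /v on the tampered copy reports the same failure ("The digital signature of the object did not verify"), so either tool can be used in a release pipeline as a gate before files are published.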
 

To have your signatures recognized by all versions of Windows including Vista and 7:
 
On 64-bit Windows Vista and Windows 7 the signing process for kernel-mode code (drivers) has changed. Such code cannot simply be signed; the signature must also be "cross-signed", meaning the certificate chain is extended with a cross-certificate provided by Microsoft so that it links to the Microsoft Code Verification Root trusted by the kernel-mode loader. The chain is added to the signature with SignTool's /ac option, which takes the cross-certificate file.
 
For instructions on how to sign code for use in Windows Vista 64-bit and Windows 7, please follow the signing instructions from the following solution: SO5820
 
Note: Code signed using the cross-signing method is recognized on all versions of Windows. It is therefore not required to create separately signed versions of the code for use on Windows 2000 - XP and Windows Vista/7.
 
 
Related Information
 
For more information about signing see the Microsoft Developer Network Website.
