Code Signing Certificate for Microsoft Authenticode Instructions

General Information ID:    INFO190    Updated:    12/18/2015

Description

The following instructions help you get started. If you need more information, contact your browser or OS platform vendor directly.
 
STEP BY STEP OVERVIEW
 
Step 1: Download Signing Tools
 
The Platform SDK for Microsoft Windows contains the information and tools you need to develop Windows-based applications. You can use this SDK to develop both 32- and 64-bit applications. Make sure that you are running the most current version of the SDK.
 
Windows NT and Windows Me/98/95: SignTool.exe is not supported.
 
You can find links to download the Windows Software Development Kit (SDK) here.
 
To install only the minimal tools needed for signing your files, install just the Tools and Redistributable Components of the Microsoft Windows Core SDK.
 
Step 2: Operating System Overview
 
Windows XP/Windows 2000/Windows 2003
To sign, use the SIGNTOOL.EXE utility. The SignTool tool is a command-line tool that digitally signs files, verifies signatures in files, or time stamps files. For information about why signing files is important, see Introduction to Code Signing. The tool is installed in the \Bin folder of the Microsoft Windows Software Development Kit (SDK) installation path.
 
SignTool is available as part of the Windows SDK, which you can download from http://go.microsoft.com/fwlink/?linkid=84091
You will also need your Digital ID file (generally called MyCredentials.spc) and your private key (MyPrivateKey.pvk).

Windows Vista/Windows 7
To sign, use the SIGNTOOL.EXE utility. The SignTool tool is a command-line tool that digitally signs files, verifies signatures in files, or time stamps files.
 
SignTool is available as part of the Windows SDK, which you can download from http://go.microsoft.com/fwlink/?linkid=84091
Your Digital ID will be installed in the certificate store within Internet Explorer.

Windows Vista/7/2008 Windows Hardware Quality Labs (WHQL)
Please refer to this Knowledge Base Solution SO5820.
 
Step 3: Signing Files by Operating System
 
To have your signatures recognized by Windows XP/Windows 2000/Windows 2003:

  1. Go to: Start > Run
  2. Type CMD > click OK
  3. At the command prompt, change to the directory where signtool exists
     Note: The tool is installed in the \Bin folder of the Microsoft Windows Software Development Kit (SDK) installation path
  4. Run the following:

signtool.exe sign /f mycert.pfx /p "password" /t http://timestamp.verisign.com/scripts/timstamp.dll /v "file to be signed"

Note: Please see the following solution to create the PFX file (mycert.pfx): SO9777. Replace "password" with the password specified when the PFX file was created (omit /p if no password was set). Replace "file to be signed" with the name of the file you will be signing.
Note: The order of the arguments is important when signing the file. Any change to the order given above may result in error messages.

For dual code signing instructions with SHA-1 & SHA-2 hashing algorithm, refer to INFO2274.
Note: SHA-2 code signing support for Windows 7 and Windows Server 2008 R2 is available. The recommended operating system software update is available from Microsoft TechNet: Microsoft Security Advisory 3033929.
 
Verify Your Signature
 
The Platform SDK SIGNTOOL.EXE utility contains a command to check a digital signature before distributing your file.
  1. Go to: Start > Run
  2. Type CMD > click OK
  3. At the command prompt, change to the directory where signtool exists
  4. Run the following:

signtool verify /pa /v "your-file-name"

Note: Replace "your-file-name" with the name of the file you signed.

This example uses several of the arguments that SignTool supports:

  • Sign: Configures the tool to sign the intended file.
  • Verify: Verifies the digital signature of files by determining whether the signing certificate was issued by a trusted authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate is valid for a specific policy.
  • /f: Specifies the signing certificate in a file. Only the Personal Information Exchange (PFX) file format is supported.
  • /n: Refers to the company name in your certificate as it appears in the "ISSUED TO" field of the certificate.
  • /p: Specifies the password to use when opening a PFX file. (Use the /f option to specify a PFX file.)
  • /pa: Specifies that the Default Authenticode Verification Policy should be used. If the /pa option is not specified, SignTool uses the Windows Driver Verification Policy. This option cannot be used with the catdb options.
  • /s: Specifies a certificate store. (If the certificate is imported into the Personal store, the SPC certificate store name is My.)
  • /t: Specifies that the digital signature will be timestamped by the Authenticode Time-Stamp Authority (TSA) indicated by the URL.
  • /v: Specifies the verbose option for successful execution and warning messages.

Note: The Authenticode timestamping URL for Symantec is http://timestamp.verisign.com/scripts/timstamp.dll (The timstamp.dll filename is required to conform to old MS-DOS naming convention).

The RFC 3161 timestamping URL for Symantec is: http://timestamp.geotrust.com/tsa
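The following PowerShell script is an added example for this article; it is not part of the Symantec knowledge base entry or of Microsoft's SDK. It wraps the Step 3 signing command, the "Verify Your Signature" command, and the /f, /p, /s, /n, /t and /pa options from the list above in functions, so that the argument order the article insists on is fixed in one place, /p is omitted when the PFX has no password, every call checks SignTool's exit code, and the verification verdict is also read back through the built-in Get-AuthenticodeSignature cmdlet. The signtool.exe location, the /tr and /td options used for the RFC 3161 URL, and the mycert.pfx and MyApp.exe names in the usage lines are assumptions, not values from the article.

```powershell
# Added example; not from the Symantec article or Microsoft's SDK.
# Assumptions (not in the article): signtool.exe on PATH (or set the SDK \Bin path below),
# and the placeholder PFX/file names in the usage lines at the end.

$SignToolPath    = 'signtool.exe'                                          # assumed location
$AuthenticodeTsa = 'http://timestamp.verisign.com/scripts/timstamp.dll'    # /t URL from the article
$Rfc3161Tsa      = 'http://timestamp.geotrust.com/tsa'                     # RFC 3161 URL from the article

function Invoke-AuthenticodeSign {
    param(
        [Parameter(Mandatory)] [string]$FilePath,
        [string]$PfxPath,          # /f: sign with a PFX file ...
        [string]$PfxPassword,      # /p: emitted only when non-empty (article: omit /p if no password)
        [string]$SubjectName,      # /n: ... or with a certificate in the Personal store (/s My)
        [switch]$Rfc3161           # use an RFC 3161 TSA (/tr, /td) instead of the Authenticode TSA (/t)
    )
    if (-not $PfxPath -and -not $SubjectName) {
        throw 'Specify either -PfxPath (/f) or -SubjectName (/s My /n).'
    }

    # Build the argument list in the order the article gives:
    # sign, certificate selection, password, timestamp, verbose, file.
    $signArgs = @('sign')
    if ($PfxPath) {
        $signArgs += @('/f', $PfxPath)
        if ($PfxPassword) { $signArgs += @('/p', $PfxPassword) }
    } else {
        $signArgs += @('/s', 'My', '/n', $SubjectName)
    }
    if ($Rfc3161) {
        # /tr and /td are SignTool options for RFC 3161 TSAs; they are not shown in the article.
        $signArgs += @('/tr', $Rfc3161Tsa, '/td', 'sha256')
    } else {
        $signArgs += @('/t', $AuthenticodeTsa)
    }
    $signArgs += @('/v', $FilePath)

    & $SignToolPath @signArgs
    if ($LASTEXITCODE -ne 0) {
        throw "signtool sign failed (exit code $LASTEXITCODE) for '$FilePath'"
    }
}

function Test-AuthenticodeSignature {
    param([Parameter(Mandatory)] [string]$FilePath)

    # SignTool check with the default Authenticode policy (/pa), as in the article;
    # without /pa SignTool applies the Windows Driver Verification Policy instead.
    & $SignToolPath verify /pa /v $FilePath
    $signToolOk = ($LASTEXITCODE -eq 0)

    # Cross-check with the built-in cmdlet, which exposes the verdict as an enum
    # (Valid, NotSigned, HashMismatch, NotTrusted, ...) and the timestamp counter-signer,
    # so a build script can branch on the result without parsing console text.
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    [pscustomobject]@{
        File        = $FilePath
        SignToolOk  = $signToolOk
        Status      = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        Timestamped = ($null -ne $sig.TimeStamperCertificate)
    }
}

function Test-TamperDetection {
    # Exercises the "file tampered with after signing" case on a throwaway copy:
    # flipping one byte in the body of a signed file changes the verdict from
    # Valid to HashMismatch, which is what the user-facing warning is based on.
    param([Parameter(Mandatory)] [string]$SignedFilePath)
    $copy = Join-Path $env:TEMP ('tampered-' + (Split-Path $SignedFilePath -Leaf))
    Copy-Item $SignedFilePath $copy -Force
    $bytes = [System.IO.File]::ReadAllBytes($copy)
    $mid = [int]($bytes.Length / 2)            # body of the file, well outside the headers and certificate table
    $bytes[$mid] = $bytes[$mid] -bxor 0xFF
    [System.IO.File]::WriteAllBytes($copy, $bytes)
    $result = Get-AuthenticodeSignature -FilePath $copy
    Remove-Item $copy -Force
    return $result.Status
}

# Usage with placeholder names (mycert.pfx and MyApp.exe are assumed, not real files):
# Invoke-AuthenticodeSign -FilePath .\MyApp.exe -PfxPath .\mycert.pfx -PfxPassword 'password'
# Test-AuthenticodeSignature -FilePath .\MyApp.exe | Format-List
# Test-TamperDetection -SignedFilePath .\MyApp.exe
```

Test-TamperDetection only ever modifies a temporary copy; it exists so that a release pipeline can confirm, on its own signed output, that the verification step actually fails when the body of the file changes, rather than trusting that verification works because it once reported success.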

For more information, refer to the following document from the Microsoft knowledge base:
Using SignTool to Sign a File:  http://msdn.microsoft.com/en-us/library/aa388170

When a code-signed file is downloaded from a Web site using Internet Explorer, it will display this certificate to the user. If the file is tampered with in any way after it has been signed, the user will be notified and given the option to refuse installation.
 

To have your signatures recognized by all versions of Windows including Vista and 7:
 
For Windows Vista 64-bit and Windows 7 the signing process has changed. The code cannot simply be signed, it also needs to be "cross-signed" with a certificate provided by Microsoft.
 
For instructions on how to sign code for use in Windows Vista 64-bit and Windows 7, please follow the signing instructions from the following solution: SO5820
 
Note: Code signed using the cross-signing method will be recognized on all versions of Windows. It is therefore not required to create separately signed versions of the code for use on Windows 2000 - XP and Windows Vista/7.
 
 
Related Information
 
For more information about signing see the Microsoft Developer Network Website.
