Add codesign signature to an executable or a library

Code signing executables and DLLs with signtool.exe - Authenticode SHA256

Code signing is essential for distributing Windows executables and libraries professionally. It proves the software's origin, ensures the binary hasn't been tampered with, and eliminates SmartScreen warnings for end users. This guide covers everything you need to sign your .exe and .dll files using signtool.exe — the standard Windows SDK tool for Authenticode signing.

Prerequisites

  • A valid code signing certificate installed in your Windows certificate store (from Comodo, DigiCert, Sectigo, etc.)
  • signtool.exe — included in the Windows SDK (or Visual Studio installation)
  • The file(s) you want to sign (.exe, .dll, .msi, etc.)

Basic Signing Command

The simplest way to sign a file using a certificate from your personal store:

signtool.exe sign /n "Your Certificate Subject" /fd SHA256 /t http://timestamp.comodoca.com/authenticode filename.dll

Parameters explained:

  • /n "cert subject" — selects the certificate by its subject name from the current user's personal store
  • /fd SHA256 — specifies SHA-256 as the file digest algorithm (required for modern signing)
  • /t — adds a timestamp using a legacy Authenticode timestamp server; the timestamp countersignature keeps the signature valid after the signing certificate expires (use /tr, shown below, for an RFC 3161 timestamp)

Sign with SHA-256 Timestamp (Recommended)

Use /tr instead of /t for a proper RFC 3161 timestamp, which is the modern standard:

signtool.exe sign ^
  /n "Your Certificate Subject" ^
  /fd SHA256 ^
  /tr http://timestamp.sectigo.com ^
  /td SHA256 ^
  filename.exe

Sign with a PFX Certificate File

If your certificate is in a .pfx file rather than the Windows store:

signtool.exe sign ^
  /f "C:\certs\MyCertificate.pfx" ^
  /p "YourPassword" ^
  /fd SHA256 ^
  /tr http://timestamp.sectigo.com ^
  /td SHA256 ^
  filename.exe

Sign Multiple Files at Once

signtool.exe sign /n "Your Certificate Subject" /fd SHA256 /tr http://timestamp.sectigo.com /td SHA256 *.dll *.exe

Verify the Signature

After signing, verify the signature is valid:

signtool.exe verify /pa /v filename.exe

If successful, you'll see: Successfully verified: filename.exe

Common Timestamp Servers

# Sectigo (recommended)
http://timestamp.sectigo.com

# DigiCert
http://timestamp.digicert.com

# Comodo (legacy)
http://timestamp.comodoca.com/authenticode

Summary

Code signing with signtool.exe is straightforward once you have a valid certificate. Always use SHA-256 for the file digest algorithm and include an RFC 3161 timestamp server so your signed binaries remain valid even after the signing certificate expires. For CI/CD pipelines, store the certificate password securely in your secret management system and automate signing as part of your build process.
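As an added example that is not part of the original post, the following PowerShell script wraps the commands above for a build pipeline: it locates signtool.exe in the Windows SDK, signs every .exe and .dll under .\bin with a PFX, falls back to a second timestamp server when the first is unreachable, and verifies that each result carries both a valid signature and a timestamp. The environment variable names SIGN_PFX_PATH and SIGN_PFX_PASSWORD and the .\bin output folder are assumptions; the timestamp URLs are the ones listed in this post.

```powershell
# Added example, not from the original post. Assumes the PFX path and password
# arrive in SIGN_PFX_PATH / SIGN_PFX_PASSWORD (hypothetical names, filled from
# the CI secret store) and that a Windows 10/11 SDK is installed.

# Newest x64 signtool.exe under the Windows Kits directory.
$signtool = Get-ChildItem "${env:ProgramFiles(x86)}\Windows Kits\10\bin\*\x64\signtool.exe" |
    Sort-Object { [version]$_.Directory.Parent.Name } -Descending |
    Select-Object -First 1 -ExpandProperty FullName
if (-not $signtool) { throw 'signtool.exe not found; install the Windows SDK' }

# RFC 3161 servers tried in order; a timestamp authority being briefly
# unreachable is a common reason a signing step fails in CI.
$timestampServers = @('http://timestamp.sectigo.com', 'http://timestamp.digicert.com')

function Sign-Binary {
    param([Parameter(Mandatory)][string]$Path)

    # Skip files that already carry a valid signature instead of overwriting it.
    if ((Get-AuthenticodeSignature -FilePath $Path).Status -eq 'Valid') {
        Write-Host "Already signed: $Path"
        return $true
    }

    foreach ($tsa in $timestampServers) {
        & $signtool sign /f $env:SIGN_PFX_PATH /p $env:SIGN_PFX_PASSWORD `
            /fd SHA256 /tr $tsa /td SHA256 $Path
        if ($LASTEXITCODE -eq 0) { break }
        Write-Warning "Signing with $tsa failed (exit $LASTEXITCODE), trying next server"
    }

    # /pa applies the default Authenticode policy; non-zero exit means the
    # certificate chain, file hash or timestamp did not check out.
    & $signtool verify /pa /v $Path
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Verification failed for $Path"
        return $false
    }

    # Without a timestamp countersignature the signature stops validating
    # when the signing certificate expires, so treat its absence as a failure.
    if (-not (Get-AuthenticodeSignature -FilePath $Path).TimeStamperCertificate) {
        Write-Warning "No timestamp on $Path"
        return $false
    }
    return $true
}

$results = Get-ChildItem .\bin -Include *.exe, *.dll -Recurse |
    ForEach-Object { Sign-Binary $_.FullName }
if ($results -contains $false) { exit 1 }
```

The password still reaches signtool on its command line; importing the PFX into the build agent's store and selecting it with /sha1 avoids that, at the cost of managing the store.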
