Sign with signtool (registry / Vista and following)

Signing with the wizard (only with signtool v6.0 and earlier versions)

Follow the procedure below to sign Windows .CAB, .EXE, .DLL, .OCX and .XAP components.

Prerequisites: your certificate and its private key are installed in the Windows certificate store (the current user's Personal store, which is kept in the registry), for example through an installation via IE7 under Vista.
  1. Launch the signing wizard:
     C:\Program Files\Microsoft Platform SDK\Bin> signtool signwizard
  2. Select the file you want to sign
  3. Select Typical (not Custom)
  4. Click "Select from store"
  5. Select your certificate
  6. In the timestamping section, enter http://timestamp.digicert.com?alg=sha256
  7. Verify that all of the information is correct and click Finish

Signtool CLI usage

It is also possible to sign with signtool using the command line.

signtool sign /as /n "CERTIFICATE_NAME" /tr http://timestamp.digicert.com?alg=sha256 /td SHA256 /fd SHA256 "PATH_TO_EXECUTABLE"
The /n argument selects your certificate by its subject name (a substring of the subject is enough). The certificate, together with its private key, must be in the current user's Personal store.

The /fd argument selects the digest algorithm used to hash the file before signing. Old versions of signtool default to SHA1 when it is omitted; recent versions warn or refuse to sign without it, so always pass /fd SHA256 explicitly.

/as appends the new signature to any signature the file already carries instead of replacing it; if the file is not signed yet, the appended signature simply becomes the primary signature.

The /tr argument gives the URL of an RFC 3161 timestamp server and /td the digest algorithm the timestamp server must use; a trusted timestamp keeps the signature valid after the certificate expires. The example server is DigiCert's. For GlobalSign certificates, you can use the following server: http://timestamp.globalsign.com/?signature=sha2 .

Dual signing (SHA1 + SHA2)

It is also possible to sign your binaries with both SHA1 and SHA2 to guarantee maximal compatibility with systems that cannot validate SHA-2 signatures (Windows XP, or Windows 7 without update KB3033929). This only works for PE binaries (.exe, .dll, ...) and not for .msi installers, which can hold a single signature. To do so, simply execute the two following commands, in this order:

signtool sign /n "CERTIFICATE_NAME" /t http://timestamp.digicert.com?alg=sha1 /fd SHA1 "PATH_TO_EXECUTABLE"


signtool sign /as /n "CERTIFICATE_NAME" /tr http://timestamp.digicert.com?alg=sha256 /td SHA256 /fd SHA256 "PATH_TO_EXECUTABLE"
The first command creates the SHA1 signature, which stays the primary signature for legacy systems; the second appends (/as) the SHA256 signature as a nested signature, which recent Windows versions validate. The timestamp server for the SHA1 signature uses Microsoft's (Authenticode) format via /t; the SHA256 signature uses RFC 3161 via /tr. The example is valid for DigiCert certificates.

For Globalsign certificates, you can use the following servers:
Microsoft format : http://timestamp.globalsign.com/scripts/timstamp.dll
RFC 3161 : http://timestamp.globalsign.com/?signature=sha2
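The following PowerShell script is an added example (not code from the TBS page) that automates the two commands above and then checks that the file really carries both signatures; it also covers the single-signature case of the "Signtool CLI usage" section, since the second command alone is that case. It assumes signtool.exe from the Windows SDK is on PATH, that the certificate is in the current user's Personal store, that the timestamp URLs are the DigiCert ones quoted on the page, and that "signtool verify /v" prints one "Hash of file (<algorithm>):" line per signature, which is what current SDK versions do.

```powershell
# Added example, not part of the TBS page.
# Assumptions: signtool.exe (Windows SDK) on PATH; certificate in Cert:\CurrentUser\My;
# DigiCert timestamp URLs as on the page.

function Invoke-SignTool {
    # Runs signtool with an argument array and turns a non-zero exit code into an error.
    param([Parameter(Mandatory)] [string[]] $Arguments)
    & signtool.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

function Invoke-DualSign {
    param(
        [Parameter(Mandatory)] [string] $Path,       # PE file (.exe, .dll, ...)
        [Parameter(Mandatory)] [string] $CertName,   # subject name passed to /n
        [string] $Sha1Tsa   = 'http://timestamp.digicert.com?alg=sha1',
        [string] $Sha256Tsa = 'http://timestamp.digicert.com?alg=sha256'
    )
    # MSI packages hold a single signature: refuse rather than silently overwrite.
    if ([IO.Path]::GetExtension($Path) -ieq '.msi') {
        throw 'MSI packages cannot hold two signatures; sign .msi once with /fd SHA256 only'
    }
    # 1. Primary SHA1 signature, Authenticode (Microsoft-format) timestamp via /t.
    Invoke-SignTool @('sign', '/n', $CertName, '/t', $Sha1Tsa, '/fd', 'SHA1', $Path)
    # 2. Appended (/as) SHA256 signature, RFC 3161 timestamp via /tr and /td.
    Invoke-SignTool @('sign', '/as', '/n', $CertName, '/tr', $Sha256Tsa,
                      '/td', 'SHA256', '/fd', 'SHA256', $Path)
}

function Get-SignatureDigests {
    # Lists the file digest algorithm of every signature on the file.
    # /all verifies every signature (not just the primary one), /pa applies the
    # default Authenticode policy, /v prints one "Hash of file (algo):" line per signature.
    param([Parameter(Mandatory)] [string] $Path)
    $out = & signtool.exe verify /pa /all /v $Path | Out-String
    if ($LASTEXITCODE -ne 0) { throw "signature verification failed for $Path" }
    [regex]::Matches($out, 'Hash of file \((\w+)\)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-DualSigned {
    # True only when a SHA1 and a SHA256 signature are both present and verify.
    param([Parameter(Mandatory)] [string] $Path)
    $digests = @(Get-SignatureDigests -Path $Path)
    ($digests -contains 'sha1') -and ($digests -contains 'sha256')
}

# Example invocation (adjust the certificate name and the path):
# Invoke-DualSign -Path .\app.exe -CertName 'My Company Ltd'
# Test-DualSigned -Path .\app.exe
```

Get-AuthenticodeSignature only reports the primary signature, which is why the check goes through "signtool verify /all": without /all a file that lost its nested SHA256 signature (for example after being re-signed without /as) would still look fine.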

Renewal case (identical CN)

If you have several certificates with the same CN (typically the old one and its renewal), /n matches all of them and signtool may not pick the one you intend. To remove the ambiguity, identify the certificate explicitly with the /sha1 parameter followed by its SHA1 thumbprint (shown in the Details tab of the certificate in certmgr.msc, or by Get-ChildItem Cert:\CurrentUser\My in PowerShell). This thumbprint is only a fingerprint of the certificate; it has nothing to do with the file digest chosen by /fd.

signtool sign /as /n "CERTIFICATE_NAME" /tr http://timestamp.digicert.com?alg=sha256 /td SHA256 /fd SHA256 /sha1 YOUR_CERTIFICATE_SHA1_THUMBPRINT "PATH_TO_EXECUTABLE"
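As an added example (not from the TBS page), the PowerShell functions below resolve the renewal ambiguity automatically: among the certificates whose subject carries the given CN, they keep only those that are currently valid, have a private key and the Code Signing extended key usage, pick the one expiring last, and pass its thumbprint to /sha1. They assume signtool.exe is on PATH and that the certificates are in Cert:\CurrentUser\My; the function names are the example's own.

```powershell
# Added example, not part of the TBS page.
# Assumptions: signtool.exe on PATH; certificates in Cert:\CurrentUser\My.

function Select-SigningCertificate {
    # Returns the best code-signing certificate for a CN, or throws if none qualifies.
    param([Parameter(Mandatory)] [string] $CommonName)
    $now = Get-Date
    # Match "CN=<name>" as a whole RDN, not as a prefix of a longer name.
    $pattern = 'CN=' + [regex]::Escape($CommonName) + '(,|$)'
    $candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.Subject -match $pattern -and
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        # EnhancedKeyUsageList is added by the Cert: provider; 1.3.6.1.5.5.7.3.3 = Code Signing.
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.3')
    }
    if (-not $candidates) {
        throw "no valid code-signing certificate with CN=$CommonName and a private key"
    }
    # Several matches (old + renewed): keep the one that expires last.
    $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Invoke-SignWithThumbprint {
    # Signs one file with the selected certificate, pinned by its SHA1 thumbprint.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $CommonName,
        [string] $Tsa = 'http://timestamp.digicert.com?alg=sha256'
    )
    $cert = Select-SigningCertificate -CommonName $CommonName
    Write-Host ("Signing {0} with thumbprint {1} (expires {2})" -f $Path, $cert.Thumbprint, $cert.NotAfter)
    # /sha1 pins the exact certificate, so /n is no longer needed to disambiguate.
    & signtool.exe sign /as /sha1 $cert.Thumbprint /tr $Tsa /td SHA256 /fd SHA256 $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }
    $cert.Thumbprint
}

# Example invocation (adjust the CN and the path):
# Invoke-SignWithThumbprint -Path .\app.exe -CommonName 'My Company Ltd'
```

Choosing the certificate by expiry date is a policy decision: if the renewed certificate was issued under a different intermediate CA or key, a file signed with it may chain differently on the target systems, so check the chain once with "signtool verify /pa /v" after the first signature made with the new thumbprint.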

External links