Sign with Signtool (via a certificate on a cryptographic token)

To sign a Microsoft .CAB .EXE .DLL component, use the instructions here under.

Signing with Signtool

The following command will allow you to sign your executable using the certificate:

C:\Program Files\Microsoft Platform SDK\Bin> sign /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "ORGANIZATION NAME" "C:\path\to\FILE_TO_SIGN.exe"

sign is the signature instruction.

Enter your Token Password. If the signing is successful you will see a prompt informing you so.

Most popular SignTool options

• /n: Organization Name: Must be the same (or a substring) as the CN field of your certificate.
• /fd: allows you to choose the signature algorithm. The default is SHA256.
• /td and /tr: respectively dedicated to the timestamp server according to RFC 3161 and the hashing algorithm used by the latter. The server provided in this example is the Sectigo timestamp server. For GlobalSign certificates, you can use the following server: http://timestamp.globalsign.com/tsa/r6advanced1

Check a signature

To check a signature:

C:\Program Files\Microsoft Platform SDK\Bin> signtool.exe verify /v /pa C:\path\to\FILE_TO_SIGN

Signtool wizard mode

You can also use signtool with the wizard (only with signtool v6.0 or lower).

To do this, start it with :

C:\Program Files\Microsoft Platform SDK\Bin> signtool signwizard

See Microsoft official documentation

External links

• Signtool official documentation
• Signtool Usage Examples
• Sectigo documentation
• GlobalSign documentation


• Microsoft TechNet: Authenticode
• MSDN: How to sign Visual Basic or Visual C# (smart devices) applications


• Double executable signing
• Windows Code Signing