How To - Add A Digital Signature To Executables
First we will install the certificate with key we’ll use to sign code.
Double-click the file and let the wizard do its work with the default
option:
1 of 10 7/31/17, 9:58 PM
Because the wizard will also install the root CA certificate found in
the PKCS12 file, it will ask you if you trust it.
Now start signtool from a command-line like this: signtool
signwizard.
For the purposes of this howto, we’ll sign notepad.exe. When you
sign an executable that is already signed, the existing signature is
overwritten. Note that Microsoft does not sign notepad.exe with an
embedded signature; it uses a security catalog instead.
We’ll use the default options presented by the wizard (except for
the timestamp):
Select the certificate with key we installed: use Select from Store...
By default, the signature doesn’t include a timestamp signed by an
external authority (a counter-signature). It’s easy to add one, for
example using Verisign’s timestamp service:
http://timestamp.verisign.com/scripts/timstamp.dll (of course, using
this option requires Internet access).
Finally, click finish for the wizard to do its work:
This certificate is OK because we installed the root CA certificate in
our certificate store. But if you check this signature on another
machine or with another account (which doesn’t trust our root CA),
we’ll get a warning that although the signature is valid, we don’t
trust the root CA:
If you didn’t make a backup of notepad.exe and want to remove the
signature, use my digital signature tool disitool.
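
To confirm whether a file carries an embedded signature (as opposed to catalog signing, noted above for notepad.exe) before and after signing or removing one, you can read the PE Certificate Table directly. The following is an added example, not code from this howto or from disitool; the function names embedded_signature and sample_pe are assumptions, and the sample header bytes are constructed.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData

def embedded_signature(pe: bytes):
    """Return None when the PE has no embedded signature, otherwise a dict
    describing the first WIN_CERTIFICATE in the Certificate Table."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20               # optional header follows 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)        # PE32 vs PE32+
    (count,) = struct.unpack_from("<I", pe, dirs - 4)   # NumberOfRvaAndSizes
    if count <= 4:
        return None
    # Directory index 4 is the Certificate Table; its address is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    if offset == 0 or size == 0:
        return None                       # unsigned, or signed only through a catalog
    if size < 8 or offset + size > len(pe):
        raise ValueError("Certificate Table points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    return {"offset": offset, "size": size, "length": length,
            "revision": revision,
            "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA}

def sample_pe(blob: bytes = b"") -> bytes:
    """Constructed minimal PE32 headers (not a runnable program); a non-empty
    blob is wrapped in a WIN_CERTIFICATE and referenced from directory 4."""
    opt = bytearray(224)                  # 96 fixed bytes + 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)   # NumberOfRvaAndSizes
    cert = b""
    if blob:
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        struct.pack_into("<II", opt, 128, 312, len(cert))  # headers end at byte 312
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    return dos + b"PE\0\0" + coff + bytes(opt) + cert

if __name__ == "__main__":
    print(embedded_signature(sample_pe()))                          # no embedded signature
    print(embedded_signature(sample_pe(b"\x30\x82" + b"\0" * 6)))   # constructed entry
```

For a real file, pass its bytes, for example embedded_signature(open(path, "rb").read()). A None result only says there is no embedded signature; it does not tell you whether the file is covered by a catalog.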