
blog.didierstevens.com

Howto: Add a Digital Signature to Executables

Signtool.exe is the default Windows development tool to add a digital signature (Authenticode) to Windows executables (PE files). This howto shows you how to use signtool. You’ll need to create your own certificate and key (or buy one) to sign code.

To obtain signtool, download the platform SDK or the .NET SDK.

I use signtool in my makefile with command line options to automatically sign compiled code, but in this howto, I’ll show the interactive use.

First we will install the certificate and key we’ll use to sign code. Double-click the file and let the wizard do its work with the default options:

1 of 10 7/31/17, 9:58 PM
Because the wizard will also install the root CA certificate found in
the PKCS12 file, it will ask you if you trust it.

It is not necessary to install this root CA certificate for code signing purposes, but if you don’t, signtool will not include the root CA certificate in the certificate chain. You also need to install this root CA certificate if you want to automatically trust all certificates issued by this root CA (or its subordinate CAs).

Now start signtool from a command line like this: signtool signwizard.

For the purposes of this howto, we’ll sign notepad.exe. When you
sign an executable that is already signed, the existing signature is
overwritten. Actually, notepad is not signed by Microsoft with an
embedded signature, but using a security catalog.
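As an added example (not code from the blog post), the following Python reads a PE file’s Security data directory to tell whether the file carries an embedded Authenticode signature, which is what makes the Digital Signatures tab appear; a file signed only through a security catalog, like the stock notepad.exe mentioned above, yields None. The build_test_pe fixture and its sample blob are constructed here for demonstration.

```python
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the optional header


def embedded_signature_info(pe: bytes):
    """Return (file_offset, size) of the embedded Authenticode blob, or None.
    The PKCS#7 signature sits in the Security data directory; its first field is
    a raw file offset, not an RVA. Catalog-signed files have an empty entry."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + 20  # skip "PE\0\0" and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt_hdr)[0]
    if magic == 0x10B:      # PE32
        num_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:    # PE32+
        num_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", pe, opt_hdr + num_dirs_off)[0]
    if num_dirs <= SECURITY_DIR_INDEX:
        return None
    off, size = struct.unpack_from("<II", pe, opt_hdr + dirs_off + SECURITY_DIR_INDEX * 8)
    if off == 0 or size == 0:
        return None  # unsigned, or signed only via a security catalog
    if off + size > len(pe):
        raise ValueError("Security directory points outside the file")
    return off, size


def build_test_pe(security=(0, 0), pe32plus=False):
    """Constructed header-only PE image used as a fixture; not a runnable program."""
    magic, num_off, dirs_off = (0x20B, 108, 112) if pe32plus else (0x10B, 92, 96)
    opt = bytearray(dirs_off + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, num_off, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs_off + SECURITY_DIR_INDEX * 8, *security)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    unsigned = build_test_pe()
    blob = b"\x30\x82" + b"\0" * 14  # constructed stand-in for the PKCS#7 SignedData blob
    signed = build_test_pe(security=(len(unsigned), len(blob))) + blob
    print(embedded_signature_info(unsigned), embedded_signature_info(signed))  # None (312, 16)
```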

We’ll use the default options presented by the wizard (except for
the timestamp):

Select the certificate and key we installed: use Select from Store.

By default, the signature doesn’t include a timestamp signed by an
external authority (a counter-signature). It’s easy to add one, for
example using Verisign’s timestamp service:
http://timestamp.verisign.com/scripts/timstamp.dll (of course, using
this option requires Internet access).

Finally, click Finish for the wizard to do its work:

From now on, notepad.exe’s properties displays a Digital Signatures tab:

This certificate is OK because we installed the root CA certificate in our certificate store. But if you check this signature on another machine or with another account (which doesn’t trust our root CA), we’ll get a warning that although the signature is valid, we don’t trust the root CA:

If you didn’t make a backup of notepad.exe and want to remove the
signature, use my digital signature tool disitool.
