
Microsoft Authenticode Signing Instructions

Problem

Sign Microsoft Windows software using Microsoft Authenticode

Sign Microsoft Windows software using SDK 7.0

Sign Microsoft Windows software using SDK 8.1

Microsoft Windows SDK for Windows 7 and .NET Framework 3.5 SP1

Microsoft Windows SDK for Windows 8.1 and .NET Framework 4.5.1

Solution

To sign software using Microsoft Authenticode or Microsoft Office and VBA certificates, download and install the following:

NOTE: While we do our best to provide information for signing, Thawte does not support the code signing software and tools themselves.

This example uses several of the arguments that SignTool supports. 

  • sign: Configures the tool to sign the intended file
  • verify: Verifies the digital signature of files by determining whether the signing certificate was issued by a trusted authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate is valid for a specific policy.
  • /a: Automatically selects the best signing certificate. Sign Tool will find all valid certificates that satisfy all specified conditions and select the one that is valid for the longest time. If this option is not present, Sign Tool expects to find only one valid signing certificate.
  • /f: Specifies the signing certificate in a file. Only the Personal Information Exchange (PFX) file format is supported.
  • /fd: Specifies the file digest algorithm to use for creating file signatures. The default is SHA1.
  • /n: Specifies the Common Name of a certificate. Use this option if you have certificates issued to more than one organization in your certificate store.
  • /p: If the file is in PFX format protected by a password, use the /p option to specify the password.
  • /pa: Specifies that the Default Authentication Verification Policy is used.
  • /s: Specifies a certificate store (If the certificate is imported into the Personal store, the SPCCertificateStore is MY)
  • /t: Specifies that the digital signature will be timestamped by the Time-Stamp Authority (TSA) indicated by the URL
  • /tr: Specifies the URL of the RFC 3161 time stamp server.  This option cannot be used with the /t option.
  • /v: Specifies the verbose option for successful execution and warning messages.

Special Signing Situations:

Before signing, please review the special situations below.  If you will be signing a file for one of the situations, please follow the link for documentation specific to that situation.

Signing Steps:

  1. Go to: Start > Run
  2. Type CMD > click OK
  3. At the command prompt, use the CD command to change to the directory where signtool.exe is installed. The default directory is:

    CD C:\Program Files (x86)\Windows Kits\8.1\bin\x64

    Note: The directory above may vary.
     
  4. Run one of the following signing commands below.

    Important: Thawte recommends that customers use the SHA-256 timestamping service going forward, and use a SHA-1 service only where a legacy platform constraint does not allow use of the SHA-2 service.

Note: SignTool will use SHA-1 as the default signature digest algorithm, even if you are using a SHA-256 certificate. Use the /fd option in the command to set the signature digest algorithm explicitly.

The SHA-256 with RFC 3161 timestamping URL is http://sha256timestamp.ws.symantec.com/sha256/timestamp

The SHA-1 with RFC 3161 timestamping URL is http://sha1timestamp.ws.symantec.com/sha1/timestamp

Note: The SHA-1 timestamping URL is http://timestamp.verisign.com/scripts/timstamp.dll (the timstamp.dll filename is required to conform to the old MS-DOS naming convention).


The following syntax signs the file using a certificate stored in your Personal certificate store

SHA-1 with Timestamp

Note: The original timestamping URL is http://timestamp.verisign.com/scripts/timstamp.dll (the timstamp.dll filename is required to conform to the old MS-DOS naming convention); however, http://timestamp.verisign.com/scripts/timestamp.dll can now also be used.

signtool.exe sign /a /s MY /n "Common name" /t http://timestamp.verisign.com/scripts/timestamp.dll /v "C:\filename.dll"

Note: If multiple certificates are installed in your Personal certificate store, use the /sha1 option to specify the SHA-1 hash of the Code Signing Certificate. This is the thumbprint value of your Code Signing Certificate; remove all spaces from the thumbprint value.
For example:

signtool.exe sign /a /s MY /sha1 sha1_thumbprint_value /n "Common name" /t http://timestamp.verisign.com/scripts/timestamp.dll /v "C:\filename.dll"


SHA-256 with RFC 3161 Timestamp:

signtool.exe sign /a /s MY /n "Common name" /fd sha256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp /v "C:\filename.dll"


Note: If multiple certificates are installed in your Personal certificate store, use the /sha1 option to specify the SHA-1 hash of the Code Signing Certificate. This is the thumbprint value of your Code Signing Certificate; remove all spaces from the thumbprint value.
For example:

signtool.exe sign /a /s MY /sha1 sha1_thumbprint_value /n "Common name" /fd sha256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp /v "C:\filename.dll"

Note: If you are signing the file with a certificate stored in a password-protected PFX file, use the arguments /f YourCertFileName.pfx /p pfxpassword in place of /a /s MY /n "Common name" in the command.

Test Your Signature
Method 1: Using signtool

  1. Go to: Start > Run
  2. Type CMD > click OK
  3. At the command prompt, enter the directory where signtool exists
  4. Run the following:
     
signtool.exe verify /pa /v "C:\filename.dll"
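The following Python script is an added example, not Thawte's or Microsoft's tooling, for checking what signtool actually produced. It reads the PE Certificate Table, walks the PKCS#7 SignedData far enough to report the file digest algorithm (the SHA-1 default noted above versus /fd sha256), and checks for the RFC 3161 countersignature attribute that /tr adds. It uses only the Python standard library and does not validate the certificate chain or the signature itself; signtool verify and the Digital Signatures tab remain the authoritative checks. Two parts are assumptions of this example rather than anything on this page: the timestamp check is a byte search for the attribute OID (a heuristic, not a full SignerInfo parse), and build_sample_pe constructs a minimal PE stub, not a loadable image, as self-test input.

```python
import struct
import sys

# DER-encoded OID content bytes (dotted forms in the comments).
OID_SIGNED_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"  # 1.2.840.113549.1.7.2
OID_SHA1 = b"\x2b\x0e\x03\x02\x1a"                          # 1.3.14.3.2.26
OID_SHA256 = b"\x60\x86\x48\x01\x65\x03\x04\x02\x01"        # 2.16.840.1.101.3.4.2.1
DIGEST_OIDS = {OID_SHA1: "sha1", OID_SHA256: "sha256"}
# Complete OID TLVs of the two timestamp countersignature attributes, for byte searches.
TLV_RFC3161_COUNTERSIGN = b"\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x03\x03\x01"  # 1.3.6.1.4.1.311.3.3.1 (/tr)
TLV_PKCS9_COUNTERSIGN = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x09\x06"        # 1.2.840.113549.1.9.6 (/t)

def der_read(buf, pos=0):
    """Read one DER TLV at buf[pos:]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        yield tag, inner

def authenticode_info(pe):
    """Describe the embedded PKCS#7 signature of a PE image; {'signed': False} if none."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24  # skip "PE\0\0" and the 20-byte COFF file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ data directory start
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4: Certificate Table
    if off == 0 or size == 0:
        return {"signed": False}
    length, _rev, cert_type = struct.unpack_from("<IHH", pe, off)  # WIN_CERTIFICATE header
    if cert_type != 0x0002:  # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("unsupported WIN_CERTIFICATE type %#x" % cert_type)
    blob = pe[off + 8:off + length]
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    kids = list(der_children(der_read(blob)[1]))
    if kids[0][1] != OID_SIGNED_DATA:
        raise ValueError("not PKCS#7 SignedData")
    # SignedData ::= SEQUENCE { version, digestAlgorithms SET OF AlgorithmIdentifier, ... }
    sd = list(der_children(der_read(kids[1][1])[1]))
    digests = [next(der_children(alg))[1] for _, alg in der_children(sd[1][1])]
    return {
        "signed": True,
        "digest": [DIGEST_OIDS.get(o, o.hex()) for o in digests],
        # Heuristic: these attribute OIDs occur only inside SignerInfo unsignedAttrs.
        "rfc3161_timestamp": TLV_RFC3161_COUNTERSIGN in blob,
        "legacy_timestamp": TLV_PKCS9_COUNTERSIGN in blob,
    }

def findings(info):
    """Gaps against this page's advice: SHA-256 file digest plus an RFC 3161 timestamp."""
    if not info["signed"]:
        return ["no Authenticode signature present"]
    out = []
    if "sha256" not in info["digest"]:
        out.append("file digest is %s; re-sign with /fd sha256" % "/".join(info["digest"]))
    if not info["rfc3161_timestamp"]:
        out.append("no RFC 3161 timestamp; sign with /tr <timestamp URL>")
    return out

def der(tag, content):
    """Short-form DER TLV; enough for the small constructed sample below."""
    return bytes([tag, len(content)]) + content

def build_sample_pe(digest_oid, timestamped):
    """Constructed PE32 stub with a truncated SignedData (test input only, not loadable)."""
    attr = der(0x30, TLV_RFC3161_COUNTERSIGN) if timestamped else b""
    signed_data = der(0x30, der(0x02, b"\x01")  # version, then digestAlgorithms
                      + der(0x31, der(0x30, der(0x06, digest_oid) + der(0x05, b"")))
                      + attr)  # stand-in for the unsigned timestamp attribute
    content_info = der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed_data))
    cert = struct.pack("<IHH", 8 + len(content_info), 0x0200, 0x0002) + content_info
    opt = bytearray(224)  # PE32 optional header; Certificate Table entry at +128
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 4 * 8, 0x40 + 24 + len(opt), len(cert))
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    return dos + b"PE\0\0" + coff + bytes(opt) + cert

if __name__ == "__main__":  # inspect a real file, or the constructed SHA-1 sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(OID_SHA1, False)
    info = authenticode_info(data)
    print(info, *findings(info), sep="\n")
```

Run it as python authenticode_check.py C:\filename.dll (script name assumed) after signing; a file signed with the SHA-256 command above reports digest sha256 and rfc3161_timestamp True with no findings, while a file signed with the SHA-1 /t command reports both gaps. With no argument it inspects the constructed sample.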


Method 2: Using Windows

  1. Right-click the signed file
  2. Select Properties
  3. Select the Digital Signatures tab.  The signature will be displayed in the Signature list section.


Additional Information and Resources:

Microsoft knowledge base information:
http://www.microsoft.com/whdc/driver/64bitguide.mspx
http://msdn.microsoft.com/en-us/library/aa388170
http://msdn.microsoft.com/en-us/library/aa387764(v=VS.85).aspx