DigiCert KnowledgeBase - Technical Support

Knowledge Base

Authenticode® Program Signing & Timestamping Using SignTool

Solution ID : TL87
Last Modified : 08/20/2025

Prepare Your Computer & Secure Token for Code Signing Files with SignTool

Prepare the Token and the Computer

  1. Secure Token

    1. Using a DigiCert-Provided Hardware Token

      If you've purchased a DigiCert-provided hardware token, refer to Set Up Your DigiCert-Provided eToken.
       

    2. Using Your Secure Token

      If you are using your own FIPS 140-2 Level 2 compliant token from a different vendor, you need to do the following:

      1. Install the necessary Token hardware on your PC.

      2. Install your Code Signing Certificate on your token before proceeding with the signing process.

  2. Windows SDK

     Install the Windows SDK on your computer. SignTool (signtool.exe) ships with the SDK and is not added to PATH by default; it is installed under Windows Kits\10\bin\<SDK version>\<architecture>\, so either run it from that directory or use its full path.
     

Sign Your Files

Use the SignTool command to sign your files. You can run either the automatic or manual method below.

Automatic vs. Manual

If you have more than one Code Signing Certificate on your computer, we recommend that you manually select which certificate to use for signing the code. When running any of the SignTool commands below, replace the placeholder file path with the path to the file(s) you want to sign. After running the command, you are prompted to enter your token password.

  1. Automatically Select Signing Certificate

    By following the steps below, SignTool will automatically select the code signing certificate that will be used to sign your file. With /a, SignTool picks the valid certificate that is valid for the longest time, so if several code signing certificates are installed this may not be the one you expect:

    1. Open Command Prompt as an administrator.
       

    2. Run the following command: 

      signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a "C:\path\to\fileToSign.exe"
      In the command, replace "C:\path\to\fileToSign.exe" with the exact path where the file you're intending to sign is located.
       

    3. SignTool then prints a confirmation line beginning with "Successfully signed:" followed by the file path, meaning the file was signed and timestamped.
       

  2. Manually Specify a Code Signing Certificate 

    You can specify the certificate you want to use to sign your file by using the manual SignTool command below:

    1. Get the Code Signing Certificate's Subject Name

      1. To get a certificate's subject name in your user's account, go to the Start menu, type certmgr.msc, and press Enter.

      2. In the certmgr window, expand Personal > Certificates to list all of the certificates installed for that user account.

      3. The subject name of the certificate is the text listed under the Issued To field.


         

    2. Then, in the command below, replace "subject name" with your certificate's subject name and "C:\path\to\fileToSign.exe" with the exact path where the file you're intending to sign is located:

      signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /n "subject name" "C:\path\to\fileToSign.exe"
       

    3. SignTool then prints a confirmation line beginning with "Successfully signed:" followed by the file path, meaning the file was signed and timestamped.
       

Additional Information:

Batch Signing Files

To batch sign your files, you must enable single logon for the SafeNet token. Once single logon is activated and you've logged into the token, you can run SignTool repeatedly and enter your token password only once per user session instead of once per signing command.

How to Enable Single Logon for a SafeNet Token:

  1. Open SafeNet Authentication Client Tools.

    Navigate to Start > Program Files > SafeNet > SafeNet Authentication Client Tools.

  2. Click the Advanced View icon (gold gear).

  3. In the menu tree in the left pane, select Client Settings.

  4. In the right pane, select the Advanced tab.

  5. On the Advanced tab, select the Enable single login option.

  6. Click Save.

  7. To activate the single logon feature, log off from the computer and log on again.


Identify a Certificate by its Hash Value

Using the hash value of a Code Signing Certificate is another way to let signtool know which Code Signing Certificate to use.

If you have multiple certificates installed in your Personal certificate store, it is better to use the /sha1 option to specify the hash value of the Code Signing Certificate instead of using /a or /n "subject name" in the signing command, because the thumbprint identifies exactly one certificate.

The value you need is the SHA-1 thumbprint of the certificate (shown on the Details tab in certmgr.msc as Thumbprint). It is unrelated to the /fd and /td hash algorithms, which stay sha256. certmgr displays the thumbprint with a space between each pair of hex digits; you must remove all spaces from the thumbprint value, otherwise SignTool reports that no certificates were found.

    signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /sha1 [thumbprint] "C:\path\to\fileToSign.exe"
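The following PowerShell script is an added example, not part of the DigiCert article, that ties together the Sign Your Files procedure, the Batch Signing section and the thumbprint method above: it locates signtool.exe inside the Windows SDK, selects the code signing certificate from the current user's Personal store by checking for the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3) rather than by subject name, reads its thumbprint (which PowerShell already returns without spaces), signs each file with /sha1 and a DigiCert timestamp, and then verifies the result with signtool verify. The file paths in $FilesToSign and the SDK location under Windows Kits\10\bin are assumptions for illustration.

```powershell
# Added example (not DigiCert's or Microsoft's code). Assumes the Windows SDK is installed
# and the token's certificate is visible in Cert:\CurrentUser\My (the "Personal" store in certmgr.msc).
$TimestampUrl = 'http://timestamp.digicert.com'
$FilesToSign  = @('C:\build\app.exe', 'C:\build\helper.dll')   # placeholder paths (assumed)

# signtool.exe is not on PATH; find the newest x64 copy under the Windows Kits bin folder (assumed layout).
$signtool = Get-ChildItem -Path "${env:ProgramFiles(x86)}\Windows Kits\10\bin" -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -like '*\x64\*' } |
    Sort-Object FullName -Descending |
    Select-Object -First 1
if (-not $signtool) { throw 'signtool.exe not found; install the Windows SDK first.' }

# True when the certificate carries the Code Signing enhanced key usage (1.3.6.1.5.5.7.3.3).
function Test-CodeSigningEku([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
}

# Pick a currently valid code signing certificate that has a private key (on the token).
# Avoids /a's "longest validity wins" rule and /n's substring match on the subject name.
$now  = Get-Date
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and (Test-CodeSigningEku $_) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No valid code signing certificate with a private key in Cert:\CurrentUser\My.' }

# .Thumbprint is the SHA-1 thumbprint as plain hex with no spaces, exactly what /sha1 expects.
$thumbprint = $cert.Thumbprint
Write-Host "Signing with '$($cert.Subject)' thumbprint $thumbprint"

foreach ($file in $FilesToSign) {
    if (-not (Test-Path -LiteralPath $file)) { throw "File not found: $file" }

    # One SignTool call per file. Without single logon on the SafeNet token each call prompts for the PIN;
    # with it enabled you are asked once per session.
    & $signtool.FullName sign /tr $TimestampUrl /td sha256 /fd sha256 /sha1 $thumbprint $file
    if ($LASTEXITCODE -ne 0) { throw "Signing failed for $file (signtool exit code $LASTEXITCODE)" }

    # /pa validates against the Default Authenticode policy; /v prints the certificate chain and the timestamp.
    & $signtool.FullName verify /pa /v $file
    if ($LASTEXITCODE -ne 0) { throw "Signature verification failed for $file" }
}
Write-Host "Signed and verified $($FilesToSign.Count) file(s)."
```

The verify step is worth keeping in any signing script: it confirms the timestamp countersignature was actually embedded (a transient timestamp server failure makes signtool sign fail, but checking /v output for the timestamp is the explicit proof) and that the chain builds to a trusted root on the build machine.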

For more information on the different signtool.exe options, see Microsoft's SignTool Documentation.