Knowledge Base

Prepare Your Computer & Secure Token for EV Code Signing Files with SignTool

Prepare Token and Computer

1. Secure Token

   1. Using a DigiCert Supplied Secure Token

      Many customers will choose to have DigiCert ship a secure token to them. If this applies to you, you will need to do the following:

      1. Activate Token

         Activate your token and retrieve its password from within your DigiCert account.

      2. Install the Driver for the Safenet eToken Device

         During the token activation process, you are given the link to download and install the driver for the Safenet eToken device.

      3. Change eToken Password

         After obtaining your password, DigiCert recommends you change your etoken password as a security best practice.

   2. Using Your Secure Token

      If you are bringing your own FIPS 140-2 Level 2 compliant token from a different vendor, you need to do the following:

      1. Install Device Hardware

         Install your device's hardware on your PC.

      2. Install EV Code Signing Certificate

         Install your EV Code Signing Certificate on your token before proceeding with these instructions.

2. Windows SDK

   Next, install the Windows SDK onto your computer.

Sign Your Files

After your token and computer are ready, use the SignTool command to sign your program. You can run either the automatic or manual method below.

Note: Microsoft will support SHA1 Code Signing Certificates until Jan 1, 2020. Microsoft recommends using SHA-256 certificate/digest algorithm/timestamp for all applications. Microsoft has not yet released a SHA1 deprecation policy for drivers. For more information, refer to the Windows Enforcement of Authenticode Code Signing and Timestamping page.

Automatic vs. Manual

If you have more than one Code Signing Certificate on your computer, we recommend that you manually select which certificate to use for signing the code. When running any of the SignTool commands, modify the section in red to match your filename(s). After running the command, you are prompted to enter your device's password.

1. Automatically Select Signing Certificate

   To let Signtool automatically select the Code Signing Certificate to use to sign your program do the following:

   1. Open a command prompt as an administrator.

   2. Run one of the following commands:

      To Sign Code with a SHA256 Certificate/Digest Algorithm/Timestamp

      signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a "c:\path\to\file_to_sign.exe"

      
      To Sign Code with a SHA1 Certificate/Digest Algorithm/Timestamp

      signtool sign /t http://timestamp.digicert.com /a "c:\path\to\file_to_sign.exe"
       

   3. You should then receive a confirmation that the file was successfully signed and timestamped.

2. Manually Specify the EV Code Signing Certificate to Use

   You can select which certificate to publish your programs using one of the manual SignTool commands specified below.

   1. Get Code Signing Certificate's Subject Name

      1. To get a certificate's subject name in your user's account, go to the Start menu, type certmgr.msc and press Enter.

      2. In the certmgr window, expand Personal > Certificates to list all of the certificates installed for that user account.

      3. The subject name of the certificate is the text listed under the Issued To field

         

   2. Then, enter this text into the "subject name" of one of the commands below and follow it with the file you're signing:

      To Sign Code with a SHA256 Certificate/Digest Algorithm/Timestamp

      signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /n "subject name" "C:\path\to\fileToSign.exe"

      
      To Sign Code with a SHA1 Certificate/Digest Algorithm/Timestamp

      signtool sign /t http://timestamp.digicert.com /n "subject name" "C:\path\to\fileToSign.exe"
       

   3. You should then receive a confirmation that the file was successfully signed and timestamped.

Additional Information:

Batch Signing Files

If you want to batch sign your files, you need to enable single logon for the SafeNet Token. Once single logon is enabled and you have logged into the Token, you can batch sign your files, enabling you to enter your password only once per user session.

How to Enable Single Logon for a SafeNet Token

1. Open SafeNet Authentication Client Tools.

   Navigate to Start > Program Files > Safenet > Safenet Authentication Client Tools.

2. Click the Advanced View icon (gold gear).

3. In the menu tree in the left pane, select Client Settings.

4. In the right pane, select the Advanced tab.

5. On the Advanced tab, select the Enable single login option.

6. Click Save.

7. To activate the single logon feature, log off from the computer and log on again.

Identify a Certificate by its Hash Value

Using the hash value of a Code Signing Certificate is another way to let signtool know which Code Signing Certificate to use.

If you have multiple certificates installed in your Personal Certificate store, it may be better to use the /sha1 option to specify the hash value of the Code Signing Certificate instead of using /a or /n "subject name" in the signing command.

In this case, you would be using the thumbprint value of your Code Signing Certificate. You must remove all spaces from the thumbprint value; if you do not, it won't work. You can also use our DigiCert Utility to easily get the thumbprint.

1. Option 1: How to Sign Code with a SHA256 Certificate/Digest Algorithm/TimestampSHA256 signing:

   signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /sha1 [thumbprint] file.exe
    

2. Option 2: How to Sign Code with a SHA1 Certificate/Digest Algorithm/Timestamp:

   signtool sign /t http://timestamp.digicert.com /sha1 [thumbprint] file.exe
    

For more information on the different signtool.exe options, see Microsoft's SignTool Documentation.