Microsoft Authenticode Signing Instructions

Solution ID:    SO17631
Version:    12.0
Published:    08/03/2010
Updated:    06/11/2015

Solution

To sign software using Microsoft Authenticode or Microsoft Office and VBA certificates, download and install the following:

Microsoft Windows SDK (contains signtool.exe used for signing)

NOTE:  While we do our best to provide information for signing, Thawte does not support the code signing software and tools themselves.

This example uses several of the arguments that SignTool supports:

° Sign: Configures the tool to sign the intended file
° /v: Specifies the verbose option for successful execution and warning messages
° /s: Specifies a certificate store (If the certificate is imported into the Personal store, the SPCCertificateStore is MY)
° /t: Specifies that the digital signature will be timestamped by the Time-Stamp Authority (TSA) indicated by the URL
° /f: Specifies the signing certificate in a file. Only the Personal Information Exchange (PFX) file format is supported
° /p: If the file is in PFX format protected by a password, use the /p option to specify the password
° /pa: Specifies that the Default Authentication Verification Policy is used


NOTE: The timestamping URL is http://timestamp.verisign.com/scripts/timstamp.dll (the timstamp.dll filename is required to conform to the old MS-DOS naming convention).
 

Signing Steps:

NOTE:  For signing 64-bit drivers, please see the following solution instead:  SO5565

  1. Go to: Start > Run
  2. Type CMD > click OK
  3. At the command prompt, change to the directory where signtool exists. The default directory is:
     
    C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin

    NOTE: The directory above may vary depending on where the Microsoft Windows SDK was installed.
     
  4. Run one of the following commands to sign the file:
     

The following syntax signs the file using a certificate installed in the Personal certificate store of the Windows OS:

With the timestamp:

signtool.exe sign /s my /t http://timestamp.verisign.com/scripts/timstamp.dll /v "C:\filename.dll"


Without the timestamp:

signtool.exe sign /s my /v "C:\filename.dll"



The following syntax signs the file using a certificate in a password-protected PFX file:

With the timestamp:

signtool.exe sign /f C:\Authenticode\YourCert.pfx /p pfxpassword /t http://timestamp.verisign.com/scripts/timstamp.dll /v "C:\filename.dll"


Without the timestamp:

signtool.exe sign /f C:\Authenticode\YourCert.pfx /p pfxpassword /v "C:\filename.dll"

 

Test Your Signature
 
The Platform SDK SIGNTOOL.EXE utility contains a command to check a digital signature before distributing your file.

  1. Go to: Start > Run
  2. Type CMD > click OK
  3. At the command prompt, enter the directory where signtool exists
  4. Run the following:
     
signtool.exe verify /pa /v "C:\filename.dll"
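
As an added example (not part of the original Thawte article), the following PowerShell script chains the store-based, timestamped signing command and the verify command shown above, and stops if either fails or if the resulting signature carries no timestamp. The SignTool path, timestamp URL and file name are the article's own placeholder values; the function name Invoke-SignTool is hypothetical.

```powershell
# Added example: sign, verify, and refuse to ship an untimestamped file.
# Placeholder values taken from the article's examples; adjust for your system.
$SignTool     = 'C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin\signtool.exe'
$TimestampUrl = 'http://timestamp.verisign.com/scripts/timstamp.dll'
$Target       = 'C:\filename.dll'

# Hypothetical helper: run signtool and treat any non-zero exit as fatal.
function Invoke-SignTool {
    param([string[]]$Arguments)
    & $SignTool @Arguments
    # SignTool exit codes: 0 = success, 1 = failure, 2 = completed with warnings.
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments[0]) exited with code $LASTEXITCODE"
    }
}

# Sign with the certificate in the Personal (MY) store. Unlike the /f /p form,
# this keeps the PFX password out of the command line, shell history and
# process listings.
Invoke-SignTool -Arguments @('sign', '/s', 'my', '/t', $TimestampUrl, '/v', $Target)

# Same check as the "Test Your Signature" step.
Invoke-SignTool -Arguments @('verify', '/pa', '/v', $Target)

# Second check with the built-in cmdlet: the signature must be valid AND
# timestamped. A signature made without /t stops verifying once the signing
# certificate expires, so an untimestamped file is rejected here.
$sig = Get-AuthenticodeSignature -FilePath $Target
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if ($null -eq $sig.TimeStamperCertificate) {
    throw "Signature on $Target is valid but has no timestamp."
}

# Record which certificate signed the file, for the release log.
[pscustomobject]@{
    File          = $Target
    Signer        = $sig.SignerCertificate.Subject
    Thumbprint    = $sig.SignerCertificate.Thumbprint
    CertNotAfter  = $sig.SignerCertificate.NotAfter
    TimestampedBy = $sig.TimeStamperCertificate.Subject
}
```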


Additional Information and Resources:

Installing a Microsoft Authenticode Certificate:
See solution ID:  SO13346

Microsoft knowledge base information:

http://www.microsoft.com/whdc/driver/64bitguide.mspx
http://msdn.microsoft.com/en-us/library/aa388170
http://msdn.microsoft.com/en-us/library/aa387764(v=VS.85).aspx 

 

 

Disclaimer:

Thawte has made efforts to ensure the accuracy and completeness of the information in this document. However, Thawte makes no warranties of any kind (whether express, implied or statutory) with respect to the information contained herein. Thawte assumes no liability to any party for any loss or damage (whether direct or indirect) caused by any errors, omissions, or statements of any kind contained in this document. Further, Thawte assumes no liability arising from the application or use of the product or service described herein and specifically disclaims any representation that the products or services described herein do not infringe upon any existing or future intellectual property rights. Nothing herein grants the reader any license to make, use, or sell equipment or products constructed in accordance with this document. Finally, all rights and privileges related to any intellectual property right described herein are vested in the patent, trademark, or service mark owner, and no other person may exercise such rights without express permission, authority, or license secured from the patent, trademark, or service mark owner. Thawte reserves the right to make changes to any information herein without further notice.  
