This tutorial requires you to have your Code Signing Certificate from DigiCert or Verokey already on your USB eToken. If you still need to get your USB eToken initialised and set up, check out our guide here.
When signing with SignTool from the command line, there are two ways to select the certificate for signing: you can let SignTool select one automatically, or you can specify one manually.
Automatically Select Signing Certificate with SignTool
To let SignTool automatically select the Code Signing Certificate used to sign your program, do the following:
- Open a command prompt as an administrator.
- Run the following command:
```shell
signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a "c:\path\to\file_to_sign.exe"
```
You should then receive a confirmation that the file was successfully signed and timestamped.
Manually Specify the Code Signing Certificate to use with SignTool
Passing the hash value of your Code Signing Certificate tells SignTool which certificate to use.
In this case, you will be using the thumbprint value of your Code Signing Certificate. You must remove all spaces from the thumbprint value; it won't work if you don't. Replace the THUMBPRINT-HERE placeholder with your certificate's SHA-1 hash.
```shell
signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /sha1 THUMBPRINT-HERE "c:\path\to\file_to_sign.exe"
```
You can view more of the options available in SignTool in Microsoft's SignTool documentation.
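The manual-selection steps above as a PowerShell script, added here as an example and not part of the original article: it strips spaces and other non-hex characters from the thumbprint, confirms the certificate is present, signs, then verifies the result. It assumes signtool is on PATH and that the token's certificate appears in the current user's Personal store; the parameter names are illustrative.

```powershell
# Added example, not from the original article. Parameter names are illustrative.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,  # as copied from the certificate details
    [Parameter(Mandatory)] [string] $FilePath     # e.g. c:\path\to\file_to_sign.exe
)

# Keep only hex digits: drops spaces and any invisible characters picked up when copying.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($clean.Length -ne 40) {
    throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) characters."
}

# Assumption: the eToken's certificate is visible in the current user's Personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $clean }
if (-not $cert) {
    throw "No code signing certificate with thumbprint $clean in CurrentUser\My."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)."
}

# Same command as in the article, with the cleaned thumbprint substituted.
& signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /sha1 $clean $FilePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE." }

# Check the signature against the default Authenticode policy; /v prints the
# signer chain and timestamp so you can confirm the expected certificate was used.
& signtool verify /pa /v $FilePath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE." }
```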