Signing an App using a CodeSign certificate with SignTool & Windows 10

I was recently working with a new Windows app we built at CleanBrowsing and our users were getting hit with security warnings post-installation. This warning was generated because the app was not signed.

Ok, let’s get things signed.

To sign I would need a code-sign certificate. I went through the process of getting an Extended Validation (EV) certificate from GlobalSign.

Site Note: The process was not too bad, you sign some forms, take some pictures and you’re done. You do need a Windows machine when download the certificate, be prepared for that.

This biggest annoyance is that you need Internet Explorer to download the certificate and install it on your token. I had to download IE 11 to get this done. Yes, I tried with MS Edge, and other modern browsers but nothing worked.

Couple of Prerequisites to be aware of:

  • SafeNet (You will get your token from this organization)
  • Windows SDK (Using Windows 10)

Be aware that signing will be done via the Windows command prompt. Pay special attention to where the SDK is installed.


Step 1: Open Command Prompt in Administrator Mode

Step 2: Set Working Directory to SignTool Directory

Using Windows 10 SDK, in 2021, this was my working directory for SignTool

cd “\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64

Step 3: Set appropriate options

This is what my command looked like when I was done:

signtool sign /a /tr /td SHA256 “C:\Users\[User name]\path\to\file.exe”

Options Used:

/a = automatically set the name according to what was on the certificate, if you want to set it differently I believe you use /n “subject name”

/tr = This sets the timestamp, and the “r” option references a RFC3161 compliant trusted time stamp. Each CA will have a timestamp you can use. For example Globalsign uses: while DigiCert uses:

(note: the irony of those not using HTTPS is not lost on me)

/td = This sets the timestamp algorithm to use, the recommended configuration is SHA256 so just use that and save yourself the headache. Every provider will do this a bit differently. For GlobalSign, it only works if you use /advanced in the slug the way I have it: with the /td SHA256

” “ = Lastly, make sure you put the path to the executable you are trying to sign, include the double quotes.

When you hit enter, it will ask you for the token password ( I hope you haven’t forgotten it):

When it’s done, you’ll get this output in your command prompt:

Done Adding Additional Store
Successfully signed: C:\Users\[User name]\path\to\file.exe

Leave a Reply