How to sign code with Authenticode using Microsoft SignTool
In this article, we look at the process of signing programs for Windows® with Authenticode signatures using SignTool.
To use SignTool.exe to sign your applications, you need to install one of the following software packages:
- Microsoft Visual Studio 2005 (or later)
- Microsoft Windows® SDK (7, 8.1 or 10)
SignTool.exe ships with the Windows SDK (and with Visual Studio). The SHA-256 options used below need a recent version, so update the SDK rather than relying on an old SignTool.
Signing code with a SHA-256 certificate
When signing code with SHA-2 (SHA-256), make sure you have the latest version of SignTool installed; older versions do not understand the SHA-256 options and fail with unexpected errors.
For Comodo certificates, type the following at the Windows® command line:
signtool sign /tr http://timestamp.comodoca.com /td sha256 /fd sha256 /a "path\to\file.exe"
Here /fd sha256 selects SHA-256 as the file digest, /tr names an RFC 3161 timestamp server, /td sha256 requests a SHA-256 digest for the timestamp, and /a lets SignTool pick the best available code signing certificate from your store. The timestamp is what keeps the signature valid after the certificate expires, so do not omit it. If more than one code signing certificate is installed, /a may choose the wrong one; pin the certificate with /sha1 <thumbprint> or /n "<subject name>" instead.
(For certificates from other CAs, use that CA's RFC 3161 timestamp server URL instead.)
Note: Comodo's own documentation recommends the URL http://timestamp.comodoca.com?td=sha256 for SHA-256 timestamps.
If everything was successful, you will see:
Done Adding Additional Store
Successfully signed and timestamped: filename.exe
Signing code with a SHA-1 certificate
By default, the Comodo timestamp server issues SHA-1 Authenticode timestamps (the legacy /t format understood by SignTool and SignCode). This is done for compatibility with Windows® Vista and XP. Microsoft has deprecated SHA-1 for code signing, so use a SHA-1 signature only where you must support those legacy systems, and preferably alongside a SHA-256 signature rather than instead of it.
For Comodo certificates, to sign the code with a SHA-1 certificate, type the following at the Windows® command line:
signtool sign /t http://timestamp.comodoca.com /a "path\to\file.exe"
Here /t requests a legacy Authenticode timestamp, and because no /fd switch is given SignTool falls back to a SHA-1 file digest (recent versions print a warning about this; add /fd sha1 to make the choice explicit).
(For certificates from other CAs, use that CA's Authenticode timestamp server URL instead.)
If everything was successful, you will see:
Done Adding Additional Store
Successfully signed and timestamped: filename.exe
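As an added example that is not part of the original article, the following PowerShell script combines the two procedures above into a single dual-signing step: it applies a SHA-1 primary signature for legacy systems and then appends a SHA-256 signature with /as, pinning the certificate by thumbprint instead of relying on /a. It needs SignTool from the Windows 8.1 SDK or later (for /as). The SDK search path, the parameter names, and the file and thumbprint values are assumptions.

```powershell
# Added example (not from the original article): dual-sign a Windows binary so that
# Windows XP/Vista see a SHA-1 signature and current Windows versions see SHA-256.
# Assumptions: SignTool from the Windows 10 SDK under Program Files (x86)\Windows Kits,
# a code signing certificate in the CurrentUser\My store, and the parameter values below.
param(
    [Parameter(Mandatory)] [string] $File,                      # e.g. .\build\app.exe (assumed)
    [Parameter(Mandatory)] [string] $Thumbprint,                # SHA-1 thumbprint of the signing cert (assumed)
    [string] $TimestampUrl = 'http://timestamp.comodoca.com'    # Comodo/Sectigo server from the article
)

$ErrorActionPreference = 'Stop'

# Locate the newest x64 signtool.exe in the installed SDK instead of relying on PATH.
# Sorting by full path works because SDK version folders share the 10.0.NNNNN.0 layout (assumed).
$signtool = Get-ChildItem "${env:ProgramFiles(x86)}\Windows Kits\10\bin" -Recurse -Filter signtool.exe |
    Where-Object { $_.FullName -like '*\x64\*' } |
    Sort-Object FullName -Descending |
    Select-Object -First 1
if (-not $signtool) { throw 'signtool.exe not found; install the Windows 10 SDK.' }

# Run signtool and fail loudly on a non-zero exit code so a broken signature cannot ship.
function Invoke-SignTool([string[]] $Arguments) {
    & $signtool.FullName @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool failed (exit code $LASTEXITCODE): $($Arguments -join ' ')"
    }
}

# 1. Primary signature: explicit SHA-1 file digest with a legacy Authenticode (/t) timestamp.
#    /sha1 pins the exact certificate rather than letting /a choose one.
Invoke-SignTool @('sign', '/sha1', $Thumbprint, '/fd', 'sha1', '/t', $TimestampUrl, $File)

# 2. Appended signature: SHA-256 file digest with an RFC 3161 (/tr) SHA-256 (/td) timestamp.
#    /as appends to the existing signature instead of replacing it, so both are kept.
Invoke-SignTool @('sign', '/sha1', $Thumbprint, '/fd', 'sha256', '/tr', $TimestampUrl, '/td', 'sha256', '/as', $File)

# 3. Verify every signature (/all) on the file under the default Authenticode policy (/pa).
Invoke-SignTool @('verify', '/pa', '/all', '/v', $File)
```

Run it as `.\Sign-Dual.ps1 -File .\build\app.exe -Thumbprint <thumbprint>`; the order matters, because the SHA-1 signature must be the primary one for XP and Vista, which ignore appended signatures.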
How to verify a digital signature
To verify the signature, right-click the file, select Properties and open the Digital Signatures tab. It lists each signature on the file with the signer, the digest algorithm and the timestamp; select one and click Details to see whether Windows reports the signature as OK and to inspect the signer and timestamp certificate chains. If the tab is missing, the file carries no signature at all.
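For checking signatures from a script rather than the Properties dialog, here is an added PowerShell example (not from the original article). It uses Get-AuthenticodeSignature for the trust verdict and then signtool verify to list every signature with its digest algorithm and timestamp details. The file path is an assumption, and signtool.exe is assumed to be on PATH.

```powershell
# Added example (not from the original article): verify a signed file from PowerShell.
# Assumptions: the file path passed in, and signtool.exe available on PATH.
param([Parameter(Mandatory)] [string] $File)

$ErrorActionPreference = 'Stop'

# Get-AuthenticodeSignature returns one Signature object with the trust status,
# the signer certificate and (if present) the timestamp server's certificate.
$sig = Get-AuthenticodeSignature -FilePath $File

[pscustomobject]@{
    File             = $File
    Status           = $sig.Status                          # Valid, NotSigned, HashMismatch, NotTrusted, ...
    Signer           = $sig.SignerCertificate.Subject
    SignerThumbprint = $sig.SignerCertificate.Thumbprint
    SignerExpires    = $sig.SignerCertificate.NotAfter
    TimeStamper      = $sig.TimeStamperCertificate.Subject  # empty when the file was not timestamped
} | Format-List

# A verdict other than Valid means the file must not be trusted: NotSigned, a tampered
# file (HashMismatch) or an untrusted chain (NotTrusted) all land here.
if ($sig.Status -ne 'Valid') { throw "Signature on '$File' is $($sig.Status)" }

# Valid alone is not enough: without a timestamp the signature stops verifying as
# soon as the signer certificate expires, so flag that explicitly.
if (-not $sig.TimeStamperCertificate) { Write-Warning "'$File' is signed but not timestamped" }

# The cmdlet does not show the digest algorithm or the appended signatures of a
# dual-signed file; signtool lists all of them (/all) with full details (/v) under
# the default Authenticode policy (/pa).
& signtool verify /pa /all /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
```

Both checks should pass before a build is released; a Valid verdict with a warning about a missing timestamp means re-signing with a timestamp server rather than shipping.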