Code Signing in Windows Using Microsoft Signtool

Jan 6, 2026

OVERVIEW: This page walks you through token-based Code Signing on the Windows platform using Microsoft SignTool. After completing this procedure, you will be able to sign files on Windows using SignTool. For more Code Signing guidelines, please refer to this page.

Prerequisites

Important SignTool Options

  • /ac  -  Specify an additional certificate.

  • /a  -  Automatically select the best certificate to sign the file from your Windows Certificate Store.

  • /n "Certificate Common Name"  -  Select the certificate to sign the file from your Windows Certificate Store by its common name.

  • /fd SHA256  -  Specify the file digest algorithm used in creating file signatures.

  • /t  -  Specify a Microsoft Authenticode compatible time stamp server.

  • /tr  -  Specify an RFC 3161 compliant trusted time stamp server. *Recommended*

  • /td SHA256  -  Specify the timestamp digest algorithm. Must be called after "/tr". *Recommended*

Note: Timestamping your Code is extremely important and is highly recommended for every piece of code that you sign. This timestamp will allow the file that you sign to remain valid long after the certificate itself has expired.

TimeStamp URLs:
http://timestamp.globalsign.com/tsa/r45standard

Guidelines

  1. You can either sign files out of a working directory, or you can place them in your Windows SDK\bin folder.

  2. Open the Command Prompt. On Windows 7: Start > Run > cmd. On Windows 8 - 10: press the Windows key, type cmd, and press Enter.

  3. Navigate to the directory with signtool.exe.

  4. Use the following command to sign your file: 
    signtool sign /a /tr http://timestamp.globalsign.com/tsa/r45standard /td SHA256 /fd SHA256 c:/path/to/your/file.exe

  5. Enter your Token Password. If the signing is successful, you will see a prompt informing you so.

  6. To verify the signature, use the following commands:
    Authenticode: signtool verify /v /pa c:/path/to/your/file.exe
    Kernel Driver Signing: signtool verify /v /kp c:/path/to/your/file.exe

 You may also verify the signature within the properties of the file, under the Digital Signatures tab.
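
The script below is an added example, not part of the original procedure: it runs steps 4 to 6 from PowerShell, pins the signing certificate with /n instead of /a, and then checks that the resulting signature actually carries a timestamp. The parameter names and the subject name are placeholders, and it assumes signtool.exe is on PATH and the token is connected.

```powershell
# Added example: sign one file, verify it, and confirm it was timestamped.
# Assumptions: signtool.exe is on PATH; -SubjectName is a placeholder for
# the common name of your own code signing certificate.
param(
    [Parameter(Mandatory)] [string] $Path,
    [string] $SubjectName  = 'Certificate Common Name',   # placeholder
    [string] $TimestampUrl = 'http://timestamp.globalsign.com/tsa/r45standard'
)

$ErrorActionPreference = 'Stop'
$file = (Resolve-Path -LiteralPath $Path).Path

# /n selects the certificate by common name, so the script never signs with
# whatever certificate /a happens to pick. /td is given after /tr.
& signtool sign /n $SubjectName /tr $TimestampUrl /td SHA256 /fd SHA256 $file
if ($LASTEXITCODE -ne 0) {
    throw "signtool sign failed (exit code $LASTEXITCODE)"
}

# Authenticode verification, the same command as step 6.
& signtool verify /v /pa $file
if ($LASTEXITCODE -ne 0) {
    throw "signtool verify failed (exit code $LASTEXITCODE)"
}

# Second check with the built-in cmdlet, which exposes the timestamp signer.
$sig = Get-AuthenticodeSignature -LiteralPath $file
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    # Signed but not timestamped: the signature would not remain valid
    # after the signing certificate expires.
    throw "No timestamp found on $file; sign it again with /tr and /td."
}

Write-Output "Signed by:      $($sig.SignerCertificate.Subject)"
Write-Output "Timestamped by: $($sig.TimeStamperCertificate.Subject)"
```

Failing the run when the timestamp is missing keeps an un-timestamped binary from being shipped unnoticed.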
