This article will be the default article after the implementation of
the new Minimum Requirements for Code Signing on February 1, 2017.
- GlobalSign Code Signing Certificate Downloaded & Installed onto a hardware token.
- Windows Software Development Kit (SDK) For Windows 8.1
- MS Cross Certificate for R1 – Used for Kernel Driver Signing within Windows
- SHA-256 orders additionally use the R1-R3 Cross Certificate – default March 31, 2014 & after. (The R1-R3 Cross Certificate will need to be installed on the signing computer but not specified as an additional certificate during the signing procedure)
Important SignTool Options
- /ac - Specify an Additional Certificate.
- /a - Automatically selects the best certificate to sign the file from your Windows Certificate Store.
- /n "Certificate Common Name" Specifies the certificate to sign the file from your Windows Certificate Store using the certificate common name.
- /fd SHA256 - Specify the file digest algorithm used in creating file signatures.
- /t - Specify a Microsoft Authenticode compatible time stamp server.
- /tr - Specify an RFC 3161 compliant trusted time stamp server. *Recommended*
- /td SHA256 - Specify the time stamp digest algorithm. Must be given after "/tr". *Recommended*
- /sha1 Hash - Used to select the signing certificate by the SHA-1 Hash (Thumbprint).
This timestamp will allow the file that you sign to remain valid long after the certificate itself has expired.
SHA-1 based: http://rfc3161timestamp.globalsign.com/standard
SHA-2 based: http://rfc3161timestamp.globalsign.com/advanced
- You can either sign files out of a working directory, or you can place them in your Windows SDK\bin folder.
- Open the Command Prompt: on Windows 7, Start > Run > cmd; on Windows 8 - 10, press the Windows Key, then type cmd and press Enter.
- Navigate to the directory with signtool.exe.
- Use the following command to sign your file:
signtool sign /a /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256 c:/path/to/your/file.exe
Note: For Kernel Driver Signing, add the argument /ac "GlobalSign Root CA.crt" to the signtool command in order to complete the MS cross certificate chain. The file name contains spaces, so it must be quoted.
signtool sign /a /ac "GlobalSign Root CA.crt" /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256 c:/path/to/your/file.exe
- Enter your Token Password. If the signing is successful, you will see a message confirming it.
- To verify the successful signature use the following commands:
Authenticode: signtool verify /v /pa c:/path/to/your/file.exe
Kernel Driver Signing: signtool verify /v /kp c:/path/to/your/file.exe
You may also verify the signature within the properties of the file, under the Digital Signatures tab.
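The sign and verify steps above, wrapped in a PowerShell script as an added example (not GlobalSign's own code). It pins the certificate with /sha1 instead of /a, then confirms that each file carries a valid signature from that certificate and a timestamp. The parameter names are hypothetical, and signtool.exe is assumed to be on PATH with the token connected.

```powershell
# Added example, not GlobalSign's script. Assumes signtool.exe is on PATH and the
# hardware token holding the certificate is connected. Parameter names are hypothetical.
param(
    [Parameter(Mandatory)] [string]   $Thumbprint,   # SHA-1 thumbprint of the signing certificate
    [Parameter(Mandatory)] [string[]] $Files,        # files to sign
    [string] $TimestampUrl = 'http://rfc3161timestamp.globalsign.com/advanced'
)

$ErrorActionPreference = 'Stop'
$Thumbprint = $Thumbprint -replace '\s', ''   # thumbprints copied from the certificate dialog contain spaces
$failed = @()

foreach ($file in $Files) {
    $target = (Resolve-Path -LiteralPath $file).Path

    # /sha1 selects exactly one certificate, /fd sets the file digest,
    # /tr with /td requests an RFC 3161 timestamp with a SHA-256 digest.
    & signtool sign /sha1 $Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 $target
    if ($LASTEXITCODE -ne 0) { $failed += "$target : signtool sign exited with $LASTEXITCODE"; continue }

    # Same Authenticode policy check as the manual verification step.
    & signtool verify /v /pa $target
    if ($LASTEXITCODE -ne 0) { $failed += "$target : signtool verify exited with $LASTEXITCODE"; continue }

    # Independent check through Windows itself: status, signer identity, timestamp present.
    $sig = Get-AuthenticodeSignature -LiteralPath $target
    if ($sig.Status -ne 'Valid') {
        $failed += "$target : signature status is $($sig.Status)"
    }
    elseif ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
        $failed += "$target : signed by unexpected certificate $($sig.SignerCertificate.Thumbprint)"
    }
    elseif (-not $sig.TimeStamperCertificate) {
        # Without a timestamp the signature stops validating once the certificate expires.
        $failed += "$target : signature has no timestamp"
    }
}

if ($failed.Count -gt 0) {
    $failed | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Signed and verified $($Files.Count) file(s)."
```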