How to Sign an EXE File Using the Code Signing Process

Code signing is the digital equivalent of sealing an envelope or stamping a document with your company's seal. It proves the identity of the publisher and ensures the integrity of the software. Unsigned software often triggers security warnings or is blocked by Windows SmartScreen, which can damage user trust.

Whether you’re a solo developer or part of a large DevOps team, signing your EXE files is a best practice you can’t afford to skip.

• Trust: Signed code tells users the software comes from a verified publisher.
• Integrity: Guarantees the code has not been modified after signing.
• SmartScreen Reputation: Reduces security warnings in Windows.
• Compliance: Required by many app stores and enterprise environments.
  
  

Standard Code Signing Certificate

• Best for small developers or internal apps.
• Requires storage of private key on local machine.

Extended Validation (EV) Code Signing Certificate

• Stronger identity validation.
• Required for immediate SmartScreen reputation.
• Private key stored on hardware token (USB).

Prerequisites for Code Signing Certificate

• A code signing certificate (Standard or EV) from a trusted CA.
• Windows SDK (for SignTool).
• Finalized .exe file.
• (Optional) USB Token for EV certificates.

https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/

A. Using Microsoft SignTool (Standard Certificate)

1. Launch Developer Command Prompt for Visual Studio.
2. Run the following command:

signtool sign /f YourCertificate.pfx /p YourPassword /tr http://timestamp.digicert.com /td sha256 /fd sha256 YourApp.exe

Explanation of parameters:

• /f: Path to the certificate (PFX file).
• /p: Password to unlock the PFX.
• /tr: Timestamp URL.
• /td: Digest algorithm for timestamp.
• /fd: Digest algorithm for file.

B. Using EV Certificate (Token-Based)

1. Plug in the USB token.
2. Run the command using certificate name:

signtool sign /n "Your Company Name" /tr http://timestamp.digicert.com /td sha256 /fd sha256 YourApp.exe

No need for /f and /p when using a token.

After signing, verify it to ensure correctness.

A. Windows Explorer

1. Right-click on the .exe file.
2. Go to Properties > Digital Signatures.
3. View details of the signature.

B. Using SignTool

signtool verify /pa /v YourApp.exe

• Certificate not found: Ensure the certificate is correctly installed or connected.
• Invalid timestamp: Use a valid timestamp server (e.g., DigiCert, Sectigo).
• SmartScreen still warning: EV certs help avoid this; otherwise, SmartScreen reputation builds over time.
• "Unknown Publisher": Check certificate chain and ensure it's not expired.

• Use a timestamp server: Prevents signatures from expiring when your certificate does.
• Secure private keys: Store PFX files safely or use EV hardware tokens.
• Use SHA-256: Modern standard required by most platforms.
• Sign before distribution: Always sign after final build.
• Renew certificates early: Avoid gaps in signing capabilities.

Signing your EXE files not only secures your software but also elevates your credibility. Users and systems prefer signed software, and platforms like Windows enforce trust requirements more rigorously than ever.

Don’t leave your code vulnerable—integrate signing as a routine part of your development and release process.