Code Signing Certificate for Microsoft Authenticode Instructions

General Information ID:    INFO190
Version:    31.0
Published:    11/13/2007
Updated:    04/26/2012

Description

 
The following instructions help you get started. If you need more information, contact your browser or OS platform vendor directly.
 
STEP BY STEP OVERVIEW
 
Step 1: Download Signing Tools
 
The Platform SDK for Microsoft Windows contains the information and tools you need to develop Windows-based applications. You can use this SDK to develop both 32- and 64-bit applications. Make sure that you are running the most current version of the SDK. 
 
Windows NT and Windows Me/98/95: SignTool.exe is not supported. 
 
 
To install the minimal tools needed for signing your files, install only the Tools and Redistributable Components of the Microsoft Windows Core SDK.
 
Step 2: Operating System Overview
 
Windows XP/Windows 2000/Windows 2003
To sign, use the SIGNTOOL.EXE utility. The SignTool tool is a command-line tool that digitally signs files, verifies signatures in files, or time stamps files. For information about why signing files is important, see Introduction to Code Signing. The tool is installed in the \Bin folder of the Microsoft Windows Software Development Kit (SDK) installation path.
 
SignTool is available as part of the Windows SDK, which you can download from http://go.microsoft.com/fwlink/?linkid=84091 
You will also need your Digital ID file (generally called MyCredentials.spc) and your private key (MyPrivateKey.pvk). 

Windows Vista/Windows 7

To sign, use the SIGNTOOL.EXE utility. The SignTool tool is a command-line tool that digitally signs files, verifies signatures in files, or time stamps files. For information about why signing files is important, see Introduction to Code Signing.
 
SignTool is available as part of the Windows SDK, which you can download from http://go.microsoft.com/fwlink/?linkid=84091
Your Digital ID will be installed in the certificate store within Internet Explorer.

Windows Vista/7/2008 Windows Hardware Quality Labs (WHQL)
Please refer to Knowledge Base Solution SO5820.
 
Step 3: Signing Files by Operating System
 
To have your signatures recognised by Windows XP/Windows 2000/Windows 2003:

Go to: Start > Run
  1. Type CMD > click OK
  2. At the command prompt, enter the directory where signtool exists
    Note: The tool is installed in the \Bin folder of the Microsoft Windows Software Development Kit (SDK) installation path
  3. Run the following:

    signtool.exe sign /f mycert.pfx /p <password> /t http://timestamp.verisign.com/scripts/timstamp.dll /v "<file to be signed>"

    Note: Please see the following solution to create the PFX file (mycert.pfx): SO9777.  Replace <password> with the password specified when the PFX file was created (omit /p if there was no password set). Replace <file to be signed> with the name of the file you will be signing. 

Note: The order of the options in the command is important when signing the file. Any change to the order given above may result in error messages.

Test Your Signature

 
The Platform SDK SIGNTOOL.EXE utility contains a command to check a digital signature before distributing your file.
  1. Go to: Start > Run
  2. Type CMD > click OK
  3. At the command prompt, enter the directory where signtool exists
  4. Run the following:

    signtool verify /pa /v <your-file-name>

    Note: Replace <your-file-name> with the name of the file you signed.

When a code signed file is downloaded from a Web site using Internet Explorer, it will display this certificate to the user. If the file is tampered with in any way after it has been signed, the user will be notified and given the option to refuse installation.
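
The signing and verification commands above, combined into a batch file that stops at the first file that fails to sign or verify. This is an added example, not part of the original instructions; it assumes mycert.pfx is in the current directory, signtool.exe can be run from there, and the PFX password is held in an environment variable with the hypothetical name PFX_PASSWORD.

```bat
@echo off
rem Added example: sign each file named on the command line, then verify it.
rem Assumptions: mycert.pfx is in the current directory, signtool.exe is in
rem the current directory or on PATH, and the PFX password is stored in the
rem PFX_PASSWORD environment variable (hypothetical name).
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 file1 [file2 ...]
    exit /b 1
)
if not defined PFX_PASSWORD (
    echo PFX_PASSWORD is not set.
    exit /b 1
)

:next
if "%~1"=="" goto done

rem Same option order as the signing command in Step 3.
signtool.exe sign /f mycert.pfx /p "%PFX_PASSWORD%" /t http://timestamp.verisign.com/scripts/timstamp.dll /v "%~1"
rem SignTool exits with 0 on success, 1 on failure and 2 on warnings;
rem "if errorlevel 1" is true for any exit code of 1 or higher.
if errorlevel 1 (
    echo Signing failed or returned warnings for "%~1".
    exit /b 1
)

rem Same check as in "Test Your Signature".
signtool.exe verify /pa /v "%~1"
if errorlevel 1 (
    echo Verification failed or returned warnings for "%~1".
    exit /b 1
)

shift
goto next

:done
echo All files signed and verified.
exit /b 0
```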
 
To have your signatures recognised by all versions of Windows including Vista and 7:
 
For Windows Vista 64-bit and Windows 7 the signing process has changed. The code cannot simply be signed; it also needs to be "cross-signed" with a certificate provided by Microsoft.
 
For instructions on how to sign code for use in Windows Vista 64-bit and Windows 7, please follow the signing instructions from the following solution: SO5820
 
Note: Code signed using the cross-signing method will be recognised on all versions of Windows. It is therefore not required to create separately signed versions of the code for use on Windows 2000 - XP and Windows Vista/7.
 
Related Information
 
For more information about signing, see the Microsoft Developer Network Website.
