Didier Stevens

Wednesday 31 December 2008

Howto: Add a Digital Signature to Executables

Filed under: Encryption — Didier Stevens @ 10:56

Signtool.exe is the standard Windows development tool for adding an Authenticode digital signature to PE files (executables, DLLs and other Windows binaries). This howto shows you how to use signtool. To sign code you need a code-signing certificate together with its private key: either one you created yourself under your own CA, or one bought from a commercial CA.

Signtool ships with the Platform SDK and with the .NET Framework SDK; install either to obtain it.

I use signtool from my makefile with command-line options to sign compiled code automatically, but in this howto I’ll show the interactive wizard.

First we install the certificate and private key we’ll use to sign code. They come in a PKCS#12 file (.p12 or .pfx): double-click it and let the Certificate Import Wizard do its work with the default options:



Because the PKCS#12 file also contains the root CA certificate, the wizard will install that too, and asks you whether you trust it:


It is not necessary to install this root CA certificate to produce a signature, but if it is absent from your store, signtool cannot build the complete chain and will not embed the root CA certificate in the signature. You also need the root CA certificate in the Trusted Root Certification Authorities store if you want Windows to trust all certificates issued by this root CA (or by its subordinate CAs) automatically, and that is what makes your own signature show up as trusted. Treat it as the trust decision it is: from then on, anything signed under that root by whoever holds its private key is trusted on that machine or account.

Now start the signing wizard from a command line like this: signtool signwizard.


For the purposes of this howto, we’ll sign notepad.exe. When you sign an executable that already has an embedded signature, signtool replaces it with the new one. notepad.exe as shipped by Microsoft has no embedded signature: its hash is listed in a signed security catalog (a .cat file) instead, so the file itself carries no certificate table. Make a backup before you sign it.


We’ll accept the default options the wizard presents (except for the timestamp):



Select the certificate (with its private key) we just installed, using Select from Store…:




By default the signature carries no timestamp from an external authority (a counter-signature). Without one, the signature stops being valid as soon as the signing certificate expires; with one, Windows keeps accepting the signature as long as the certificate was valid at the time of signing. It’s easy to add, for example using Verisign’s timestamp service: http://timestamp.verisign.com/scripts/timstamp.dll (of course, using this option requires Internet access).


Finally, click finish for the wizard to do its work:



From now on, notepad.exe’s Properties dialog shows a Digital Signatures tab with our signature.
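The wizard choices above, done non-interactively. This is an added example in Python, not code from the post: it builds and runs the signtool command lines a makefile would use (sign with the PKCS#12 file, counter-sign with the timestamp service, then verify). The flags /f, /p, /t, /d, /v and verify /pa are real signtool options; the names ia.pfx, notepad.exe and the password are placeholders, and running it needs a Windows machine with signtool.exe on the PATH and Internet access for the timestamp:

```python
"""Non-interactive equivalent of the signwizard choices: sign with a PKCS#12 file,
counter-sign with a timestamp authority, then verify. Added example; needs Windows
with signtool.exe on the PATH. File names and password below are placeholders."""
import subprocess
import sys

# Timestamp service named in the post; any Authenticode timestamp URL works here.
TIMESTAMP_URL = "http://timestamp.verisign.com/scripts/timstamp.dll"


def sign_command(target, pfx, password=None, timestamp_url=TIMESTAMP_URL, description=None):
    """Build the `signtool sign` command line for one PE file.

    /f  PKCS#12 file holding the certificate, its chain and the private key
    /p  its password (omit it and signtool prompts; on a build server prefer
        /sha1 <thumbprint> with the key in the certificate store instead of /f /p,
        so the password never appears in process lists or build logs)
    /t  Authenticode timestamp URL: the counter-signature that keeps the signature
        valid after the signing certificate expires
    /d  description, shown as the program name in UAC and download prompts
    /v  verbose: print the certificate chain that was embedded
    """
    cmd = ["signtool", "sign", "/v", "/f", pfx]
    if password is not None:
        cmd += ["/p", password]
    if timestamp_url:
        cmd += ["/t", timestamp_url]
    if description:
        cmd += ["/d", description]
    cmd.append(target)
    return cmd


def verify_command(target):
    """Build the `signtool verify` command line.

    /pa selects the Authenticode policy. Without it signtool applies the Windows
    driver-signing policy and usually rejects ordinary executables even though
    their signature is fine.
    """
    return ["signtool", "verify", "/pa", "/v", target]


def run(cmd):
    """Run one signtool command; return (exit code, combined stdout/stderr)."""
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)
    return proc.returncode, proc.stdout


def sign_and_verify(target, pfx, password=None, description=None):
    """Sign, then verify; raise on the first failure so a build stops there."""
    for cmd in (sign_command(target, pfx, password, description=description),
                verify_command(target)):
        code, output = run(cmd)
        if code != 0:
            raise RuntimeError("%s %s failed (exit %d):\n%s" % (cmd[0], cmd[1], code, output))
        print(output)


if __name__ == "__main__":
    # e.g.  python sign.py notepad.exe ia.pfx secret   (placeholder names)
    sign_and_verify(sys.argv[1], sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else None)
```

signtool verify prints the chain it built. On a machine that does not have your root CA in its Trusted Root Certification Authorities store it fails with a root-not-trusted error even though the signature itself is intact; that is the same distinction the Digital Signatures tab draws between a valid signature and a trusted one.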




Windows reports this certificate as OK because we installed the root CA certificate in our Trusted Root Certification Authorities store. Check the same file on another machine, or under another account if you installed the root CA in the current user’s store rather than the machine store, and you get a warning instead: the signature itself still verifies (the file has not been modified since it was signed), but the chain ends in a root CA that machine or account does not trust:



If you didn’t make a backup of notepad.exe and want to remove the signature, use my digital signature tool disitool.
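What “embedded signature” versus “security catalog” means at the byte level, and what a tool like disitool has to undo, as an added example in Python (standard library only; not code from the post or from disitool). It locates the security data directory (entry 4 of the optional header’s data directories, which uniquely holds a file offset rather than an RVA), lists the PKCS#7 blobs in the WIN_CERTIFICATE table, computes the Authenticode image hash, which skips the CheckSum field, that directory entry and the certificate table (which is why a signature can be appended to a file without invalidating the hash that was signed, and why signing notepad.exe does not change the hash its catalog lists), and strips the table again. The PE it builds for testing is a constructed minimal PE32 with no sections, and the blob it wraps is a placeholder standing in for a real PKCS#7 SignedData structure:

```python
"""Inspect, hash and strip the Authenticode certificate table of a PE file.
Added example, standard library only; not code from the post or from disitool."""
import hashlib
import struct

SECURITY_DIR_INDEX = 4                  # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def _header_offsets(data):
    """(offset of CheckSum, offset of the security directory entry or None)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                               # past "PE\0\0" and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                # PE32
        nrva_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                              # PE32+
        nrva_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, nrva_off)[0]
    secdir = dirs_off + 8 * SECURITY_DIR_INDEX if num_dirs > SECURITY_DIR_INDEX else None
    return opt + 64, secdir                           # CheckSum is at +64 in both formats

def security_directory(data):
    """(file offset, size) of the certificate table, or None if the file is unsigned or,
    like notepad.exe, signed only through a catalog. This entry is a file offset, not an RVA."""
    _, secdir = _header_offsets(data)
    if secdir is None:
        return None
    off, size = struct.unpack_from("<II", data, secdir)
    if off == 0 or size == 0:
        return None
    if off + size > len(data):
        raise ValueError("certificate table runs past the end of the file")
    return off, size

def embedded_signatures(data):
    """Raw PKCS#7 SignedData blobs, one per WIN_CERTIFICATE entry in the table."""
    loc = security_directory(data)
    if loc is None:
        return []
    off, end, blobs = loc[0], loc[0] + loc[1], []
    while off + 8 <= end:
        length, _revision, ctype = struct.unpack_from("<IHH", data, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at 0x%x" % off)
        if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            blobs.append(bytes(data[off + 8:off + length]))
        off += (length + 7) & ~7                      # entries are 8-byte aligned
    return blobs

def authenticode_hash(data, algorithm="sha1"):
    """Digest as Authenticode computes it: the CheckSum field, the security directory
    entry and the certificate table are skipped, so attaching or stripping a signature
    leaves it unchanged. Hashes the file in order; the spec walks sections by
    PointerToRawData, which is the same thing for a normally laid out file."""
    checksum, secdir = _header_offsets(data)
    skip = [(checksum, checksum + 4)]
    if secdir is not None:
        skip.append((secdir, secdir + 8))
        loc = security_directory(data)
        if loc is not None:
            skip.append((loc[0], loc[0] + loc[1]))
    h, pos = hashlib.new(algorithm), 0
    for start, stop in sorted(skip):
        h.update(data[pos:start])
        pos = stop
    h.update(data[pos:])
    return h.hexdigest()

def strip_signature(data):
    """Clear the directory entry and drop the table, which signtool appends at EOF."""
    loc = security_directory(data)
    if loc is None:
        return bytes(data)
    off, size = loc
    out = bytearray(data)
    struct.pack_into("<II", out, _header_offsets(data)[1], 0, 0)
    if off + size == len(out):
        del out[off:]
    else:                                             # something follows the table: keep offsets
        out[off:off + size] = b"\0" * size
    return bytes(out)

def build_sample_pe(signature=None):
    """Constructed minimal PE32 (no sections) for offline testing; `signature` stands in
    for a real PKCS#7 blob and is wrapped in a WIN_CERTIFICATE entry."""
    image = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 64))  # DOS header, e_lfanew = 64
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, 0 sections
    opt = bytearray(224)                              # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)       # CheckSum
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    image += opt + b"\x90" * 128                      # stand-in for section data
    if signature is not None:
        entry = struct.pack("<IHH", 8 + len(signature), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
        entry += signature + b"\0" * (-(8 + len(signature)) % 8)   # pad to 8-byte alignment
        struct.pack_into("<II", image, _header_offsets(image)[1], len(image), len(entry))
        image += entry
    return bytes(image)
```

Run embedded_signatures() over the notepad.exe we just signed and you get one blob; run it over the original notepad.exe and you get nothing, because its hash lives in a .cat file rather than in the file itself. authenticode_hash() reproduces the hashing rules but does not verify the signature: that needs a PKCS#7 parser and the chain building Windows does for you, and on a file with an overlay or unusually ordered sections the in-order hashing here can differ from the spec’s section walk.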


  1. […] Signature to a Firefox Add-on Filed under: Encryption — Didier Stevens @ 22:02 After signing a Windows executable with our own certificate, let’s sign an XPI […]

    Pingback by Howto: Add a Digital Signature to a Firefox Add-on « Didier Stevens — Thursday 1 January 2009 @ 22:03

  2. […] Signature to a PDF File Filed under: Encryption, PDF — Didier Stevens @ 21:47 After signing an executable and a Mozilla add-on, let’s sign a PDF document with our […]

    Pingback by Howto: Add a Digital Signature to a PDF File « Didier Stevens — Sunday 4 January 2009 @ 21:47

  3. I followed the instructions, but my signtool does not show the certificate after pressing the “select from store” button (instead Windows says that no certificate was found). The certificate can be found with the “certmgr.msc” tool. When I use the “custom” way instead of “typical”, I am able to select the file (ia.crt) but then the key cannot be selected. I am using Windows 7.

    Comment by Ekke — Saturday 11 December 2010 @ 20:52

  4. @Ekke When you find the cert with the cert manager, where is it exactly located?

    Comment by Didier Stevens — Saturday 11 December 2010 @ 21:20

  5. I installed ca.crt into “trusted root certification authorities” and ia.crt into “personal”.

    Comment by Ekke — Sunday 12 December 2010 @ 13:19

  6. As always – error in front of the computer! I forgot to generate the ia.p12 file. After installing this, it’s running. Thanks!

    Comment by Ekke — Sunday 12 December 2010 @ 13:25

  7. Have you ever tried to sign a device driver with the given method? Even though everything looks nice (e.g. signature path valid etc.), Windows 7 64-bit denies the driver’s installation.

    Comment by Ekke — Monday 13 December 2010 @ 11:29

  8. @Ekke You can’t use a self-signed certificate for Kernel Mode Code Signing https://www.microsoft.com/whdc/driver/install/drvsign/kmcs-walkthrough.mspx

    Comment by Didier Stevens — Monday 13 December 2010 @ 17:40

  9. Can’t get rid of that issuer even after I deleted the cert files. Any ideas?

    You are about to install a certificate from a certification authority (CA) claiming to represent:

    Windows cannot validate that the certificate is actually from “***”. You should confirm its origin by contacting “***”. The following number will assist you in this process:

    Thumbprint (sha1): 0B7F31C0 7EA21AD5 FA0487C5 EA63D58F 1798E0AE

    If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk. If you click “Yes” you acknowledge this risk.

    Do you want to install this certificate?

    Comment by rain — Friday 22 April 2011 @ 22:03

  10. @rain So your remaining problem is the popup?

    Comment by Didier Stevens — Saturday 23 April 2011 @ 11:14

  11. […] it’s only now that I hold all the pieces to test this flag. A normal authenticode signature is not enough. And you can not use a selfsigned certificate. You need to buy a certificate (aka […]

    Pingback by Using DLLCHARACTERISTICS’ FORCE_INTEGRITY Flag « Didier Stevens — Thursday 27 October 2011 @ 17:46

  12. Can you do anything to self-sign an EXE and replace the “Unidentified Publisher” text (that shows in the Windows UAC dialog) with your own text? Obviously the EXE can’t be “trusted” since it is a self-signed cert, but it seems like UAC should show the “signing” text instead of “Unidentified Publisher”. I can get the EXE properties to indicate that I have successfully signed the EXE, but the UAC still shows “Unidentified Publisher”. I know I can “manually trust” my cert and make it work on my own system, but I can’t ask my end users to do that. I just want the UAC to identify the EXE with my name instead of “Unidentified Publisher”. If that can ONLY be done with a valid, purchased cert (that is, one that is not self-signed), I’d like to know for sure.

    Comment by J — Saturday 17 March 2012 @ 4:12

  13. @J
    1) are you using a simple self-signed cert or one with a root CA and a sub CA?
    2) what do you mean with manually trust? Install the root CA?

    Comment by Didier Stevens — Saturday 17 March 2012 @ 9:13

  14. 1) I created a root CA and a sub CA
    2) Yes, by “manually trust” I meant install the root CA. On the machine where I created the certs, I installed the root CA and when I run my EXE it shows me my name (as specified when creating the cert) instead of “Unidentified Publisher”. If I run my EXE on a brand new machine (equivalent to a “customer”), it shows me “Unidentified Publisher” still.

    I’m really hoping you or someone else can confirm my results and say whether anything else is even possible. Like I said, I don’t expect the EXE to indicate it is now fully “trusted” being self-signed and all, but it sure seems like the UAC should be able to say the equivalent of “This EXE was signed by XXX who is not currently trusted. Do you want to run it anyway?”.

    Thanks for helping Didier.

    Comment by J — Saturday 17 March 2012 @ 17:12

  15. @J AFAIK, there is no other way to display your name than to have the EXE signed under a root CA that is trusted, e.g. stored in the Trusted Root CA store.

    Comment by Didier Stevens — Saturday 17 March 2012 @ 21:15

  16. Didier, I created my own certificate and key using https://toolbokz.com/gencert.psp. I received no errors or warnings. I then renamed ia.p12 to ia.pfx and then ran the command:
    signtool sign /f "c:\program files\windows sdks\v7.1\bin\ia.pfx" "c:\development\commnfac\setup.exe"
    I received no messages and everything looked OK. However, when I copied the setup.exe file onto another computer and ran it, the dialog box showed Publisher: Unknown. Also, because I have Norton Internet Security, I get a message from Norton saying the program is a threat and asks if I want to continue. I thought signing an EXE file was supposed to put a name in the publisher area and avoid messages from antivirus/malware programs. What is going wrong?

    Please help.


    Comment by Bob Gattol — Friday 20 March 2015 @ 18:23

  17. @Bob Did you install the root CA on the second machine?

    Comment by Didier Stevens — Saturday 21 March 2015 @ 9:54

  18. @Didier No. I just ran the signed setup program from a flash drive. Sounds like I have to do something before this.

    Comment by bobgatto — Sunday 22 March 2015 @ 3:48

  19. If you want the signature to be valid, you need to install the root CA.

    Comment by Didier Stevens — Sunday 22 March 2015 @ 10:50

  20. @Didier So you’re saying I have to copy ca.key onto the computer before I install the signed program?

    Comment by bobgatto — Sunday 22 March 2015 @ 13:10

  21. @bob No, you never share your private keys. You have to keep them secure. You need to install the root CA if you want your signature to be valid: ca.crt

    Comment by Didier Stevens — Sunday 22 March 2015 @ 17:01

  22. @Didier So where does the ca.crt get installed and does it have to be installed first? My installer gives the option of selecting where the program is to be installed.

    Comment by bobgatto — Sunday 22 March 2015 @ 17:40

  23. @bob Your installer? What is your final goal with this?

    Comment by Didier Stevens — Sunday 22 March 2015 @ 18:34

  24. @Didier I have an installer that I want to run on another computer to install a program u wrote. I signed the installer but the UAC dialog keeps coming up with Publisher: Unknown and my Norton Internet Security displays a dialog box showing it is an untrustworthy program and should not be installed. I want to show the publisher with the company name and to have Norton trust this program.

    Comment by bobgatto — Sunday 22 March 2015 @ 20:01

  25. @bob A program I wrote? What program? And is this machine you want to install on your machine? Or somebody else, like a client?

    Comment by Didier Stevens — Sunday 22 March 2015 @ 20:20

  26. @Didier I’m sorry. I meant “I” when I wrote “u”. It’s my program. Eventually I would like to get it on other home computers. But for now, I’ve developed, compiled, and signed it on my laptop and am testing installation on my desktop.

    Comment by bobgatto — Sunday 22 March 2015 @ 20:27

  27. @Bob OK, because my Windows programs are already signed with a commercial certificate. You need to install the root CA on the target machine. Copy it to the machine (ca.crt), double-click it, select to install the certificate for the machine in store Trusted Root Certification Authorities.

    Comment by Didier Stevens — Sunday 22 March 2015 @ 20:49

  28. […] have a couple of how-to posts on digital signatures, like this code signing post. Let me revisit this topic now that Microsoft announced some upcoming changes to code […]

    Pingback by Authenticode And Timestamping And sha256 | Didier Stevens — Tuesday 24 November 2015 @ 0:01
