Home » Software Security Blog » How to Digitally Sign Executable Files and Why It’s Important
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
what is executable signing

AV-TEST says they register more than 450,000 new malware programs and potentially unwanted applications (PUAs) every day. Digitally signing executable files helps you protect your application’s integrity and establish trust

According to 2020 data from Statista, one of the most common ways people receive malware is through executable files. So, it’s reasonable to ask questions like: ‘Are .exe files safe to install?’ For instance, a user may receive a Microsoft Defender SmartScreen warning message if they run an unsigned executable file because the file is untrusted by the security tool.

Usually, users face Microsoft Defender SmartScreen warning messages if someone tries installing an unsigned (i.e., untrusted) software or application. Why? Because Windows operating systems consider unsigned executables and scripts as unsafe and potentially malicious files because they could be. (Better safe than sorry, right?)

So, how can you ensure your executable files don’t seem suspicious to your users or their operating systems? Using an executable signing certificate is the answer. To make your executable files more trustworthy in the user’s eyes and to remove the Microsoft SmartScreen warning, you’ll need to digitally sign your executable files using a code signing certificate.

What Is an Executable Signing Certificate?

Executable signing certificates, commonly referred to as code signing certificates, are digital files you can use to digitally sign executable files (.exe files). The code signing certificate uses a cryptographic hash that validates the executable file’s integrity and authenticity.

Executable code signing certificates are issued by reputable certificate authorities (CAs) like Sectigo and DigiCert. These certificates allow you to apply a digital signature that verifies the author’s identity and helps to confirm that the digitally signed executables are from a legitimate organization — not any malicious cybercrooks.

Executable signing certificates identify the software publisher to the user. A trusted publisher is one whose certificate is installed in the certificate store of Trusted Publishers. You can’t be a trusted publisher without a certificate!

unsigned software message
Unsigned Software Example
unsigned software message
Signed Software Example

Code Signing Certificates

Furthermore, executable signing certificates are available with standard (sometimes called organization validation, or OV) and extended validation (EV). The EV version provides better trust and identity assurance than a standard certificate because it requires a physical hardware security token for executable signing. Using this token during the code signing process eliminates the Microsoft SmartScreen warning that we mentioned earlier.

Benefits of Signing Executable Files With an EV Code Signing Certificate

It’s challenging to get users to trust any newly created executable file. A signed certificate is more trustworthy, improving the reputation of the creator of the file. Some of the benefits of signing executable files using EV code signing certificates are:

  • Promotes trust and identity. Using an EV code signing certificate verifies and asserts your identity as the creator of the executable file. This is particularly beneficial when distributing and sharing signed software applications on multiple platforms like third-party software publishing websites.
  • Ensures file integrity. Digitally signing your software offers proof that the executable file hasn’t been meddled or tampered with since you signed it.

How to Sign Executable Files Using EV Code Signing Certificate

Before you can digitally sign your executable file using an EV code signing certificate, you’ll first need to install SafeNet on the device that you plan to sign software on. SafeNet Authentication Client is desktop software that allows you to access and manage your EV code signing certificates and change the password for your tokens.

Below are the steps to digitally sign executables. But, before you start digitally signing executable files, you should:

  • Set up SafeNet.
  • Use a computer that has Microsoft Windows OS installed.
  • Install SignTool as part of your Windows Development Kit on your computer.

Steps to Sign Executable Files

Once you complete the above steps, follow these instructions to digitally sign your executable files:

  • Insert the USB token that you got from your CA into your system.
  • Open the software SafeNet Client that you installed in your system.
  • Open the command-line tool SignTool.
  • Use the following command to digitally sign and timestamp your executable using SHA-256.

Note: Be sure to change the information to match your CA’s timestamp server address and the file path to your executable file.

signtool sign /tr https://timestamp.<certificate-authority-name>.com /td sha256 /fd sha256 /a "c:\path\file_you_wish_to_sign.exe"

  • You’ll be asked to enter the EV certificate token’s password once you enter the above command.
  • Once you enter the token password, the executable file will be signed.

Verify Your Executable Is Properly Signed

Once you’ve signed your executable, you should verify the signature before making it available to end-users:

  • Open the folder where you’ve saved your signed executable file.
  • Select and right-click that executable file and click on properties.
  • If your executable file is signed correctly, you’ll see the EV code signing certificate details on the Digital Signatures menu.

Closing Thoughts

Dangerous malware infects many executable files. Microsoft’s operating system takes every possible step to make users aware of its dangers, for instance, by displaying Microsoft Warning messages if anyone tries to install unsigned or suspicious executables.

If you want users to trust your executable files, you should sign them using an EV code signing certificate from respected CAs like Sectigo or DigiCert. This way, if someone tries to tamper with your software after you’ve signed it, users will know that it’s been modified because it will trigger the Microsoft Defender SmartScreen warning message.