Home » Software Security Blog » How to Sign Executable Files With a Code Signing Certificate
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
sign executable files with code signing certificate

We’ll break down how to sign your EXE files to make them more trustworthy for users

As a software developer, you likely know the lifecycle of developing software and are well acquainted with the challenges that come with them. This includes everything from errors and quality checks to the essential phases virtually all software should go through prior to being published. One important step is signing your software’s executable files with a code signing certificate.

Modern security threats make signing your executable files basically mandatory. It’s how you can prevent the “unknown publisher” warning messages from displaying in users’ browsers and Windows User Access Control pop-ups. And depending on which type of code signing certificate you use — standard versus extended validation (EV) — you can also make the Windows Defender SmartScreen messages. (EV code signing certificates enable your software to be trusted automatically by users’ Windows operating systems and browsers.)

unverified publisher vs verified publisher

Let’s quickly explore why signing your software is important and how to sign an executable.

What Code Signing Does for Software Security

Signing your software helps you prove to users’ browsers and operating systems that your software comes from a trusted source. So, suppose you don’t know how to sign an executable file or have questions about signing an EXE file. In that case, we recommend reading our guide that provides step-by-step instructions on how to code sign an EXE file using Microsoft Authenticode signatures. However, we’ll also walk you through the process momentarily in this article.

Once you complete all the required verification processes, such as providing all the documents and information the issuing certificate authority (CA) requests, your Microsoft Authenticode code signing certificate will be issued. Then, you need to save the .p12 (PFX) file and follow the steps below to sign your executable file.

How to Sign an Executable File

Signing your software isn’t a process that’s particularly complicated. Say you have an executable you want to sign titled YourSoftware.exe. You can sign it using the following steps:

  • Open the Start menu by clicking the Windows button in your computer’s navigation bar. (If you’re using Windows 10, just type the following command into the search bar at the bottom of your navigation toolbar.)
  • Type cmd and select Command Prompt.
  • Once the command prompt opens, run one of the two following commands — the one you choose should depend on whether you’re using a regular personal information exchange (PFX) file or one that’s password protected.
  • Signing when using a standard (non-password protected) PFX file:

SignTool sign /f YourCertFile.pfx YourSoftware.exe

  • Signing while using a password-protected PFX file:

SignTool sign /f YourCertFile.pfx /p AddYourPasswordHere YourSoftware.exe

If you’ve completed the aforementioned steps, congratulations! You have successfully signed your executable file. But what if you want to timestamp your signature?

How to Sign an Executable While Also Timestamping It

Check out this post on timestamping to learn more about what timestamping is and why it’s important for executable signing. But to provide you with a quick understanding, a timestamp provides a verifiable way to show precisely the moment when you signed your software. This way, if the file is altered after you signed it, users know that it’s likely been tampered with and that the file can’t be trusted.

To sign using a DigiCert code signing certificate, use the following command:

SignTool sign /f YourCertFile.pfx /t https://timestamp.digicert.com YourSoftware.exe

Once you complete your signing process, we recommend verifying your signature.

How to Verify the EXE File Signing Worked Properly

To check whether your software’s .exe file was signed properly, simply enter the following command into your Command Prompt window to verify the signer certificate:

SignTool verify /v YourSoftware.exe

Wrapping Up

As a software publisher or developer, you may already know how code signing your executable file can help avoid security warning messages while also verifying your identity. Unfortunately, you may not always remember the steps involved or have questions about how to sign executable files.

If that’s the situation and you’re questioning “how to sign an EXE file,” then the steps we’ve mentioned here will help you to sign your executable file quickly. We hope it proves helpful. Good luck!