Code signing an application on Windows


We recently purchased our code signing certificate from Comodo, and while it was quite easy to obtain the certificate, using it to sign our application took some tinkering and know-how which I will probably have forgotten by tomorrow.

Most importantly, and I don’t believe this is communicated well enough through the whole process of ordering and receiving your certificate, you must use the same computer and browser to request the certificate as well as to collect it.

Once you have installed the certificate on this exact computer, you have to export it in order to continue, which is described in detail here. Exporting to the .pfx format did not work for us because we used Firefox to request and obtain the certificate, and Firefox doesn't seem to allow you to export that format. We exported the certificate in the .p12 format instead, which is also supported by the Windows signtool.exe application.

Before using the signtool to sign your application you probably have to add it to your PATH variable first. The path depends on your system (Windows 7/8/10) but it should look like this:

C:\Program Files (x86)\Windows Kits\8.0\bin\x64

Now that signtool.exe is in your PATH you can start using it by signing your application's .exe file:

signtool sign /t http://timestamp.digicert.com /f my-cert.p12 /p "mypass" my-app.exe

Note: You can use either .p12 or .pfx certificates to sign. The /t timestamp parameter is optional and will work regardless of where you purchased your certificate from.

To verify that your application was signed successfully use this command:

signtool verify /pa /v my-app.exe
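The whole procedure above (find signtool.exe, sign, verify) as one PowerShell script. This is an added example and not code from the original post; the file names my-cert.p12 and my-app.exe are the placeholders used in the post, the timestamp URL is the one from the post, and the assumption that it also answers RFC 3161 requests (/tr) is mine. The script prompts for the certificate password at runtime rather than taking it on the command line, so it does not end up in the shell history or in process listings, and it checks the result both with signtool verify and with PowerShell's Get-AuthenticodeSignature.

```powershell
# Added example (not from the original post): locate signtool.exe, sign an .exe,
# then verify the signature with both signtool and Get-AuthenticodeSignature.
# Assumed names: .\my-cert.p12 and .\my-app.exe (placeholders from the post).
param(
    [string]$CertFile     = '.\my-cert.p12',
    [string]$Target       = '.\my-app.exe',
    [string]$TimestampUrl = 'http://timestamp.digicert.com'
)

$ErrorActionPreference = 'Stop'

# 1. Find signtool.exe instead of hard-coding one Windows Kits version.
#    Newer kits live under ...\Windows Kits\10\bin\<version>\x64,
#    older ones under ...\Windows Kits\8.x\bin\x64.
function Find-SignTool {
    $roots = @("${env:ProgramFiles(x86)}\Windows Kits", "$env:ProgramFiles\Windows Kits")
    $candidates = foreach ($root in $roots) {
        if (Test-Path $root) {
            Get-ChildItem -Path $root -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue |
                Where-Object { $_.FullName -match '\\x64\\signtool\.exe$' }
        }
    }
    # Highest path sorts last, so descending order prefers the newest kit.
    $tool = $candidates | Sort-Object FullName -Descending | Select-Object -First 1
    if (-not $tool) { throw 'signtool.exe not found; install the Windows SDK (Windows Kits).' }
    return $tool.FullName
}

$signtool = Find-SignTool
Write-Host "Using $signtool"

# 2. Ask for the .p12/.pfx password at runtime instead of passing it on the
#    command line, where it would land in shell history and process listings.
$secure = Read-Host -Prompt 'Certificate password' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# 3. Sign. /fd sha256 selects the file digest; /tr plus /td sha256 request an
#    RFC 3161 timestamp so the signature stays valid after the certificate expires.
#    (The post uses /t, the older Authenticode timestamp request; both work.)
& $signtool sign /fd sha256 /tr $TimestampUrl /td sha256 /f $CertFile /p $plain $Target
$plain = $null
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 4. Verify with signtool (/pa = default Authenticode policy, /v = verbose, as in the post) ...
& $signtool verify /pa /v $Target
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# 5. ... and independently with PowerShell, which also shows who timestamped it.
$sig = Get-AuthenticodeSignature -FilePath $Target
if ($sig.Status -ne 'Valid') {
    throw "Signature status: $($sig.Status) - $($sig.StatusMessage)"
}
Write-Host "Signed by   : $($sig.SignerCertificate.Subject)"
Write-Host "Thumbprint  : $($sig.SignerCertificate.Thumbprint)"
Write-Host "Timestamped : $($sig.TimeStamperCertificate.Subject)"
```

Run it from the directory containing the certificate and the binary, e.g. `.\Sign-App.ps1 -Target .\my-app.exe`. The /t switch from the post requests an Authenticode timestamp, while /tr requests an RFC 3161 timestamp; either one matters for the same reason, because without a timestamp the signature is treated as invalid once the certificate expires. If Get-AuthenticodeSignature reports anything other than Valid (for example NotSigned or HashMismatch), the StatusMessage tells you why before you ship the file.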