How to Sign an EXE or DLL in Visual Studio 2022 Using SignTool
Home » How to Sign an EXE or DLL in Visual Studio 2022 Using SignTool
(7 votes, average: 5.00 out of 5)
Code signing is a critical step in releasing secure, trusted software. Here’s a step-by-step guide to signing application executables or DLL files in Visual Studio.
Visual Studio simplifies software development and is essential for creating .NET applications. As developers increasingly distribute executable software, securing the exchange process is crucial. Code signing is vital to this security, protecting end-users and software distributors from malicious software and reputational harm. Code signing your application .exe and .dll files is essential when sending out executable content.
Before discussing how to sign an EXE in Visual Studio 2022, though, let’s briefly review what code signing is and why you should sign executables, DLLs, and other code in Visual Studio.
Code signing verifies the identity of the entity who released files and scripts and ensures that the code hasn’t been altered or infected with malware since signing. The process involves hashing and encryption and requires a code signing certificate. The sender encrypts the hash using their private key, and the recipient uses their public key to validate the signature. If the hashes match, the data is not tampered with, and if they are different, the file is compromised.
Code signing is a recommended software security practice and protects clients’ security and software creators’ reputations.
Let’s dive into how to sign an EXE using Visual Studio 2022. (Please note: This tutorial only covers how to sign an executable. This tutorial doesn’t cover manifest signing.)
Notice: It’s important to mention that the steps outlined in this article are the same for how to sign a DLL in Visual Studio. So, rather than write a separate article, we’ll address both how to sign an EXE and DLL in Visual Studio in this one.]
How to Sign an Executable or DLL in Visual Studio 2022
Looking for a video to walk you through the process of signing these files in Visual Studio? Look no further:
Of course, not everyone likes watching video tutorials. If you want a step-by-step guide to skim, then keep reading because we’ve got you covered.
Step 1: Purchase and Install a Code Signing Certificate
To sign an executable or DLL file in Visual Studio, the first thing you will need is a built-out executable you would like to sign. Next, you will need to obtain a code signing certificate from a trusted certificate authority (CA). (If your organization does not currently possess an organization validation (OV) code signing certificate or an extended validation (EV) token-based code signing certificate, you can purchase one here at CodeSigningStore.com.)
Once you get a code signing certificate, you’ll need to install the certificate into the Windows Certificate Store before proceeding with this tutorial on how to sign an EXE or DLL in Visual Studio.
Once you open Visual Studio, the next step will be to navigate to your project dashboard and open up the relevant project.
Step 3: Open PowerShell
Go to search bar or hit Ctrl+Q and look up “Developer PowerShell.”
The PowerShell terminal should open with the file pathway to the project you are working on. The executable you’re trying to sign should be in the folder that the pathway points to. If not, use the cd command to switch directories before proceeding.
Once you have PowerShell open, it should look like this:
Step 4: Use SignTool to Sign Your Executable or DLL File
The command line should show the file pathway to the folder of the current project you’re working on. Make sure that the .exe or .dll file you want to sign is in the destination folder — otherwise, this command will not work. (Remember: the directions are the same regardless of whether you’re signing an EXE or DLL file.)
To sign the file, we’ll use a tool called SignTool, which comes preinstalled in the Developer PowerShell of Visual Studio. This first command will automatically sign a file using your store’s best certificate. The command is as follows:
signtool sign /fd SHA256 dia.exe
In this case, our test project is a file named dia.exe. We’ll use this example file throughout this article.
What if you’re signing a DLL file instead of an EXE? No worries, the process will look virtually identical. Simply change the file extension in the command and continue with the process:
signtool sign /fd SHA256 dia.dll
How to Specify Which Certificate to Use in SignTool
What if you have multiple code signing certificates in your certificate store? No worries — there’s an easy way to specify which certificate you want to use. Simply use the following command:
signtool sign /n “My Company Certificate” /fd SHA256 dia.exe
That’s it! This command will enable you to sign your DLL or EXE file in Visual Studio. Now, it’s time to move on to the next step.
Step 5: Add a Timestamp to Your Executable
After the file has been successfully signed, it’s a code signing best practice to timestamp your signed files. This ensures that the digital signature will remain valid even after the certificate expires. For this example, we’ll use a DigiCert timestamp server to complete the following command.
Step 6: Verify the Code Signing and Timestamping Were Successful
Now that we have signed and timestamped our executable, we need to verify that this process was successful. To do that, enter the following command:
signtool verify /pa example.exe
The resulting SignTool response you’ll see in PowerShell should look something like this:
Why Is Code Signing Your EXE or DLL in Visual Studio Important?
Cybercriminals are more savvy and more organized now than they have ever been. In recent years, they have been able to successfully attack companies around the globe at devastating costs. Many of these companies send code to clients in the form of scheduled software updates and patches. This represents a huge opportunity for threat actors to infect many victims’ devices with malware, malicious scripts, and other damaging agents.
A successful attack of this nature could:
cause significant financial losses,
lead to potential litigation, and
result in permanent damage to a company’s reputation.
Code signing your application executables or DLL files from the very beginning in Visual Studio is a great way to help mitigate these risks. This also prevents the “Unknown Publisher” pop-up that displays when trying to install unsigned code in Windows. This warning causes confusion and can result in a loss of trust among users.
Code signing solves this problem by creating a standardized way of authenticating software releases and protecting clients and customers from the pervasive security threat in cyberspace. It’s a win-win for you and your software users.
Final Takeaways on Code Signing for EXE and DLL Files in Visual Studio
Code signing is an integral part of modern software distribution security. It’s a NIST-recommended security practice that, when implemented securely, ensures data integrity and authentication. This is needed now more than ever as cybercriminals continually seek new exploits in an ever-growing attack surface that includes development pipelines (such as the distribution of software updates).
By integrating code signing into your software security strategy and practices, you now have the tools you need to protect your organization, customers, and reputation.
Please check back on this blog for more useful content. You also can buy a code signing certificate at CodeSigningStore.com and enjoy significant savings on your purchase!
For more information on signing executable files, check out available resources:
Enter your contact information below below to receive your FREE Best Practices PDF:
Contact details collected by CodeSigningStore.com may be used to send you requested information, blog update notices, and for marketing purposes. Learn more…
New users – if this is your first time purchasing a cloud signing product from us, check the email address entered during enrollment for a message from DigiCert. Create your password and follow this guide.
Existing users – if you’ve purchased a cloud signing certificate in this account before, you already have an account. We’ve update your DigiCert CertCentral account to allow another Code Signing Certificate request. Login to your account here.
suspension note
In order to comply with U.S. export control and economic sanctions laws and regulations, as well as our corporate policies, we do not support users accessing our applications from Cuba, Iran, North Korea, Syria, and the regions of Crimea, Donetsk People’s Republic (DNR) and Luhansk People’s Republic (LNR) of Ukraine without prior approval from the U.S. government.
Please be aware that these restrictions apply even when a user is on temporary travel to embargoed regions although the user may not normally reside there. If you believe that you have reached this page in error, please reach out to support.
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Token + Shipping
This is the simplest option and what we recommend for most customers. DigiCert will ship a USB eToken to you, then you’ll use DigiCert’s provided software to download and install the certificate onto your USB Token.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Use an Existing Token
If you already own a compatible USB eToken (SafeNet 5110 CC, SafeNet 5110 FIPS, or SafeNet 5110+ FIPS), you can use DigiCert’s provided software to download and install the certificate onto your USB token.
Advanced Option: Install on a Hardware Security Module (HSM)
If you use a cloud or on-prem hardware security module (HSM), you can choose this option to download and install your certificate onto your HSM. DigiCert will send you an email asking you to confirm that your HSM meets the security standards, then they’ll deliver the certificate to you digitally for installation.
Any FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent HSM is compatible for this option. You can use an HSM you manage directly or you may use a key storage/vault solution that uses a compliant HSM (for example, Azure Key Vault or AWS KMS).
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Get your certificate shipped from Sectigo on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
Delivery Option
Shipping Details
USB Token + Shipping (US)
Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US)
Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US)
Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose this option to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Get your certificate shipped from Comodo CA on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
Delivery Option
Shipping Details
USB Token + Shipping (US)
Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US)
Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US)
Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose “Install on Existing HSM” to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.