Code Signing Best Practices
Want to keep your software and code safe?
Enter your contact information below below to receive your FREE Best Practices PDF:
As a software developer, you likely know the lifecycle of developing software and are well acquainted with the challenges that come with them. This includes everything from errors and quality checks to the essential phases virtually all software should go through prior to being published. One important step is signing your software’s executable files with a code signing certificate.
Modern security threats make signing your executable files basically mandatory. It’s how you can prevent the “unknown publisher” warning messages from displaying in users’ browsers and Windows User Access Control pop-ups. And depending on which type of code signing certificate you use — standard versus extended validation (EV) — you can also make the Windows Defender SmartScreen messages. (EV code signing certificates enable your software to be trusted automatically by users’ Windows operating systems and browsers.)
Let’s quickly explore why signing your software is important and how to sign an executable.
Signing your software helps you prove to users’ browsers and operating systems that your software comes from a trusted source. So, suppose you don’t know how to sign an executable file or have questions about signing an EXE file. In that case, we recommend reading our guide that provides step-by-step instructions on how to code sign an EXE file using Microsoft Authenticode signatures. However, we’ll also walk you through the process momentarily in this article.
Once you complete all the required verification processes, such as providing all the documents and information the issuing certificate authority (CA) requests, your Microsoft Authenticode code signing certificate will be issued. Then, you need to save the .p12 (PFX) file and follow the steps below to sign your executable file.
Signing your software isn’t a process that’s particularly complicated. Say you have an executable you want to sign titled YourSoftware.exe. You can sign it using the following steps:
SignTool sign /f YourCertFile.pfx YourSoftware.exe
SignTool sign /f YourCertFile.pfx /p AddYourPasswordHere YourSoftware.exe
If you’ve completed the aforementioned steps, congratulations! You have successfully signed your executable file. But what if you want to timestamp your signature?
Check out this post on timestamping to learn more about what timestamping is and why it’s important for executable signing. But to provide you with a quick understanding, a timestamp provides a verifiable way to show precisely the moment when you signed your software. This way, if the file is altered after you signed it, users know that it’s likely been tampered with and that the file can’t be trusted.
To sign using a DigiCert code signing certificate, use the following command:
SignTool sign /f YourCertFile.pfx /t https://timestamp.digicert.com YourSoftware.exe
Once you complete your signing process, we recommend verifying your signature.
To check whether your software’s .exe file was signed properly, simply enter the following command into your Command Prompt window to verify the signer certificate:
SignTool verify /v YourSoftware.exe
Prove Your Software Is Trustworthy
Signing your code shows users that your software and updates can be trusted.
Download our free code signing best practices eBook to learn how to help keep your supply chain secure and your company, customers & end-users safe.
As a software publisher or developer, you may already know how code signing your executable file can help avoid security warning messages while also verifying your identity. Unfortunately, you may not always remember the steps involved or have questions about how to sign executable files.
If that’s the situation and you’re questioning “how to sign an EXE file,” then the steps we’ve mentioned here will help you to sign your executable file quickly. We hope it proves helpful. Good luck!