How to Sign Authenticode Files with SignTool using KSP Library?


Signing code is a critical process for maintaining software integrity and developer trust. On a Windows system, an Authenticode signature lets users and the operating system confirm that a program or driver has not been modified since it was published.
Using Microsoft SignTool together with a Key Storage Provider (KSP) service such as DigiCert® KeyLocker, executables, DLLs, and installers can be signed while the private key never leaves the managed cloud HSM.
This guide walks through, step by step, how to sign Authenticode files with SignTool using the KSP library to reach the private key.
Prerequisites
Operating System: Windows 10 or Higher
Authenticode signing must be done in a Windows environment because SignTool is a Microsoft utility built specifically for code signing on Windows.
Windows 10 or later is strongly recommended: it fully supports SHA-256 hashes, ships updated certificate management tools, and works reliably with the DigiCert KeyLocker KSP library.
Older versions of Windows may not support newer cryptographic standards or may still rely on legacy certificate store APIs, which can cause errors when signing or verifying files. Keep your Windows installation current with the latest security and SDK updates.
Installed and Configured DigiCert® KeyLocker Client
The DigiCert KeyLocker client is required software for securely accessing and using your private keys held in the cloud. Rather than storing the private key on a local device where it can be stolen or compromised, KeyLocker keeps the key in a hardware-backed cloud HSM (Hardware Security Module).
The KeyLocker client registers with the Windows Key Storage Provider (KSP) interface so that tools like SignTool can use your keys through a secure API without ever handling the key material directly.
Once the KeyLocker client is installed, it is necessary to set up your DigiCert account credentials and confirm connectivity with the KeyLocker service.
You will also list or manage your key pairs through DigiCert’s Signing Manager interface or command-line tool (smctl). This setup will confirm your system recognizes your signing identity before taking any signing action.
Download Microsoft SignTool
SignTool is the official utility provided by Microsoft as a command-line utility for signing and verifying Authenticode code. It is included with the Windows Software Development Kit (SDK), which you will also need to download from Microsoft’s official site.
When prompted, select “Windows SDK Signing Tools” during the installation. After installation, locate the signtool.exe binary, usually found at:
C:\Program Files (x86)\Windows Kits\10\bin\<version>\x64
For easier access from the command line, add this directory to your PATH environment variable. To verify the installation, run signtool.exe in a command prompt; if it succeeded, you will see a list of options and commands.
A Valid Code Signing Certificate in DigiCert KeyLocker
You will need a current, valid code signing certificate issued by DigiCert in your KeyLocker account. The certificate is your digital identity and establishes your organization or individual developer account’s authenticity when you sign your applications.
Instead of a traditional file-based certificate stored as a .pfx or .p12 on your file system, KeyLocker keeps the private key behind each certificate inside a secure cloud HSM. The key is non-exportable by design, which protects it from unauthorized use. This model meets modern software supply chain security standards.
Finally, before you sign, confirm that the certificate has not expired and is associated with the keypair alias you intend to sign with. You can inspect or manage your certificates in the DigiCert Signing Manager web console or with the smctl keypair list command.
Alias of the Keypair or the Fingerprint of the Certificate linked to your DigiCert Account
Every certificate within DigiCert KeyLocker is associated with a unique keypair alias, which will serve as your reference ID that SignTool will utilize to locate the proper signing key through the KSP interface.
When you use SignTool, you will explicitly set the alias value with the /kc parameter.
If your certificate is synced to the Windows Certificate Store, you can also sign using the certificate’s SHA-1 fingerprint (thumbprint). The thumbprint identifies one particular certificate, since it is unique within the Windows Certificate Store.
You can obtain the thumbprint with a PowerShell command, for example:
Get-ChildItem Cert:\CurrentUser\My | Select-Object FriendlyName, Thumbprint
Keeping track of both the alias and the thumbprint lets you use either signing method, depending on your signing configuration and environment.
Administrative Privileges for Command Execution and Syncing of Certificates
Some steps in the signing process, specifically syncing certificates to the Windows certificate store and accessing protected cryptographic services, require administrative privileges.
If you lack the appropriate permissions, you may encounter access-denied or certificate-not-found errors.
Before running any sign or verify command, right-click the Command Prompt or PowerShell icon and select “Run as administrator.” This lets SignTool, the KeyLocker client, and the Windows certificate store utilities run without permission issues.
Administrative permissions will be necessary for the additional steps of registering new certificate providers for use, modifying registry values for use with your Key Storage Provider (KSP), or synchronizing KeyLocker certificates using the smctl windows certsync command.
Running through administrative privileges avoids interruptions and enables the signing process to take place effectively and securely.
Steps for Signing Files using KSP Library and SignTool
Ensure your DigiCert KeyLocker client has been installed and the KSP (“DigiCert Signing Manager KSP”) has been configured correctly on your Windows system. This access allows SignTool to retrieve your private key from KeyLocker in a secure manner.
Identify the keypair alias from your DigiCert dashboard. Alternatively, obtain a copy of your public certificate (.crt file) or find the certificate thumbprint from your Windows certificate store.
If you have a local copy of your certificate, use this command:
signtool.exe sign /csp "DigiCert Signing Manager KSP" /kc <keypair_alias> /f <certificate_file> /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 <file_to_be_signed>
Example:
signtool.exe sign /csp "DigiCert Signing Manager KSP" /kc key1 /f example.crt /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 MyApp.exe
This command signs and timestamps your file using SHA-256 (see https://signmycode.com/resources/dual-sign-your-software-file-using-sha-256-sha) for modern compatibility.
If you prefer signing via fingerprint, first sync your certificate with Windows:
smctl windows certsync --keypair-alias=<keypair_alias>
Then use SignTool to sign:
signtool.exe sign /sha1 <certificate_thumbprint> /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 <file_to_be_signed>
Example:
signtool.exe sign /sha1 3550ffca3cd652dde30675ce681ev1e01073e647 /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 MyApp.exe
You can also retrieve the thumbprint in PowerShell by filtering on the certificate’s friendly name:
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.FriendlyName -like "<CERTIFICATE_ALIAS>" }
$thumbprint = $cert.Thumbprint
Write-Host $thumbprint
After signing, verify the file’s integrity and signature validity:
signtool verify /v /pa <signed_file>
Example:
signtool verify /v /pa MyApp.exe
Should the verification succeed, your file has been securely signed and is ready for distribution.
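The following PowerShell script is an added example, not code from the original post or from DigiCert, that ties the thumbprint-based steps above together: it locates signtool.exe under the Windows Kits path, picks the KeyLocker certificate synced into Cert:\CurrentUser\My, refuses to use an expired certificate, signs, verifies, and then confirms from PowerShell that the signer matches. The friendly name, the input file MyApp.exe, and the SDK path are assumed values.

```powershell
# Added example (not from the original post). Assumed values: friendly name, input file.
$ErrorActionPreference = 'Stop'

# Locate the newest signtool.exe under the Windows Kits path named in the guide.
$signtool = Get-ChildItem 'C:\Program Files (x86)\Windows Kits\10\bin\*\x64\signtool.exe' |
    Sort-Object { [version]$_.Directory.Parent.Name } -Descending |
    Select-Object -First 1 -ExpandProperty FullName
if (-not $signtool) { throw 'signtool.exe not found; install the Windows SDK Signing Tools.' }

# Pick the code-signing certificate synced from KeyLocker (smctl windows certsync) by
# friendly name, and refuse to use one that is expired.
$friendlyName = 'My KeyLocker Cert'   # assumed value
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.FriendlyName -eq $friendlyName }
if (-not $cert) { throw "No code-signing certificate named '$friendlyName' in Cert:\CurrentUser\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)" }

$file = 'MyApp.exe'                   # assumed input file
$tsa  = 'http://timestamp.digicert.com'

# Sign by thumbprint: SignTool resolves the private key through the KeyLocker KSP on its own.
& $signtool sign /sha1 $cert.Thumbprint /tr $tsa /td SHA256 /fd SHA256 $file
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy (/pa) with verbose output (/v).
& $signtool verify /v /pa $file
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Independent check from PowerShell: signature is valid and was made by the expected certificate.
$sig = Get-AuthenticodeSignature $file
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Unexpected signature state: $($sig.Status) by $($sig.SignerCertificate.Thumbprint)"
}
"Signed $file with $($cert.Thumbprint); timestamped by $($sig.TimeStamperCertificate.Subject)"
```

Run it from an elevated PowerShell session, as the guide requires; a non-zero SignTool exit code or a mismatched signer aborts the script instead of shipping an unsigned or wrongly signed binary.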
Conclusion
By using SignTool and the DigiCert KeyLocker KSP library, you benefit from both Microsoft-trusted Authenticode signatures and a cloud-based method for securing your keys.
This workflow is appropriate for any Windows executables, drivers, or installations, providing the level of assurance expected to maintain compliance and trust from your users.
For any trusted Code Signing Certificate and secure key management, SignMyCode is your end-to-end solution for DigiCert Code Signing automation and sign-on-demand.

Janki Mehta
Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.

*** This is a Security Bloggers Network syndicated blog from SignMyCode – Resources authored by Janki Mehta. Read the original post at: https://signmycode.com/resources/how-to-sign-authenticode-files-with-signtool-using-ksp-library
