Table of Contents
2
Home » Wiki » How to Sign an EXE File Using a Code Signing Certificate?

How to Sign an EXE File Using a Code Signing Certificate?

by | Code Signing

Sign EXE File Using Code Signing

Signing a Windows EXE File with Code Signing

Code signing is an important process for establishing security and building trust in software. It allows users to verify the identity of the publisher and ensure that the code has not been altered or corrupted since signing. By cryptographically signing executables and application packages, developers can provide assurances that their software comes from a trusted source and has not been tampered with.

This article provides a step-by-step guide on how to sign EXE file using Code Signing certificate from a trusted certificate authority. We will cover the prerequisites, including obtaining a certificate, the SignTool commands for signing, testing, and verifying the signature, troubleshooting issues, best practices, and case studies of code-signing attacks. Following proper code-signing processes is critical for countering software supply chain attacks.

Key Takeaways

  • Code signing provides security and builds trust by verifying the software’s publisher. It involves obtaining a certificate and cryptographically signing executables.
  • Hardware and software prerequisites include a Windows OS, SignTool, and secure hardware like a USB token for storing the private key.
  • Use SignTool commands to specify the certificate, hashing algorithm, timestamp server, and path to the EXE file. Then, enter the code signing certificate password.
  • Test the signature by checking browser warnings on download, verifying details in file properties, and using SignTool to validate the signature.
  • Follow best practices like protecting private keys, separating signing roles, monitoring key usage, and automating signing in CI/CD pipelines.
  • Study past code signing attacks like SolarWinds to learn lessons for hardening signing infrastructure.
Also Read: How to Sign EBS Jar Files with HSM (Hardware Security Module)

Prerequisites for Signing an EXE or Application

Before diving into the steps for signing, there are some requirements and preparatory tasks:

Obtaining a Code Signing Certificate

The first prerequisite is to acquire a code signing certificate from a trusted certificate authority (CA) like DigiCert, Comodo, GlobalSign, etc.

  • Types of code signing certificates: Major types include OV Code Signing and EV Code Signing certificates. EV provides the highest assurance of one’s identity.
  • Choosing a trusted CA: Select an established CA with a good reputation for thorough verification practices. Avoid cheap certificates with minimal validation.

Hardware and Software Requirements

  • Windows Operating System: SignTool runs on Windows. macOS and Linux users need access to a Windows machine.
  • Microsoft SignTool Utility: This provides the signing commands. It comes pre-installed or downloaded from Microsoft Docs.
  • Secure Hardware Device: This is for storing the code signing certificate’s private key securely. Options include a USB token, HSM module, YubiKey, etc.

Setting Up the Secure Hardware Device

  • Initializing And Changing the Default Password: Set a strong password to access the private key on the device.
  • Installing Client Software: Install any authentication software needed to interface with the device, such as SafeNet Authentication Client.

Step-by-Step Guide to Sign EXE File Using Code Signing

With the prerequisites covered, we can move on to the step-by-step process to Sign EXE File Using Code Signing certificate:

  • Insert the hardware token into the device
  • Open client authentication software
  • Open the command line interface
  • Enter signing and timestamping commands
  • Enter the password for a secure hardware device

Step 1: Insert The Hardware Token into The Device

  • Locate the physical USB token or other secure hardware device that contains the code signing certificate’s private key. When not in use, store it separately from the computer.
  • Plug the USB token into an available USB port on the computer.
  • If the device requires drivers, allow any driver installation prompts.

Step 2: Open Client Authentication Software

  • Locate and launch the authentication client software provided by the hardware token vendor, such as SafeNet Authentication Client.
  • If prompted, connect to the local USB device. The client will interface with the hardware token.

Step 3: Open The Command Line Interface

  • Open the Windows start menu and search for “Command Prompt” or “PowerShell.
  • Right-click and select “Run as Administrator” on the application shortcut.
  • If prompted by UAC, click Yes to approve running as admin.
Also Read: How to Sign the PowerShell Script Code with YubiKey

Step 4: Enter Signing And Timestamping Commands

  • Navigate to the directory containing SignTool.exe if not already there. The default install location is C:\Program Files\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools on modern Windows versions.
  • Construct the SignTool command with the proper parameters:
SignTool sign /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 C:\Software\Application.exe
  • When prompted, type the password to unlock the PFX certificate file.
  • When prompted, type the password to unlock the private key stored on the hardware token device.

Step 5: Enter The Password For A Secure Hardware Device

  • The SignTool utility will connect to the secure hardware device using the authentication client software to access the private key material.
  • When prompted, type the password configured on the device to allow SignTool to unlock and utilize the private key for signing.
  • The executable will be signed if no errors occur. The signed binary will be output in the same directory.

Testing and Verifying the Signed EXE or Application

Once the EXE file has been signed, we need to test the signature and ensure it validates correctly and thoroughly:

Method 1: Check in a Web Browser to Download

  • Upload a Signed File to Test The URL: Upload the EXE to a test website or file-sharing service that scans downloads.
  • Download And Check for Warnings: Try downloading the file and see if the browser shows any warnings about unsigned content.

Method 2: Inspect Certificate Details in File Properties

  • Right Click Signed File, Open Properties: In File Explorer, right-click the signed EXE, and then go to Properties.
  • Navigate to the Digital Signatures Tab: Check the Digital Signatures tab for signature details.
  • View Signature and Timestamp Information: Verify the signing certificate info, validity period, and timestamp are present.

Method 3: Verify The Signature Using Signtool

  • Change to SignTool directory: Open a command prompt in the SignTool install location.
  • Run the verify command on a signed file: Use syntax like SignTool verify /pa filepath
  • Check output for signature validation: It should display “Successfully verified” if the signature is valid.

Troubleshooting Common Issues

If the code signature is not valid, here are some common issues and remedies:

“Unknown Publisher Security Warning” on Download / Install

  • Cause: The certificate is not chained to a trusted root CA.
  • Fix: Get a certificate from a reputable CA whose root is pre-installed on systems.
Also Read: How to Fix Unknown Publisher Security Warning in Windows 10

Signature Details Missing in File Properties

  • Cause: SignTool command failed or file not signed properly.
  • Fix: Re-run SignTool, being sure to use the correct certificate and syntax.

Verification Errors in Signtool Output

  • Cause: Invalid signature due to certificate, timestamp, or crypto issue.
  • Fix: Ensure the certificate validity period has not expired. Verify timestamp server connectivity.

Best Practices for Secure Code Signing

To maximize the security of code signing processes, here are some best practices for Code Signing HSM to follow:

Protecting Code Signing Private Keys

  • Importance of Secure Key Storage and Access Control: Store keys in certified hardware like HSMs. Limit access to authorized users only.
  • Use Certified HSMs or Cloud Key Management Solutions: On-premises, cloud-hosted, and hybrid models provide robust key protection and management.
Also Read: What is a Cloud Hardware Security Module?

Implement Signing Policies and Approval Workflows

  • Separate Code Submission and Signing Approval Roles: The person who writes the code should be different from the one who approves and signs it.
  • Monitor and Track Key Usage and Signing Activities: Maintain detailed audit logs of all signing events and key access.

Integrate Signing into Ci/Cd Pipelines

  • Automate Signing in The Software Development Lifecycle: Build signing into the automated build, test, and release processes.
  • Enable Signing After QA, Vulnerability Scans, etc.: Only sign the code after it passes security tests and compliance checks.
  • Shift Left on Code Signing For Devsecops: Moving signing earlier in the pipeline improves velocity and security.
Also Read: How to Sign Unsigned Driver with Microsoft SignTool?

Case Studies of Code Signing Attacks and Lessons Learned

Examining past code signing vulnerabilities and supply chain attacks provides valuable lessons:

SolarWinds Supply Chain Attack

  • Hackers compromised SolarWinds build system and signed malicious code with a valid certificate.
  • Shows the importance of securing developer environments and limiting signer access.

Asus Live Update Utility Backdoor

  • Attackers infiltrated ASUS systems to sign a weaponized update utility with a stolen certificate.
  • Need for robust certificate lifecycle management and rapid revocation capabilities.

Takeaways for Hardening Code Signing Infrastructure

  • Utilize technologies like HSMs to safeguard keys.
  • Implement separation of duties for signing.
  • Carefully vet employees with code signing privileges.
  • Monitor certificate issuance and signing events for anomalies.
  • Have plans to revoke compromised certificates quickly.

Final Thoughts

In conclusion, signing an EXE file using a code signing certificate is a crucial step to establish trust and authenticity for your software. By following the step-by-step process outlined in this article, you can easily Sign EXE File Using Code Signing, ensuring that your application is digitally signed and verified. This not only enhances security but also provides users with confidence in the integrity of your software. Embrace this best practice and leverage the power of code signing to protect your application and your reputation in the software industry.

Priya Mervana

Priya Mervana

Verified Badge Verified Web Security Experts

Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.

What is FIPS HardwareWhat is FIPS Hardware? What is a YubiKey: How to Set it up with Auth0?What is a YubiKey: How to Set it up with Auth0? Renew Code Signing CertificateHow to Renew Code Signing Certificate?