Using Signum with Signtool

Introduction

Signum can be used with Microsoft's Signtool to sign files (.dll, .cab, .appx, .exe, .msi, .ps1, etc.) in Windows. Most of the configuration complexity relates to Signtool commands, as Signum only provides authenticated users with access to the signing certificate. This guide assumes that Signtool and the Signum Windows Agent have already been installed. Microsoft's documentation (https://docs.microsoft.com/en-us/windows/win32/seccrypto/signtool) has full instructions on how to install Signtool and a complete list of commands.

Signtool Examples

The detailed view of a certificate stored in Signum can be accessed by selecting a certificate that has been configured in Signum from the Certificates section of the Admin Web Console.

Using the Thumbprint

PS C:\Users\Demo\Desktop\Signum_Demo> signtool.exe sign /fd SHA256 /sha1 CE1EB74EC5A8CC93EABA4066D15DDCBCEEF28EC2  example.dll
Done Adding Additional Store
Successfully signed: example.dll

With a TSA

PS C:\Users\Demo\Desktop\Signum_Demo> signtool.exe sign /fd SHA256 /sha1 CE1EB74EC5A8CC93EABA4066D15DDCBCEEF28EC2 /t http://signserver.com/signserver/process?workerId=15  example.dll
Done Adding Additional Store
Successfully signed: example.dll

Using the Certificate CN

Using the CN has the advantage that if the certificate is ever renewed, existing scripts should be able to stay the same.

PS C:\Users\Demo\Desktop\Signum_Demo> signtool.exe sign /fd SHA256 /n "Code Signing"  example.dll
Done Adding Additional Store
Successfully signed: example.dll

Verifying

A benefit of using a native signing tool like Signtool is built-in verification.

PS C:\Users\Demo\Desktop\Signum_Demo> signtool.exe verify /pa /v .\example.dll

Verifying: .\example.dll

Signature Index: 0 (Primary Signature)
Hash of file (sha256): B410D82594A7DD698C766FD5D9D6A417B1147DD91FE0BE7DED3C8E087CFACBEE

Signing Certificate Chain:
    Issued to: Keyfactor Demo CA
    Issued by: Keyfactor Demo CA
    Expires:   Fri Jul 23 15:28:37 2032
    SHA1 hash: B2948658CE2F3133B82BE32A35A84ED7F54B5A33

        Issued to: Keyfactor Demo Working
        Issued by: Keyfactor Demo CA
        Expires:   Thu Jul 24 16:36:13 2031
        SHA1 hash: D50E48B6F937AA6DE6F7DADC8DE3D3923CBB306B

            Issued to: Keyfactor Demo Code Signing
            Issued by: Keyfactor Demo Working
            Expires:   Thu Jul 24 16:36:13 2031
            SHA1 hash: BED3F3DD7C9FE484454408541D857F4F6FEEFC9E

                Issued to: Code Signing
                Issued by: Keyfactor Demo Code Signing
                Expires:   Sat Aug 03 11:35:34 2024
                SHA1 hash: CE1EB74EC5A8CC93EABA4066D15DDCBCEEF28EC2

File is not timestamped.


Successfully verified: .\example.dll

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
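
The same verification can be run as a gate after signing in a build script. The following is an added example, not part of the original guide or of Signum itself: the function name Test-SignedFile and its parameters are hypothetical, and it assumes signtool.exe is on the PATH and that the issuing CA chain is trusted on the machine.

```powershell
# Added example: post-signing gate. Test-SignedFile and its parameters are hypothetical names.
function Test-SignedFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,  # SHA1 thumbprint of the signing certificate
        [switch] $RequireTimestamp
    )

    # 1. Let Signtool validate the signature and chain (same command as above, without /v).
    #    Any non-zero exit code, including warnings, is treated as a failure.
    & signtool.exe verify /pa $Path | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "signtool verify failed for $Path (exit code $LASTEXITCODE)"
    }

    # 2. Confirm the file was signed by the certificate we expect,
    #    not merely by some certificate the machine trusts.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature status for $Path is $($sig.Status)"
    }
    $actual = $sig.SignerCertificate.Thumbprint
    if ($actual -ne ($ExpectedThumbprint -replace '\s', '')) {
        throw "Unexpected signer $actual for $Path"
    }

    # 3. A signature without a timestamp stops validating once the signing
    #    certificate expires, so release builds usually require one.
    if ($RequireTimestamp -and -not $sig.TimeStamperCertificate) {
        throw "$Path is signed but not timestamped"
    }

    [pscustomobject]@{
        Path        = $Path
        Signer      = $sig.SignerCertificate.Subject
        Thumbprint  = $actual
        NotAfter    = $sig.SignerCertificate.NotAfter
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

# Thumbprint taken from the session above. That file reports "File is not timestamped",
# so this call throws at step 3 until the file is signed with a TSA.
Test-SignedFile -Path .\example.dll -ExpectedThumbprint 'CE1EB74EC5A8CC93EABA4066D15DDCBCEEF28EC2' -RequireTimestamp
```

When signing by CN, the thumbprint changes on renewal, so the expected value passed to this gate has to be updated along with the certificate.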