
Using Signum with Signtool

Introduction

Signum can be used with Microsoft's Signtool to sign files (.dll, .cab, .appx, .exe, .msi, .msix, .ps1, etc.) on Windows. This guide assumes that Signtool and the Signum Windows Agent have already been installed; for full instructions on installing Signtool and a complete list of its commands, see Microsoft's documentation at https://docs.microsoft.com/en-us/windows/win32/seccrypto/signtool.

Signing

First, ensure that you are logged into the Signum Agent as a valid user that has access to a certificate through a policy assignment in Signum. Once logged in, you can view the certificates in the User's certificate store if the Agent is running in USER mode, or in the Local Machine certificate store if the Agent is running in SERVER mode. In Server Mode you can also change the targeted store with the -targetStore flag of the rtsetup.exe tool. The certificates can also be listed from the shell; the PowerShell examples below return every certificate in the store that carries the Code Signing EKU.

Using the Local Machine Store

CODE
# Keep only certificates whose EKU list contains Code Signing (OID 1.3.6.1.5.5.7.3.3),
# then print the subject CN and the SHA-1 thumbprint signtool needs for /sha1.
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.EnhancedKeyUsageList.Contains([Microsoft.PowerShell.Commands.EnhancedKeyUsageRepresentation]::new('Code Signing','1.3.6.1.5.5.7.3.3'))
} | ForEach-Object {
    [PSCustomObject]@{
        CN = ($_.Subject -split ',')[0] -replace '^CN=', ''
        Thumbprint = $_.Thumbprint
    }
} | ForEach-Object {
    Write-Output "CN: $($_.CN), Thumbprint: $($_.Thumbprint)"
}

Using the Users Store

CODE
# Same filter as above, but against the current user's personal store (USER mode).
Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.Contains([Microsoft.PowerShell.Commands.EnhancedKeyUsageRepresentation]::new('Code Signing','1.3.6.1.5.5.7.3.3'))
} | ForEach-Object {
    [PSCustomObject]@{
        CN = ($_.Subject -split ',')[0] -replace '^CN=', ''
        Thumbprint = $_.Thumbprint
    }
} | ForEach-Object {
    Write-Output "CN: $($_.CN), Thumbprint: $($_.Thumbprint)"
}

Example Output

CODE
CN: Signum-RSA-2048 New, Thumbprint: F78AE7871FEF1D0CF3EFFB58E9CC85F261438D2B
CN: Signum-RSA-4096, Thumbprint: 3AB5BFB91DFBB46CF765D5BEE51429618C4857DD
CN: Signum-RSA-3072, Thumbprint: 170570A1D56FBB5A4CC780B69ACAEF94010D5DAA

Using the Certificate Thumbprint

CODE
PS C:\Users\Demo\Desktop\Signum_Demo> signtool.exe sign /fd SHA256 /sha1 CE1EB74EC5A8CC93EABA4066D15DDCBCEEF28EC2  example.dll
Done Adding Additional Store
Successfully signed: example.dll

Example including a Time Stamp Authority

In general it is best to always include a timestamp on signatures so that they remain valid after the certificate expires: a trusted timestamp records that the signature was created while the certificate was still valid, so verifiers can continue to accept it.

CODE
PS C:\Users\Demo\Desktop\Signum_Demo> signtool.exe sign /fd SHA256 /sha1 CE1EB74EC5A8CC93EABA4066D15DDCBCEEF28EC2 /t Replace-With-TSA-URL  example.dll
Done Adding Additional Store
Successfully signed: example.dll

Using the Certificate CN

Using the CN has the advantage that existing scripts can stay the same if the certificate is ever renewed, since /n selects the certificate by its subject name rather than by a thumbprint that changes with every renewal.

CODE
PS C:\Users\Demo\Desktop\Signum_Demo> signtool.exe sign /fd SHA256 /n "Code Signing"  example.dll
Done Adding Additional Store
Successfully signed: example.dll

Using the Windows Agent in Server Mode

In Server Mode the Windows Agent places certificates in the Local Machine certificate store in Windows unless -targetStore has been set to the user's personal certificate store. Including the /sm flag with signtool makes it search the Local Machine store.

CODE
PS C:\Users\Demo\Desktop\Signum_Demo> signtool.exe sign /fd SHA256 /sm /sha1 CE1EB74EC5A8CC93EABA4066D15DDCBCEEF28EC2  example.dll
Done Adding Additional Store
Successfully signed: example.dll

Verifying

CODE
PS C:\Users\Demo\Desktop\Signum_Demo> signtool.exe verify /pa /v .\example.dll

Verifying: .\example.dll

Signature Index: 0 (Primary Signature)
Hash of file (sha256): B410D82594A7DD698C766FD5D9D6A417B1147DD91FE0BE7DED3C8E087CFACBEE

Signing Certificate Chain:
    Issued to: Keyfactor Demo CA
    Issued by: Keyfactor Demo CA
    Expires:   Fri Jul 23 15:28:37 2032
    SHA1 hash: B2948658CE2F3133B82BE32A35A84ED7F54B5A33

        Issued to: Keyfactor Demo Working
        Issued by: Keyfactor Demo CA
        Expires:   Thu Jul 24 16:36:13 2031
        SHA1 hash: D50E48B6F937AA6DE6F7DADC8DE3D3923CBB306B

            Issued to: Keyfactor Demo Code Signing
            Issued by: Keyfactor Demo Working
            Expires:   Thu Jul 24 16:36:13 2031
            SHA1 hash: BED3F3DD7C9FE484454408541D857F4F6FEEFC9E

                Issued to: Code Signing
                Issued by: Keyfactor Demo Code Signing
                Expires:   Sat Aug 03 11:35:34 2024
                SHA1 hash: CE1EB74EC5A8CC93EABA4066D15DDCBCEEF28EC2

File is not timestamped.

Successfully verified: .\example.dll

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
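The signing and verification steps above combined into one script, as an added example that is not part of the Signum documentation or product: it looks the certificate up in the store that matches the Agent mode, signs with an RFC 3161 timestamp via signtool's /tr and /td options instead of the /t option shown above, and fails if the verification report contains the "File is not timestamped." line. The TSA URL is a placeholder, and signtool.exe is assumed to be on PATH.

```powershell
param(
    [Parameter(Mandatory)] [string] $Thumbprint,       # SHA-1 thumbprint of the Signum certificate
    [Parameter(Mandatory)] [string] $File,             # file to sign, e.g. example.dll
    [string] $TsaUrl = 'http://REPLACE-WITH-TSA-URL',  # placeholder, not a real TSA
    [switch] $ServerMode                               # Agent in SERVER mode -> Local Machine store
)
$ErrorActionPreference = 'Stop'

# Look the certificate up in the store that matches the Agent mode and confirm
# it carries the Code Signing EKU before handing it to signtool.
$storePath = if ($ServerMode) { 'Cert:\LocalMachine\My' } else { 'Cert:\CurrentUser\My' }
$cert = Get-ChildItem -Path $storePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $storePath" }
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.3') {
    throw "Certificate $Thumbprint does not carry the Code Signing EKU"
}

# /tr and /td request an RFC 3161 timestamp (the examples above use /t);
# /sm tells signtool to search the Local Machine store instead of the user's.
$signArgs = @('sign', '/fd', 'SHA256', '/sha1', $Thumbprint, '/tr', $TsaUrl, '/td', 'SHA256')
if ($ServerMode) { $signArgs += '/sm' }
$signArgs += $File
& signtool.exe @signArgs
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify with the default Authenticode policy (/pa) and treat a missing
# timestamp as a failure rather than the informational line signtool prints.
$report = & signtool.exe verify /pa /v $File | Out-String
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed:`n$report" }
if ($report -match 'File is not timestamped') {
    throw "$File is signed but not timestamped; the signature will stop validating once the certificate expires"
}

# Cross-check with PowerShell's own Authenticode reader.
$sig = Get-AuthenticodeSignature -FilePath $File
if ($sig.Status -ne 'Valid') { throw "Get-AuthenticodeSignature reports $($sig.Status) for $File" }
"{0}: signed by {1}, timestamped by {2}" -f $File, $sig.SignerCertificate.Subject, $sig.TimeStamperCertificate.Subject
```

Run it as `.\Sign-WithSignum.ps1 -Thumbprint <thumbprint> -File example.dll -TsaUrl <your TSA> [-ServerMode]`; the -ServerMode switch is what selects the Local Machine store and adds /sm.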