Sign Files with Signtool
Signum can be used with Microsoft Signtool to sign files (.dll, .cab, .appx, .exe, .msi, .msix, .ps1, and so on) in Windows.
Prerequisites
Signum Windows Agent installed.
Signtool installed. For full instructions on how to install Signtool and a complete list of its commands, see the Microsoft documentation at https://docs.microsoft.com/en-us/windows/win32/seccrypto/signtool.
Certificate Access
Ensure that you are logged into the Signum Agent as a valid user who has access to a certificate by being assigned to a policy in Signum. Once logged in, you can view the certificates in the user's certificate store if the Agent is running in USER mode, or in the Windows Local Machine certificate store if the Agent is running in SERVER mode.
In Server Mode, you can also change the targeted store using the -targetStore flag of the rtsetup.exe tool. See Certificate Store Selection in the CLI Server Mode Interface.
The certificates can also be listed from the shell with the following PowerShell examples. Each returns every certificate in the chosen store that carries the Code Signing EKU.
Using the Local Machine Store
Use the path to your local machine store:
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.EnhancedKeyUsageList.Contains([Microsoft.PowerShell.Commands.EnhancedKeyUsageRepresentation]::new('Code Signing','1.3.6.1.5.5.7.3.3'))
} | ForEach-Object {
    [PSCustomObject]@{
        CN         = ($_.Subject -split ',')[0] -replace '^CN=', ''
        Thumbprint = $_.Thumbprint
    }
} | ForEach-Object {
    Write-Output "CN: $($_.CN), Thumbprint: $($_.Thumbprint)"
}
Using the User Store
Use the path to your current user's store:
Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.Contains([Microsoft.PowerShell.Commands.EnhancedKeyUsageRepresentation]::new('Code Signing','1.3.6.1.5.5.7.3.3'))
} | ForEach-Object {
    [PSCustomObject]@{
        CN         = ($_.Subject -split ',')[0] -replace '^CN=', ''
        Thumbprint = $_.Thumbprint
    }
} | ForEach-Object {
    Write-Output "CN: $($_.CN), Thumbprint: $($_.Thumbprint)"
}
Example Output
CN: Signum-RSA-2048 New, Thumbprint: F78AE7871FEF1D0CF3EFFB58E9CC85F261438D2B
CN: Signum-RSA-4096, Thumbprint: 3AB5BFB91DFBB46CF765D5BEE51429618C4857DD
CN: Signum-RSA-3072, Thumbprint: 170570A1D56FBB5A4CC780B69ACAEF94010D5DAA
Signing
Example using the Certificate Thumbprint
PS C:\Users\Demo\Desktop\Signum_Demo> signtool.exe sign /fd SHA256 /sha1 CE1EB74EC5A8CC93EABA4066D15DDCBCEEF28EC2 example.dll
Done Adding Additional Store
Successfully signed: example.dll
Example including a Time Stamp Authority
In general, it is best to always include a timestamp on signatures so that the signature remains valid after the certificate expires:
PS C:\Users\Demo\Desktop\Signum_Demo> signtool.exe sign /fd SHA256 /sha1 CE1EB74EC5A8CC93EABA4066D15DDCBCEEF28EC2 /t Replace-With-TSA-URL example.dll
Done Adding Additional Store
Successfully signed: example.dll
Example using the Certificate CN
Using the CN has the advantage that, if the certificate is ever renewed, existing scripts should be able to stay the same.
PS C:\Users\Demo\Desktop\Signum_Demo> signtool.exe sign /fd SHA256 /n "Code Signing" example.dll
Done Adding Additional Store
Successfully signed: example.dll
Example using the Windows Agent in Server Mode
In Server Mode, the Windows Agent places certificates in the Windows Local Machine certificate store unless -targetStore has been set to the user's personal certificate store. Including the /sm flag tells signtool to use the Local Machine store.
PS C:\Users\Demo\Desktop\Signum_Demo> signtool.exe sign /fd SHA256 /sm /sha1 CE1EB74EC5A8CC93EABA4066D15DDCBCEEF28EC2 example.dll
Done Adding Additional Store
Successfully signed: example.dll
Verifying
PS C:\Users\Demo\Desktop\Signum_Demo> signtool.exe verify /pa /v .\example.dll
Verifying: .\example.dll
Signature Index: 0 (Primary Signature)
Hash of file (sha256): B410D82594A7DD698C766FD5D9D6A417B1147DD91FE0BE7DED3C8E087CFACBEE
Signing Certificate Chain:
Issued to: Keyfactor Demo CA
Issued by: Keyfactor Demo CA
Expires: Fri Jul 23 15:28:37 2032
SHA1 hash: B2948658CE2F3133B82BE32A35A84ED7F54B5A33
Issued to: Keyfactor Demo Working
Issued by: Keyfactor Demo CA
Expires: Thu Jul 24 16:36:13 2031
SHA1 hash: D50E48B6F937AA6DE6F7DADC8DE3D3923CBB306B
Issued to: Keyfactor Demo Code Signing
Issued by: Keyfactor Demo Working
Expires: Thu Jul 24 16:36:13 2031
SHA1 hash: BED3F3DD7C9FE484454408541D857F4F6FEEFC9E
Issued to: Code Signing
Issued by: Keyfactor Demo Code Signing
Expires: Sat Aug 03 11:35:34 2024
SHA1 hash: CE1EB74EC5A8CC93EABA4066D15DDCBCEEF28EC2
File is not timestamped.
Successfully verified: .\example.dll
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
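The signing and verification steps above, combined into one PowerShell script as an added example that is not part of the Signum documentation. It looks up the certificate in the store the Agent mode implies, signs with signtool's RFC 3161 timestamp options (/tr and /td) instead of /t, then runs verify and fails if the signature is untimestamped or was made with a different certificate than expected. The file path, thumbprint and TSA URL are parameters you supply; signtool.exe is assumed to be on PATH.

```powershell
# Added example (not from the Signum docs): sign, timestamp and verify one file.
param(
    [Parameter(Mandatory)] [string] $Path,        # file to sign, e.g. .\example.dll
    [Parameter(Mandatory)] [string] $Thumbprint,  # SHA1 thumbprint of the Signum certificate
    [Parameter(Mandatory)] [string] $TsaUrl,      # your TSA URL (placeholder, supply your own)
    [switch] $MachineStore                        # set when the Agent runs in SERVER mode
)

# USER mode places the certificate in CurrentUser\My, SERVER mode in LocalMachine\My.
$store = if ($MachineStore) { 'Cert:\LocalMachine\My' } else { 'Cert:\CurrentUser\My' }
$cert  = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "No certificate with thumbprint $Thumbprint in $store; check the Agent login and policy."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $Thumbprint expired on $($cert.NotAfter); a new signature would not verify."
}

# Build the signtool argument list; /sm is only valid for the Local Machine store.
$signArgs = @('sign', '/fd', 'SHA256', '/sha1', $Thumbprint, '/tr', $TsaUrl, '/td', 'SHA256')
if ($MachineStore) { $signArgs += '/sm' }
$signArgs += $Path
& signtool.exe @signArgs
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify with the default Authenticode policy and inspect the verbose output.
$verify = (& signtool.exe verify /pa /v $Path 2>&1) | Out-String
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed:`n$verify" }
if ($verify -match 'File is not timestamped') {
    throw 'Signature verified but carries no timestamp; it will stop verifying once the certificate expires.'
}
# The leaf "SHA1 hash:" line in the verbose chain output must match the thumbprint we signed with.
if ($verify -notmatch ('SHA1 hash:\s*' + [regex]::Escape($Thumbprint))) {
    throw "Verified chain does not contain $Thumbprint; the file was signed with a different certificate."
}
Write-Output "Signed and verified $Path with certificate $Thumbprint (timestamped via $TsaUrl)."
```

Run it as `.\Sign-And-Verify.ps1 -Path .\example.dll -Thumbprint <thumbprint> -TsaUrl <tsa-url>` (add `-MachineStore` for Server Mode); a non-zero exit from either signtool step, a missing timestamp, or an unexpected signer aborts the script so a build pipeline does not ship an unverifiable binary.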