Frequently Asked Questions
- Where do I get a code signing certificate?
- Where do I get SignTool.exe?
- How do I create a .pfx file?
- How do I dual sign my file for SHA1 and SHA256 digests?
- Where do I get a code signing certificate?
Comodo, Thawte, and VeriSign sell code signing certificates. Don't confuse these with their SSL certificates, which cannot be used for code signing. You can get a discount on Comodo code signing certs from K Software.
- Where do I get SignTool.exe?
Even though this is a free utility, Microsoft has not made it a separate download. If you use any Microsoft development tools, you may already have it on your system (use the Windows Start/Search function). It must be version 6.3 or later. Otherwise, you can install their Windows 10 SDK (works with Windows Vista and later) and then locate it on your system here:
C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe
- How do I create a .pfx file?
Your certificate provider will give you a .pvk (private key) file and an .spc (software publisher certificate) file. Use Microsoft's Pvkimprt.exe utility to combine them into your .pfx (personal information exchange) file. The Association of Shareware Professionals has some handy instructions. If your cert provider did not give you any files to download, then your web browser most likely installed the certificate directly into your Windows certificate store. Use these instructions to export your .pfx file.
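For the browser-installed case, the export can also be scripted. The following PowerShell is an added example, not part of the original FAQ or of any vendor's instructions; it assumes the certificate landed in the current user's personal store (Cert:\CurrentUser\My) and was marked exportable when the browser installed it, and the output path codesign.pfx is a placeholder. (For the .pvk/.spc case the page describes, the equivalent one-liner is `pvkimprt -pfx mycert.spc mykey.pvk`, with your own file names.)

```powershell
# Added example (not from the original FAQ): export a browser-installed code-signing
# certificate and its private key from the current user's store to a password-protected .pfx.
# Assumptions: store is Cert:\CurrentUser\My, key was installed as exportable,
# output path below is a placeholder.

# List every certificate in the store that carries the Code Signing EKU and has a private key.
$candidates = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey }

if (-not $candidates) {
    throw "No code-signing certificate with a private key found in Cert:\CurrentUser\My."
}

# Take the one that expires last; filter on Thumbprint instead if you hold several.
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
"Exporting: $($cert.Subject)  thumbprint=$($cert.Thumbprint)  expires=$($cert.NotAfter)"

# Prompt for the .pfx password instead of hard-coding it in the script.
$pfxPassword = Read-Host -Prompt "Password for the new .pfx" -AsSecureString

$pfxPath = Join-Path $env:USERPROFILE 'codesign.pfx'   # placeholder output location
# BuildChain includes the intermediate CA certs, which signtool needs to build a full chain.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null

# Sanity check: the .pfx must load back with the same thumbprint and a private key.
$check = Get-PfxCertificate -FilePath $pfxPath   # prompts for the password again
if ($check.Thumbprint -ne $cert.Thumbprint -or -not $check.HasPrivateKey) {
    throw "Exported .pfx does not match the source certificate or lacks its private key."
}
"OK: $pfxPath written ($((Get-Item $pfxPath).Length) bytes)"
```

If the export fails because the key is not exportable, the browser installed it without that flag; re-import from the provider with the exportable option set, or ask the provider to reissue. Treat the resulting .pfx like any other secret: it is everything needed to sign code in your name.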
- How do I dual sign my file for SHA1 and SHA256 digests?
Since Microsoft and other O/S and browser vendors are phasing out support for SHA1 (which has known security weaknesses), you can dual sign your EXE program file: once with SHA1 (keeping it compatible with Vista and older systems) and once with SHA256 (a member of the SHA-2 family, often loosely called SHA-2), the more secure hashing algorithm already supported by Windows 7 and newer systems.
On pass one, select your normal timestamp server, such as http://timestamp.comodoca.com/authenticode, with "RFC 3161 server" and "SHA256 timestamp" both left unchecked. Set Signature Placement to Primary and Signature Hash to SHA1, then sign your files. For pass two, change the timestamp server to http://timestamp.globalsign.com/?signature=sha2 and check both the "RFC 3161 server" and "SHA256 timestamp" boxes. Set Signature Placement to Appended and Signature Hash to SHA256, then sign your files. Run pass two only once: every additional run appends yet another signature to the file. Only the primary signature can be replaced; if you mess up the appended signatures, you'll have to recompile your program and start over.
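The same two-pass procedure, done directly with signtool.exe from PowerShell, as an added example that is not part of the original FAQ. It assumes the signtool path given earlier on this page, a placeholder certificate file codesign.pfx and a placeholder target MyApp.exe; each GUI option maps onto one signtool switch, noted in the comments.

```powershell
# Added example (not from the original FAQ): dual signing with signtool.exe instead of the GUI.
# Placeholders: codesign.pfx (your exported certificate) and MyApp.exe (the file to sign).
# GUI option -> signtool switch:
#   "RFC 3161 server"      -> /tr <url>   (instead of the legacy Authenticode /t <url>)
#   "SHA256 timestamp"     -> /td sha256
#   Signature Hash         -> /fd sha1  or  /fd sha256
#   Placement = Appended   -> /as

$signtool = 'C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe'
$pfx      = '.\codesign.pfx'
$target   = '.\MyApp.exe'
$pfxPassword = Read-Host -Prompt 'PFX password'   # prompted, not hard-coded; /p needs plain text

# Keep an untouched copy: an appended signature cannot be removed by re-signing.
Copy-Item $target "$target.unsigned" -Force

# Pass one: primary SHA1 signature with a legacy Authenticode timestamp (no /tr, no /td).
& $signtool sign /f $pfx /p $pfxPassword /fd sha1 `
    /t http://timestamp.comodoca.com/authenticode $target
if ($LASTEXITCODE -ne 0) { throw "Pass one (SHA1 primary) failed with exit code $LASTEXITCODE" }

# Pass two: appended (/as) SHA256 signature with an RFC 3161 SHA256 timestamp. Run exactly once.
& $signtool sign /f $pfx /p $pfxPassword /fd sha256 /as `
    /tr 'http://timestamp.globalsign.com/?signature=sha2' /td sha256 $target
if ($LASTEXITCODE -ne 0) { throw "Pass two (SHA256 appended) failed with exit code $LASTEXITCODE" }

# Check every signature on the file against the default Authenticode policy;
# /all makes signtool verify the appended signature too, /v prints the chain and timestamps.
& $signtool verify /pa /all /v $target
if ($LASTEXITCODE -ne 0) { throw "Signature verification failed with exit code $LASTEXITCODE" }

# Note: Get-AuthenticodeSignature reports only the primary signature, so it cannot
# confirm the appended SHA256 one; use the signtool verify /all output above instead.
```

If the verify step lists only one signature, pass two did not take and can safely be repeated; if it lists three or more, pass two ran more than once and you must restore the .unsigned copy and start again, exactly as the FAQ warns.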