Frequently Asked Questions

  1. Where do I get a code signing certificate?
  2. Where do I get SignTool.exe?
  3. How do I create a .pfx file?
  4. How do I access my cert on the hardware token?
  5. How do I dual sign my file for SHA1 and SHA256 digests?



  1. Where do I get a code signing certificate?

    Sectigo (formerly Comodo) sells code signing certificates. Don't confuse these with their SSL certificates, which cannot be used for code signing. You can get a discount on Sectigo code signing certs from K Software.

  2. Where do I get SignTool.exe?

    Even though this is a free utility, Microsoft has not made it a separate download. If you use any Microsoft development tools, you may already have it on your system (use the Windows Start/Search function). It must be version 6.3 or later. Otherwise, you can install the Windows SDK and then locate it on your system. Example path:

    C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe

  3. How do I create a .pfx file?

    PFX files are now obsolete. Beginning in 2023, code signing certs arrive on secure hardware tokens in the form of a USB thumb drive. Leave the PFX field blank if you have a token.

  4. How do I access my cert on the hardware token?

    Download and install the free SafeNet Authentication Client. Get the appropriate edition for your Windows version. When signtool is executed via SignGUI, the SafeNet client will pop up automatically and prompt you for the token password (as provided by the certificate authority). SignGUI gives you the option to copy the password to the Windows Clipboard so that it can be pasted in using the Ctrl-v key combination.

  5. How do I dual sign my file for SHA1 and SHA256 digests?

    Since Microsoft and other O/S and browser vendors are phasing out support for SHA1 (which has security issues), you can dual sign your EXE program file with SHA1 (making it compatible on Vista and older systems) and with SHA256 (also referred to as SHA-2), the more secure hashing algorithm already supported by Windows 7 and newer systems.

    On pass one, select your normal timestamp server, such as http://timestamp.comodoca.com/authenticode, with "RFC 3161 server" and "SHA256 timestamp" left unchecked. Set Signature Placement to Primary and Signature Hash to SHA1. Sign your files. For pass two, change the timestamp server to http://timestamp.globalsign.com/?signature=sha2 and check both the "RFC 3161 server" and "SHA256 timestamp" boxes. Then set Signature Placement to Appended and Signature Hash to SHA256. Sign your files. Note that you want to run this second pass only once; each additional run appends yet another signature to your file. Only the primary signature can be replaced. If you mess up the appended signatures, you'll have to recompile your program and start over.
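    The same two passes expressed as direct signtool.exe commands, added here as an example (this is not SignGUI's own code or part of the original FAQ). It assumes the signtool path from question 2, a certificate on a hardware token selected by its subject name (placeholder below, with SafeNet prompting for the token password), and that signtool's verbose verify output lists each signature on a "Signature Index:" line, which the script uses to avoid appending a second SHA256 signature by mistake.

```powershell
# Added example, not part of SignGUI or the original FAQ.
# Assumptions: signtool path from question 2; cert on a hardware token,
# selected by subject name (placeholder); SafeNet prompts for the token
# password when signtool opens the key.
$SignTool = 'C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe'
$CertName = 'Your Company Name'   # placeholder: CN of your code signing cert
$File     = '.\MyProgram.exe'     # placeholder: the EXE to dual sign

function Get-SignatureCount([string]$Path) {
    # Count signatures from signtool's verbose verify output.
    # Assumption: each signature is reported on a "Signature Index:" line.
    $out = & $SignTool verify /pa /all /v $Path 2>&1
    return @($out | Select-String -Pattern 'Signature Index:').Count
}

# Pass one: primary signature, SHA1 file digest, classic Authenticode
# timestamp (/t). Matches SignGUI with "RFC 3161 server" and
# "SHA256 timestamp" both unchecked and Placement set to Primary.
& $SignTool sign /n $CertName /fd sha1 `
    /t 'http://timestamp.comodoca.com/authenticode' /v $File
if ($LASTEXITCODE -ne 0) { throw 'Pass one (SHA1 primary signature) failed.' }

# Pass two: append (/as) a SHA256 signature with an RFC 3161 (/tr)
# SHA256 timestamp (/td). Matches both boxes checked and Placement set
# to Appended. /as never replaces anything, so guard against re-running it.
if ((Get-SignatureCount $File) -ge 2) {
    Write-Warning "$File already carries an appended signature; skipping pass two."
} else {
    & $SignTool sign /n $CertName /fd sha256 /as `
        /tr 'http://timestamp.globalsign.com/?signature=sha2' /td sha256 /v $File
    if ($LASTEXITCODE -ne 0) { throw 'Pass two (SHA256 appended signature) failed.' }
}

# Final check: /all verifies every signature in the file, not just the primary.
& $SignTool verify /pa /all /v $File
```

    Without /all, signtool verify only reports the primary (SHA1) signature, so the appended SHA256 signature would never be checked.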