Symantec Code Signing for Microsoft Authenticode
Please follow our Microsoft Authenticode Signing instructions to sign your components using your Symantec Code Signing certificate:
Download Signing Tools
To develop Windows-based applications, you will need to download and install the platform SDK for Microsoft Windows. Make sure that you are running the most current version of the SDK. If you only need the minimal tools for signing your files, you may want to install only the Tools and Redistributable Components of the Microsoft Windows Core SDK.
Note: SignTool.exe is not supported by Microsoft Windows 95/98/Me and NT.
For Windows XP, Windows 2000 & Windows 2003
You will have to use SignTool.exe. SignTool is a command-line tool that digitally signs files, verifies signatures in files and time stamps files. The tool is installed in \Bin of the Microsoft Windows Software Development Kit installation path. You will need your Digital ID file and your private key file.
For Windows Vista & Windows 7
You will have to use SignTool.exe. SignTool is a command-line tool that digitally signs files, verifies signatures in files and time stamps files. The tool is installed in \Bin of the Microsoft Windows Software Development Kit installation path. Your Digital ID is installed in the certificate store within Internet Explorer.
For Windows Vista, Windows 7 and Windows 2008 - Windows Hardware Quality Labs (WHQL)
Please refer to the second method below (Signing Files - Signatures recognised by all versions of Windows including Vista & 7).
Signing Files - Signatures recognised by Windows XP, Windows 2000 and Windows 2003
1. Click Start and Run.
2. Type CMD and click OK.
3. Change to the directory that contains signtool.exe.
4. Run the following command-line:
signtool.exe sign /f mycert.pfx /p <password> /t http://timestamp.verisign.com/scripts/timstamp.dll /v "<file to be signed>"
where <password> is the password specified when the PFX file was created and <file to be signed> is the name of the file you want to sign.
You can test your signature by entering the following command-line:
signtool verify /pa /v <your-file-name>
Signing Files - Signatures recognised by all versions of Windows including Vista & 7
For Windows Vista 64-bit and Windows 7, the code also needs to be cross-signed with a certificate provided by Microsoft.
1. Get the Symantec Cross Certificate from Microsoft's website (Symantec Class 3 Public Primary Certification Authority).
2. Download PVK Import.
If your certificate is not already in the certificate store, use PVK Import to import your certificate into the Personal Store.
Open a command prompt in the directory where SignTool.exe is located and type the following line:
signtool sign /v /ac "C:\MSCV-VSClass3.cer" /s MY /n "Symantec Inc." /t http://timestamp.verisign.com/scripts/timstamp.dll "C:\CatFileName.cat"
Replace CatFileName.cat with the file you want to sign, MSCV-VSClass3.cer with the Symantec Cross Certificate file and Symantec Inc. with the name of your company as it appears in the ISSUED TO field of the certificate.
SignTool supports several arguments:
Sign: Configures the tool to sign the intended file
/v: Specifies the verbose option for successful execution and warning messages
/ac: Adds the cross-certificate from the CrossCertificateFile file to the digital signature
/s: Specifies a certificate store (If the certificate is imported into the Personal store, the SPCCertificateStore is My)
/n: Refers to the company name in your certificate as it appears in the "ISSUED TO" field of the certificate
/t: Specifies that the digital signature will be timestamped by the Time-Stamp Authority (TSA) indicated by the URL
You will find more information on Microsoft's website.
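The following PowerShell wrapper is an added example, not part of the original instructions and not Symantec's or Microsoft's own script. It runs the store-based signing command shown above, then fails if the result does not verify or carries no timestamp. It assumes signtool.exe is on PATH; the function name Invoke-SignAndVerify and its parameter names are hypothetical.

```powershell
# Added example: sign from the certificate store, then verify the result.
# Assumptions: signtool.exe is on PATH; the function and parameter names
# are hypothetical. The signtool arguments are the ones shown on this page.
function Invoke-SignAndVerify {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [Parameter(Mandatory)] [string] $SubjectName,    # "ISSUED TO" name, for /n
        [Parameter(Mandatory)] [string] $CrossCertPath,  # cross-certificate, for /ac
        [string] $TimestampUrl = 'http://timestamp.verisign.com/scripts/timstamp.dll'
    )

    foreach ($path in $FilePath, $CrossCertPath) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            throw "File not found: $path"
        }
    }

    # Signing from the MY (Personal) store keeps the private key in the store and
    # avoids putting a PFX password on the command line, where /p would leave it
    # visible in the process list and console history.
    & signtool.exe sign /v /ac $CrossCertPath /s MY /n $SubjectName /t $TimestampUrl $FilePath | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

    # Same verification command the page uses to test a signature.
    & signtool.exe verify /pa /v $FilePath | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit code $LASTEXITCODE)" }

    # Second check through Windows' own Authenticode validation.
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
    }
    # Without a timestamp the signature stops validating once the signing
    # certificate expires, so treat a missing timestamp as a failure.
    if ($null -eq $sig.TimeStamperCertificate) {
        throw "Signature on $FilePath carries no timestamp"
    }

    [pscustomobject]@{
        File        = $FilePath
        Signer      = $sig.SignerCertificate.Subject
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        Timestamper = $sig.TimeStamperCertificate.Subject
    }
}

# Sample call using the placeholder values from this page; replace with your own.
# Invoke-SignAndVerify -FilePath 'C:\CatFileName.cat' -SubjectName 'Symantec Inc.' -CrossCertPath 'C:\MSCV-VSClass3.cer'
```

In a build pipeline, a thrown error from this function stops the release step, so an unsigned or untimestamped file is never published.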