FREE Signtool GUI

CREATIVE TOOLS FOR CREATIVE MINDS

Simple SignTool GUI for code signing certificates

All Products | Experimental Tools

No installation, just unzip and run

Since many things have changed over the years, and now the code-signing certificate is delivered on a USB stick, I created a small tool to help me code-sign files for distribution.

This tool essentially calls signtool.exe, adds a timestamp, and signs your .exe files. But it comes with some handy bonus features: • Sign multiple files at once • Drag and drop .exe files into the window • Save the current file set to a .ksig file: Double-clicking a *.ksig file will automatically open the SignTool GUI and pre-load the files that need to be signed. For example, in my installation distribution folder, I have a .ksig file containing all the files that need to be signed. I just double-click the .ksig file to sign them. • Drag & drop the .ksig file to the GUI: This has the same effect as double-clicking on it.

An Idiot’s Guide to Signing Files

To distribute .exe files, you should sign them, which will inform the end user that the files have not been tampered with and that they come from you. There are two types of code-signing certificates: OV (Organization Validation) and EV (Extended Validation). OV certificates are cheaper and easier to obtain, but they also trigger Microsoft's reputation check when downloading your signed files, which may display the message "FILE is not commonly downloaded and could harm your computer." This could scare your customers. EV certificates, on the other hand, are automatically recognized as approved by Microsoft Defender. (Note: Mediachance signs with an OV certificate.) Previously, certificates were downloadable as PFX files with a password, and there was a whole process involving only Internet Explorer and ordering the certificate from the machine where it would be installed. This is no longer the case, but many websites or YouTube videos still show this old method. You can no longer get downloadable PFX certificates. All certificates now reside on a “eToken,” a special USB drive that can be log on with a password. The certificate is then available for signing with the SignTool. It may sound more complicated than it is due to the use of various terms—I spent quite some time deciphering the process, only to find out that it’s actually very easy. When you order your OV certificate from resellers (e.g., Digicert, Sectigo, etc.), you will need to specify whether you want the eToken (a special USB key) shipped to you, or if you want to use your own hardware key to host the token. To keep it simple, the first time, you should have them ship you the eToken (USB key) for a slightly higher price, but you can likely reuse that key next time. The SafeNet eToken looks like a USB memory key with an ugly blue light at the top.

It’s really simple: Install the SafeNet Authentication Client (you don’t need the SafeNet drivers, as they are already included), reboot your computer, then open the client and insert your special eToken USB key. It should recognize the key automatically. On the main screen, the only thing you should do is change the Token Password—don’t touch any other options. Next, click on the gear icon (which is a rather poor choice for the "Advanced" view), and you should see a tree structure with your token and its settings.

Next, we select Client Settings. Under the Advanced tab, I like to highlight Enable Single Logon and PKCS#11. Why? Once you log onto this eToken with your password—which should have been emailed to you by whomever sold you the certificate—you can use SignTool on that computer without having to enter your password again until you restart or remove the USB stick. This comes in super handy in cases where you'll need to sign several files. To log on to the token, right-click on the token name—blank in the image above—and select Log On Token. The second option, if you have selected Enable Single Logon, ensures subsequent uses of SignTool will no longer call for the password. Note: You only have 3 attempts to enter this password correctly, so make sure you enter the correct password. If you were given the SafeNet eToken with your certificate already loaded from the Certificate Authority, you do not have an Administrator password. For that reason, do not try to enter one; otherwise, you will be permanently locked out of the token after 5 attempts. That admin password is only created at the time the USB key is initialized—a format-like process. Now, the rest is super simple: just code-sign your .exe files by using SignTool or the SignTool GUI.

There are no usable files on the drive, but it requires the SafeNet Authentication Client to work. Important: While you might come across some slightly confusing videos on YouTube that suggest you need to initialize the key when you receive it, that’s exactly what you don’t want to do. The initialization procedure is for when you are adding a token to the device yourself, not when you purchase the USB key with the token already installed.

Do NOT attempt the following operations under any circumstances: Deleting Token Content Importing a Certificate to a Token Exporting a Certificate from a Token Clearing a Default Certificate Deleting a Certificate Logging On to the Token as an Administrator Changing the Administrator Password Unlocking a Token by the Challenge-Response Method Setting a Token Password by an Administrator

OUR COMMERCIAL APPS