How to sign code with a certificate

You’ve been provided with a .PFX code signing certificate and instructed to sign your code.

What is Code Signing?

Code signing involves applying a digital signature to an executable file using a code signing certificate. This process ensures the authenticity and integrity of the code. When the code is executed, your organization’s security software verifies that the executable was signed with the valid certificate, confirming it hasn’t been tampered with.

Once signed, you can view the digital signature in the file’s properties.

Example: Digital signature on an EXE file created using a code signing certificate.

How to Sign Code

You can sign various types of files, including .exe files, .dll files, and PowerShell scripts.

In the examples below, assume your code signing certificate is stored at C:\Projects\MyCert.pfx with the password "Secure123".

Signing .exe and .dll Files

Run the following command in the command line:

"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe" sign /f "C:\Projects\MyCert.pfx" /p Secure123 "C:\Projects\MyApp.exe"

After signing, you can verify the digital signature by checking the file’s properties.

Signing PowerShell Scripts

Execute the following PowerShell commands:

$cert = Get-PfxCertificate -FilePath C:\Projects\MyCert.pfx  
Set-AuthenticodeSignature -FilePath C:\Projects\MyScript.ps1 -Certificate $cert

You’ll be prompted to enter the certificate password. Input "Secure123" and click OK.

Once completed, open your PowerShell script to confirm that a signature block has been appended to it.

Example: PowerShell script with a signature block.

By following these steps, you ensure your code is securely signed and ready for distribution.