Overview
The SignTool utility digitally signs files, verifies signatures, and timestamps signed files. It is part of the Windows SDK and is commonly used in build pipelines for Windows applications, drivers, and installers.
Command-line Syntax
signtool [options] command [command-options] [files]
Common commands include sign, verify, timestamp, and remove.
Options
| Option | Description |
|---|---|
| /a | Automatically selects the best signing certificate. |
| /f File | Specifies a certificate file (PFX) to use. |
| /p Password | Password for the certificate file. |
| /tr URL | Timestamp server URL (RFC 3161). Example: https://timestamp.digicert.com |
| /td Algorithm | Digest algorithm for the timestamp (SHA256, SHA1). |
| /fd Algorithm | File digest algorithm used to create the signature (SHA256, SHA1); used in the signing examples below. |
| /v | Verbose output. |
| /t URL | Legacy timestamp server URL. |
| /d Description | Specifies the file description. |
| /du URL | Specifies a URL for the description. |
| /s StoreName | Certificate store name (e.g., My). |
| /sha1 Thumbprint | Selects a certificate by its SHA-1 thumbprint. |
| /csp Provider | Specifies a cryptographic service provider. |
| /kc Container | Specifies a key container name. |
Examples
Sign an executable using a certificate file
signtool sign /f MyCert.pfx /p MyPassword /tr https://timestamp.digicert.com /td SHA256 /fd SHA256 MyApp.exe
Verify a signed file
signtool verify /pa /v MyApp.exe
Timestamp an already signed file
signtool timestamp /tr https://timestamp.digicert.com /td SHA256 MyApp.exe
Sign all DLLs in a directory
for %f in (*.dll) do signtool sign /a /tr https://timestamp.digicert.com /td SHA256 "%f"
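The commands above as one build step, written here as an added PowerShell example (not code from the SignTool documentation): it selects the signing key by thumbprint from the certificate store instead of passing a PFX password on the command line, signs with a SHA256 file digest and RFC 3161 timestamp, then verifies every file and fails the step if any signature does not validate. The function name Invoke-SignAndVerify, the file list and the thumbprint value are assumptions; signtool.exe is assumed to be on PATH.

```powershell
# Added example, not part of the SignTool docs. The thumbprint below is a
# placeholder; replace it with the thumbprint of your own signing certificate.
param(
    [string[]]$Files = @("MyApp.exe"),
    [string]$Thumbprint = "0000000000000000000000000000000000000000",  # placeholder
    [string]$TimestampUrl = "https://timestamp.digicert.com"
)

function Invoke-SignAndVerify {
    param([string[]]$Paths, [string]$Thumb, [string]$TsaUrl)
    $failed = @()
    foreach ($path in $Paths) {
        # Sign with a SHA256 file digest and an RFC 3161 SHA256 timestamp.
        # Selecting the key by thumbprint (/sha1) keeps the PFX password off the
        # command line, where it would appear in process listings and build logs.
        & signtool sign /sha1 $Thumb /s My /fd SHA256 /tr $TsaUrl /td SHA256 $path
        if ($LASTEXITCODE -ne 0) { $failed += "$path (sign exit $LASTEXITCODE)"; continue }

        # Verify against the default Authenticode policy (/pa). A non-zero exit
        # code means the signature is missing, broken, or its chain did not validate.
        & signtool verify /pa /v $path
        if ($LASTEXITCODE -ne 0) { $failed += "$path (verify exit $LASTEXITCODE)" }
    }
    return $failed
}

$problems = Invoke-SignAndVerify -Paths $Files -Thumb $Thumbprint -TsaUrl $TimestampUrl
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Error $_ }
    exit 1   # fail the build step if any file is unsigned or unverifiable
}
Write-Host "All $($Files.Count) file(s) signed, timestamped and verified."
```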
See also
- certreq – Request certificates from a CA.
- makecert – Create testing certificates.
- Official SignTool Documentation