How to Sign Executable Files Using EV Code Signing Certificates

Code signing is a critical security measure for software developers. By digitally signing your executables, you give users two assurances: that the file has not been modified since it was signed, and that it was signed by a publisher whose identity a Certificate Authority has verified. Extended Validation (EV) certificates offer the highest level of identity verification and key protection available for code signing.

This guide walks you through the complete process of signing executable files using an EV code signing certificate.

What Is an EV Code Signing Certificate?

Extended Validation certificates require the most rigorous identity verification process. Unlike standard (OV) certificates, EV certificates:

  1. Require legal-entity verification backed by documentation, so the publisher identity in the signature has actually been checked rather than merely asserted

  2. Must have their private key generated and kept on a hardware device (typically a USB token supplied by the CA, or a cloud HSM), so the key cannot be exported or copied to a build machine

  3. Establish a higher level of trust with users, because the publisher name Windows displays has been verified

  4. Have historically received Windows SmartScreen reputation immediately, instead of having to earn it through download volume as newly signed software otherwise must

Prerequisites

Before you begin the signing process, ensure you have:

  1. Purchased an EV code signing certificate from a trusted Certificate Authority

  2. Received your USB token containing your private key

  3. Installed any required drivers for your USB token

  4. The executable files you wish to sign

Step-by-Step Signing Process

1. Install Required Software

Most certificate providers will supply necessary software to use your EV certificate. Typically, you'll need:

  1. The driver software for your USB token

  2. Microsoft's SignTool (included in Windows SDK)

Install these components before proceeding.

2. Connect Your Hardware Token

Insert your USB token into an available USB port. Wait for Windows to recognize the device and install any required drivers.

3. Locate SignTool

SignTool is typically located in:

C:\Program Files (x86)\Windows Kits\10\bin\<version>\x64\

Consider adding this path to your system environment variables for easier access.

4. Basic Signing Command

Open a Command Prompt (elevation is not needed for signing; the token's certificate is registered in the current user's Personal certificate store) and use this basic syntax:

signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /n "Your Certificate Subject Name" "PathToExecutable.exe"

Here /fd sha256 selects the file digest algorithm, /tr names an RFC 3161 timestamp server, /td sha256 sets the digest the timestamp uses, and /n selects the certificate whose subject contains the given string.

For an EV certificate stored on a hardware token the command is the same. The token's middleware publishes the certificate in the Windows certificate store, and SignTool hands the actual signing operation to the token, which prompts for its PIN. If more than one certificate matches the subject name (for example a renewed certificate alongside the old one), select it unambiguously by SHA-1 thumbprint instead of by name:

signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /sha1 <thumbprint> "PathToExecutable.exe"

The thumbprint is shown on the Details tab of the certificate in certmgr.msc.

5. Adding Timestamps

The /tr and /td options in the commands above are what add the timestamp. A timestamp is a countersignature from the timestamp authority proving the signature was made at a specific time. Windows then keeps accepting the signature after your certificate expires, because it only needs the certificate to have been valid at signing time. Without a timestamp, every file you shipped stops validating the day the certificate expires. Always use the RFC 3161 options (/tr with /td sha256); the older /t option produces a legacy Authenticode timestamp and cannot be combined with /tr in the same command:

signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /n "Your Certificate Subject Name" "PathToExecutable.exe"

6. Verifying Your Signature

Always verify your signature after completion:

signtool verify /pa /all "PathToExecutable.exe"

The /pa switch applies the Authenticode verification policy; without it SignTool uses the kernel-mode driver signing policy and will reject a normal application signature. /all checks every signature on the file if it carries more than one. Add /v to print the signing certificate chain and the timestamp. A successful verification reports that the signature is valid and returns exit code 0; exit code 1 means failure and 2 means success with warnings, so a build script should treat anything other than 0 as a problem.
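SignTool reports whether a signature validates, but a release pipeline usually wants to enforce a policy as well: the right certificate signed the file, the certificate is an EV one, and a timestamp is present. The script below is an added example, not code from the original article, and uses PowerShell's built-in Get-AuthenticodeSignature cmdlet. The script name Check-Signature.ps1 and the parameters are assumptions; the EV policy OID check is a heuristic that reads the Certificate Policies extension of the signer certificate.

```powershell
# Check-Signature.ps1 (added example, not part of the original article)
# Usage: .\Check-Signature.ps1 -Path .\MyApp.exe, .\Helper.dll -ExpectedThumbprint <thumbprint>
param(
    [Parameter(Mandatory)] [string[]] $Path,
    [Parameter(Mandatory)] [string]   $ExpectedThumbprint
)

# CA/Browser Forum policy identifier for EV code signing certificates (assumption: your CA
# places it in the Certificate Policies extension, which is what the Baseline Requirements ask for).
$EvCodeSigningPolicyOid = '2.23.140.1.3'
$failures = 0

foreach ($file in $Path) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    $problems = @()

    # Status covers the hash check and chain building to a trusted root.
    if ($sig.Status -ne 'Valid') {
        $problems += "status is $($sig.Status): $($sig.StatusMessage)"
    }

    if ($null -eq $sig.SignerCertificate) {
        $problems += 'no signer certificate'
    } elseif ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {   # string -ne is case-insensitive
        $problems += "unexpected signer $($sig.SignerCertificate.Thumbprint)"
    } else {
        # 2.5.29.32 is the Certificate Policies extension; Format($true) renders it as text we can search.
        $policies = $sig.SignerCertificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
        if (-not $policies -or ($policies.Format($true) -notmatch [regex]::Escape($EvCodeSigningPolicyOid))) {
            $problems += 'signer certificate does not carry the EV code signing policy OID'
        }
    }

    # A signature with no countersignature stops validating when the certificate expires.
    if ($null -eq $sig.TimeStamperCertificate) {
        $problems += 'not timestamped'
    }

    if ($problems.Count -eq 0) {
        Write-Host "OK   $file  signed by $($sig.SignerCertificate.Subject)"
    } else {
        $failures++
        Write-Host "FAIL $file"
        $problems | ForEach-Object { Write-Host "       - $_" }
    }
}

if ($failures -gt 0) { exit 1 }
exit 0
```

Run it after signtool verify as a release gate; a non-zero exit code fails the build even when the signature is technically valid but was made with the wrong certificate or without a timestamp.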

Real-World Example

Let's say you have an application called "MyApp.exe" and your EV certificate is registered to "My Company, Inc." The signing process would look like:

signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /n "My Company, Inc." "C:\Projects\MyApp\bin\Release\MyApp.exe"

Batch Signing Multiple Files

To sign multiple files at once, create a batch script:

@echo off
setlocal
set SIGNTOOL="C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe"
set CERT_NAME="My Company, Inc."
set TSA=http://timestamp.digicert.com

for %%f in (*.exe *.dll) do (
    rem Stop at the first failure instead of reporting success regardless of the exit code.
    %SIGNTOOL% sign /tr %TSA% /td sha256 /fd sha256 /n %CERT_NAME% "%%f" || (
        echo Signing failed for %%f
        exit /b 1
    )
    echo Signed: %%f
)

echo All files signed successfully.
pause

Adjust the SDK version in the SIGNTOOL path to match your installation. Note that SignTool accepts several file names (and wildcards) in one invocation, so %SIGNTOOL% sign /tr %TSA% /td sha256 /fd sha256 /n %CERT_NAME% *.exe *.dll signs everything with a single token PIN prompt and fewer timestamp server requests; the loop form is mainly useful when you want per-file reporting.
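For a build machine, the batch approach above can be made more robust: locate SignTool without hard-coding an SDK version, pick the certificate by thumbprint so a renewed certificate cannot be selected by accident, sign every file in one invocation, and fall back to a second timestamp server if the first one is down. The PowerShell script below is an added example, not code from the original article. The thumbprint, release directory and timestamp servers are placeholders to replace with your own; it assumes the Windows 10/11 SDK is installed and that the token's driver has registered the certificate in the current user's Personal store.

```powershell
# Sign-Release.ps1 (added example, not part of the original article)
$ErrorActionPreference = 'Stop'

$Thumbprint       = '0000000000000000000000000000000000000000'   # placeholder: your EV certificate's thumbprint
$ReleaseDir       = 'C:\Projects\MyApp\bin\Release'               # placeholder
$TimestampServers = @('http://timestamp.digicert.com', 'http://timestamp.sectigo.com')

# Pick the newest x64 signtool.exe under the Windows Kits directory instead of hard-coding a version.
$signtool = Get-ChildItem "${env:ProgramFiles(x86)}\Windows Kits\10\bin\*\x64\signtool.exe" |
    Sort-Object { [version] $_.Directory.Parent.Name } -Descending |
    Select-Object -First 1
if (-not $signtool) { throw 'signtool.exe not found; install the Windows SDK.' }

# Fail early if the token is not present: the certificate only appears in CurrentUser\My while it is plugged in.
if (-not (Get-ChildItem "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction SilentlyContinue)) {
    throw "Certificate $Thumbprint is not in CurrentUser\My. Is the token inserted and its driver installed?"
}

$files = @(Get-ChildItem $ReleaseDir -Include *.exe, *.dll -Recurse | ForEach-Object { $_.FullName })
if ($files.Count -eq 0) { throw "Nothing to sign under $ReleaseDir" }

$signed = $false
foreach ($tsa in $TimestampServers) {
    # One invocation for all files: one PIN prompt, one TSA round trip per file.
    # Re-running after a partial failure is safe: without /as, signtool replaces the primary signature.
    & $signtool.FullName sign /sha1 $Thumbprint /fd sha256 /tr $tsa /td sha256 /v @files
    if ($LASTEXITCODE -eq 0) { $signed = $true; break }
    Write-Warning "signtool exited with code $LASTEXITCODE using $tsa; trying the next timestamp server"
}
if (-not $signed) { throw 'Signing failed with every timestamp server.' }

# /pa applies the Authenticode policy; without it signtool uses the kernel driver policy.
& $signtool.FullName verify /pa /all @files
if ($LASTEXITCODE -ne 0) { throw 'Post-signing verification failed.' }
Write-Host "Signed and verified $($files.Count) file(s)."
```

The timestamp fallback only helps with network or TSA outages; a failure caused by a wrong thumbprint or a missing token will repeat on every server, which is why the certificate check runs before any signing is attempted.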

Troubleshooting Common Issues

Certificate Not Found

If SignTool cannot locate your certificate, ensure:

  1. Your USB token is properly connected and its driver is installed (the certificate only appears in the store while the token is plugged in)

  2. The certificate subject name matches exactly (including spaces and punctuation), or use /sha1 with the thumbprint to avoid name matching altogether

  3. The certificate is listed under Personal in certmgr.msc for the account running SignTool; a session running as a different user (for example a build service account) will not see a certificate that the token middleware registered for your own account

Failed Timestamp

If timestamping fails:

  1. Check your internet connection and any proxy or firewall between the build machine and the timestamp server

  2. Verify the timestamp server is operational

  3. Confirm you are using /tr together with /td sha256, and not the legacy /t option in the same command

  4. Try an alternative timestamp server (e.g., http://timestamp.sectigo.com)

Access Denied

This typically indicates permission issues:

  1. Ensure you're running Command Prompt as Administrator

  2. Check if the file is being used by another process

  3. Verify you have write permissions for the target file

Conclusion

Signing your executables with an EV code signing certificate significantly increases user trust and reduces security warnings. The process may seem complex initially, but once set up, it can be easily integrated into your build process.

Remember that your EV certificate is a valuable security asset: anyone holding the token and its PIN can sign software in your company's name. Keep the token physically secure, never share its PIN, and remove it from the machine when it is not in use. With proper implementation, code signing becomes a seamless part of your software distribution workflow, establishing your reputation as a trustworthy developer.
