Signing Windows files with SignTool and the Entrust KSP library

To sign files with SignTool – or other supported tools – and the Entrust KSP library, you need to identify the Entrust Code Signing Certificate to use, either by:

  • The certificate thumbprint.

  • The CN field of the Subject value.

You can obtain both values by running the following command in a PowerShell console.

get-childitem cert:\CurrentUser\MY

For example:

>Get-ChildItem Cert:\CurrentUser\My

PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                               Subject
----------                               -------
5226DA79***************17F23832800BA2A   CN=Entrust, ........

See below for how to sign Windows files with these values.

Running SignTool with the Entrust validation certificate CN

The following command signs the Windows file in the <file_path> path and identifies the Entrust validation certificate with the <subject_cn> subject CN.

signtool sign /n "<subject_cn>" /fd SHA256 /tr "http://timestamp.entrust.net/rfc3161ts2" /td SHA256 <file_path>

For example:

>signtool sign /n "Entrust" /fd SHA256 /tr "http://timestamp.entrust.net/rfc3161ts2" /td SHA256 ./demo.exe
Done Adding Additional Store
Successfully signed: ./demo.exe

Running SignTool with the Entrust validation certificate thumbprint

The following command signs the Windows file in the <file_path> path and identifies the Entrust validation certificate with the <cert_thumbprint> thumbprint.

signtool sign /sha1 "<cert_thumbprint>" /fd SHA256 /tr "http://timestamp.entrust.net/rfc3161ts2" /td SHA256 <file_path>

For example:

>signtool sign /sha1 "5226DA79***************17F23832800BA2A" /fd SHA256 /tr "http://timestamp.entrust.net/rfc3161ts2" /td SHA256 ./demo.exe
Done Adding Additional Store
Successfully signed: ./demo.exe
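The lookup-then-sign procedure above, combined into one script as an added example (this is not Entrust's own code). It resolves the thumbprint from the subject CN inside Cert:\CurrentUser\My, signs by thumbprint rather than by CN so a second certificate with the same CN cannot be picked up, and then verifies the result with "signtool verify" and Get-AuthenticodeSignature. It assumes signtool.exe is on PATH; the CN "Entrust", the timestamp URL and the demo.exe path are the values used on this page.

```powershell
# Added example, not from the Entrust documentation. Assumes signtool.exe is on PATH
# and that the KSP-backed Entrust certificate is installed in CurrentUser\My.
param(
    [Parameter(Mandatory)] [string] $FilePath,                      # e.g. .\demo.exe
    [string] $SubjectCN    = 'Entrust',                             # CN shown by Get-ChildItem Cert:\CurrentUser\My
    [string] $TimestampUrl = 'http://timestamp.entrust.net/rfc3161ts2'
)

$codeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

# Keep only certificates whose subject CN matches, that carry the Code Signing EKU
# and are inside their validity period. A bare CN match (signtool /n) would also
# accept an expired or non-code-signing certificate with the same name.
$now = Get-Date
$candidates = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.Subject -match "(^|,\s*)CN=$([regex]::Escape($SubjectCN))(,|$)" -and
    ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $codeSigningEku) -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now
})

if ($candidates.Count -eq 0) { throw "No valid code signing certificate with CN=$SubjectCN found." }
if ($candidates.Count -gt 1) {
    throw "Several certificates match CN=$SubjectCN; pass the thumbprint explicitly: $($candidates.Thumbprint -join ', ')"
}
$thumbprint = $candidates[0].Thumbprint

# Sign by thumbprint (unambiguous), SHA-256 file digest, RFC 3161 timestamp so the
# signature remains valid after the certificate itself expires.
& signtool sign /sha1 $thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 $FilePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy, then confirm that the signer is
# exactly the certificate selected above and not some other trusted certificate.
& signtool verify /pa /v $FilePath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

$sig = Get-AuthenticodeSignature -FilePath $FilePath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $thumbprint) {
    throw "Unexpected signature on ${FilePath}: status=$($sig.Status), signer=$($sig.SignerCertificate.Thumbprint)"
}
"Signed and verified $FilePath with certificate $thumbprint"
```

Run it as `.\Sign-WithEntrust.ps1 -FilePath .\demo.exe` (any script name works); it stops with an error rather than signing when the CN is ambiguous or the selected certificate is unusable.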