{{Header}}
{{title|title=Authenticode - Windows Digital Software Signatures}}
{{#seo:
|description=Using signtool.exe to sign or verify digital signatures for Windows programs.
}}
{{verification_tools_mininav}}
{{intro|
Use [https://learn.microsoft.com/en-us/dotnet/framework/tools/signtool-exe signtool.exe] to sign or verify digital signatures for Windows applications.
}}
= Introduction =
{{Always_verify_signatures_reminder}}
{{Quotation
|quote=Authenticode employs digital signature technology to ensure the authorship and integrity of binary data, such as installable software.
|context=[https://learn.microsoft.com/en-us/windows/win32/seccrypto/time-stamping-authenticode-signatures Microsoft Windows website]
}}
{{Quotation
|quote=Authenticode enables vendors of downloadable executable code (like plug-ins or ActiveX controls) to attach digital certificates to their products. This reassures end users about the code's source and confirms it hasn't been altered. It allows users to decide whether to accept or reject online software components before downloading.
|context=[https://learn.microsoft.com/en-us/windows/win32/secgloss/a-gly Microsoft Security Glossary]
}}
= Install SignTool =
This guide provides steps to install SignTool on Windows 11 (stable release). If you're using earlier versions of Windows (Windows XP, Vista, 7, 8 or 10), replace the Windows 11 SDK installer mentioned below with the appropriate SDK Installer from the [https://developer.microsoft.com/en-us/windows/downloads/sdk-archive Windows SDK archives].
[https://docs.microsoft.com/en-us/dotnet/framework/tools/signtool-exe SignTool] is a Windows command-line utility using [https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode Authenticode] to digitally sign and verify files, as well as timestamp them. It's part of the [https://en.wikipedia.org/wiki/Microsoft_Windows_SDK Microsoft Windows SDK]. After setting it up, you can use SignTool to verify the gpg4win package prior to installation.
{{Box|text=
'''1.''' Get the Installer:
* Visit [https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk this link].
* Right-click on the installer download option → Save → Once downloaded, Run it.
'''2.''' Specify Installation Path:
Upon the installer's launch:
* Continue → set the installation path to C:\Users\\Downloads\Windows Kits\\WindowsSDK → Next.
'''Figure:''' ''Choose SDK Installation Path''
{{ContentImage|
[[image:sdk_installer_specify_download_path.png]]
}}
'''3.''' Choose the Correct Package:
The Windows SDK installer offers various packages. You only need Windows SDK Signing Tools for Desktop Apps (SignTool). Note that package names might vary across SDK versions. For instance, in SDK for Windows 8.1, the package containing SignTool is labeled as Windows Software Developmental Kit, different from its counterpart in Windows 10.
'''Figure:''' ''Select SignTool Package''
{{ContentImage|
[[image:select_sdk_features_for_download.png]]
}}
After selecting the necessary package, click on Download. Once the installation finishes, you can close the installer.
'''Figure:''' ''SDK Installation Completion''
{{ContentImage|
[[image:sdk_installer_download_complete.png]]
}}
'''4.''' Done.
Installation of SignTool has been completed.
}}
= Usage =
[https://learn.microsoft.com/en-us/dotnet/framework/tools/signtool-exe signtool.exe] can be utilized to sign and verify applications. Note the consistent lowercase usage for both commands.
Details on installing and using Authenticode and signtool.exe are currently [[undocumented]] in the {{project_name_long}} wiki. Implementing Authenticode is [[unspecific|not specific to {{project_name_long}}]].
It's essential to understand that while {{project_name_short}} provides documentation on many topics relevant to its users, it isn't the primary source for all Windows tools or processes, especially those created and maintained by external entities like Microsoft. If a tool like signtool.exe lacks user-friendly documentation from Microsoft, it isn't inherently the responsibility of {{project_name_short}} to fill that gap.
{{project_name_short}} focuses on its specific domain and features, ensuring that users have the best experience within that scope. While we strive to offer comprehensive guidance, we cannot be expected to compensate for the documentation shortfalls of every third-party tool or process. For more in-depth details or tutorials on using such tools, users are encouraged to consult the tool's official documentation or forums.
= User Account Control =
User Account Control (UAC) is closely related to Authenticode.
'''Figure:''' ''Windows signature verification window for VirtualBox''
{{ContentImage|
[[File:Virtualbox_windows_digital_software_verification.png|400px|border]]
}}
= Authenticode vs. User Account Control =
SignTool verifies the digital signature of a file, particularly checking the signing certificate's issuer, revocation status, and validity.
Although manually using signtool verify can enhance security, many users might skip this step.[
How frequently do you notice websites providing Windows software downloads along with digital software signatures?
]
Windows automatically validates the digital signatures of drivers and downloaded apps, especially those needing elevated privileges for installation, through User Account Control (UAC). However, this auto-validation is less comprehensive than manual signtool verify checks.
= Authenticode vs. Other Verification Tools =
Authenticode is based on [[SSL|The Broken Certificate Authority System]], which is dependent on trustworthy third parties.
Alternative verification standards or tools like [[OpenPGP]] or [[signify]] can deliver end-to-end digital software signatures without relying on third parties. If available, these alternatives are recommended.
= VirtualBox =
Windows' VirtualBox isn't signed using OpenPGP / gpg / signify but with Authenticode. This method is standard for most Windows downloadable applications.
On Linux based operating systems, osslsigncode can be used to verify the integrity of VirtualBox. See {{whonix_wiki
|wikipage=Dev/Windows_Installer#Verification_of_VirtualBox
|text=Verification of VirtualBox
}}.
= Troubleshooting =
== SignTool is not Recognized ==
'''Figure:''' ''SignTool not Recognized Error''
{{ContentImage|
[[image:signtool_command_not_recognized.png]]
}}
This error means the SignTool executable is not accessible through cmd.exe. A common cause for this error is SignTool was not installed in the user's [https://web.archive.org/web/20220707004040/https://john-dugan.com/path-variable-in-windows/?PageSpeed=noscript PATH]. To fix this issue add signtool.exe to your system PATH. [ https://www.godaddy.com/help/windows-cmd-signtool-is-not-recognized-as-an-internal-or-external-command-operable-program-or-batch-file-19987
]
Note: This solution is temporary and works only until the command prompt is closed. When the command prompt is restarted signtool.exe must be added to the system PATH again.
{{Box|text=
'''1.''' Open a command prompt.
In the Windows Start menu, run.
{{CodeSelect|code=
cmd.exe
}}
'''2.''' Add the path to signtool.exe to your system PATH.
The default installation path for signtool.exe:
x86 systems: C:\Program Files (x86)\Windows Kits\\bin\x86
x64 systems: C:\Program Files (x86)\Windows Kits\\bin\x64
Run the following command to add "path\to\signtool.exe" to your system PATH. Also be sure to add the Windows version to the path.
{{CodeSelect|code=
set PATH="path to signtool.ext";%PATH%
}}
For example, the following command adds the path for an x64 system.
{{CodeSelect|code=
set PATH="C:\Program Files (x86)\Windows Kits\\bin\x64";%PATH%
}}
}}
== SignTool Certificate Chain Error ==
'''Figure:''' ''Root Certificate Error''
{{ContentImage|
[[image:signtool_error_root_certificate_not_trusted.png]]
}}
This error message occurs if the /pa switch is not used with SignTool. This is because the default SignTool verify some_file.exe command uses the Windows Driver Verification Policy. [ See stackoverflow for further information: [https://stackoverflow.com/questions/11230091/whys-my-root-certificate-not-trusted Why's My Root Certificate Not Trusted?]] In order for the file to verify properly the /pa switch must be used so SignTool uses the Default Authentication Verification Policy.
= Footnotes =
{{Footer}}
[[Category:Documentation]]