Q: What's the easiest way to digitally sign an internally developed application's executable?

To digitally sign an executable, you can use Microsoft's Authenticode code-signing technology and the Sign Tool command-line utility.

Jan De Clercq

May 30, 2012


A: You might have this question if you need to give partners an easy mechanism to check the trustworthiness and authenticity of an application that you use internally. To digitally sign an executable, you can leverage Microsoft's Authenticode code-signing technology.

Before you can get started, you'll need a code-signing certificate and its associated private key. You can generate your own code-signing certificate using your internal Windows public key infrastructure (PKI), or you can buy one from a commercial Certification Authority (CA) such as Verisign.

To do the actual code signing, you can use the Sign Tool (signtool.exe) command-line utility that Microsoft bundles in the Windows SDK. You can download the SDK for Windows 7 and .NET Framework 4 from the Microsoft Download Center.

As an example, to sign the mytool executable with Sign Tool, you would type the following at the command line:

signtool sign /a "c:\path\to\mytool.exe"

The /a switch makes Sign Tool automatically select the code-signing certificate that's valid for the longest time period, in case you have multiple code-signing certificates on your machine.

To easily verify the digital signature on the mytool.exe program with signtool.exe, you can type the following at the command line:

signtool verify /pa "c:\path\to\mytool.exe"

The /pa switch tells Sign Tool to use the default Authenticode verification policy. After Sign Tool has successfully validated the digital signature and all certificates in the signing certificate chain, it will report "Successfully verified" -- as Figure 1 shows for the xpsanalyzer.exe tool.


Figure 1: Output from the Sign Tool command-line utility verifying digital signatures

To get more details about the verification process, you can use the /v switch, as follows:

signtool verify /pa /v "c:\path\to\mytool.exe"

Output from this command is also shown in Figure 1. In this case, the tool reports "Number of Files Successfully Verified: 1" after a successful verification. For a detailed overview of the Sign Tool command syntax, check the MSDN "SignTool.exe" page.
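As an added example that is not part of the original article, the following PowerShell script performs the same two steps (sign, then verify) with the built-in Set-AuthenticodeSignature and Get-AuthenticodeSignature cmdlets instead of signtool.exe. It selects the code-signing certificate that is valid for the longest time, which is what the /a switch does, and it adds a timestamp so that the signature can still be verified after the signing certificate itself expires. The executable path and the timestamp server URL are placeholders that you must replace; the function names are this example's own.

```powershell
# Added example, not code from the original article.
# Assumptions: $ExePath and $TimestampUrl are placeholders; the Cert: drive,
# Set-AuthenticodeSignature and Get-AuthenticodeSignature are standard
# Windows PowerShell cmdlets.

param(
    [string]$ExePath      = 'C:\path\to\mytool.exe',   # placeholder path
    [string]$TimestampUrl = 'http://timestamp.example'  # placeholder timestamp server
)

function Select-LongestValidCodeSigningCert {
    # Mirror signtool /a: among code-signing certificates that are currently
    # within their validity period and have a private key, pick the one that
    # expires last.
    $now = Get-Date
    Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now -and $_.HasPrivateKey } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
}

function Invoke-SignAndVerify {
    param([string]$Path, [string]$Tsa)

    $cert = Select-LongestValidCodeSigningCert
    if (-not $cert) {
        throw 'No usable code-signing certificate with a private key found in Cert:\CurrentUser\My'
    }

    # Sign with SHA-256 and a timestamp so the signature remains verifiable
    # after the certificate's NotAfter date.
    $sig = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert `
               -HashAlgorithm SHA256 -TimestampServer $Tsa
    if ($sig.Status -ne 'Valid') {
        throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
    }

    # Equivalent of 'signtool verify /pa': re-read the signature from the file
    # and confirm that the whole chain validates under the default policy.
    $check = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File        = $Path
        Status      = $check.Status                      # expect 'Valid'
        Signer      = $check.SignerCertificate.Subject
        Thumbprint  = $check.SignerCertificate.Thumbprint
        NotAfter    = $check.SignerCertificate.NotAfter
        Timestamped = [bool]$check.TimeStamperCertificate
    }
}

Invoke-SignAndVerify -Path $ExePath -Tsa $TimestampUrl | Format-List
```

Run the script on the build machine that holds the signing key; a Status other than Valid (for example UnknownError or NotTrusted) means the signature or its chain will not pass the same default Authenticode policy that signtool verify /pa applies, so the binary should not be shipped to partners.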
