Sign executable on Windows
Requirements
- Signtool
- public certificate (.cer, .crt or .pem)
- private key (.key)
- openssl (tested on mingw64)
Install signtool
You need to install the Windows SDK (Windows SDK 10.0.10240).
Then Signtool should be installed in:
```bash
x86 -> c:\Program Files (x86)\Windows Kits\10\bin\x86
x64 -> c:\Program Files (x86)\Windows Kits\10\bin\x64
```
Generate .pfx file
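You can use openssl to generate a .pfx file from your private key and public certificate.
On Windows, openssl is available through mingw64.
openssl prompts for an export password; this is the `<PASSWORD>` that signtool needs when it opens the .pfx.
```bash
openssl pkcs12 -export -out <CERTIFICATE_NAME>.pfx -inkey <PRIVATE_KEY>.key -in <PUBLIC_KEY>.cer
```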
Sign executable
```bash
signtool sign /f <CERTIFICATE_NAME>.pfx /p <PASSWORD> <EXECUTABLE>
```
Bonus: sign multiple files
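```powershell
# Folder containing the executables to sign
$folderPath = "D:\_install\bin"
$exeFiles = Get-ChildItem -Path $folderPath -Filter *.exe

# Sign each .exe with the same .pfx (no /p here: assumes the .pfx has no password)
foreach ($exeFile in $exeFiles) {
    & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" sign /f D:\certificate.pfx $exeFile.FullName
}
```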
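
A hardened variant of the batch loop above, added here as an example and not part of the original page: it keeps the .pfx password off the signtool command line by importing the certificate and selecting it by thumbprint, signs with a SHA256 digest and an RFC 3161 timestamp, and verifies every file afterwards. The paths are the ones used on this page; the timestamp URL is a placeholder, and importing into `Cert:\CurrentUser\My` is an assumption about how you want to hold the key during the run.

```powershell
# Added example. Paths reuse the page's values; the timestamp URL is a placeholder.
$signtool     = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe'
$folderPath   = 'D:\_install\bin'
$pfxPath      = 'D:\certificate.pfx'
$timestampUrl = 'http://timestamp.example.com'   # placeholder: your CA's RFC 3161 service

# Prompt for the .pfx password so it is not stored in the script or in shell history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import into the current user's store. signtool then picks the certificate by
# thumbprint (/sha1), so no password appears in the signtool process arguments.
$cert = Import-PfxCertificate -FilePath $pfxPath `
            -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword

try {
    $failed = @()
    foreach ($exe in Get-ChildItem -Path $folderPath -Filter *.exe) {
        # /fd = file digest algorithm; /tr + /td = RFC 3161 timestamp server and its digest.
        # The timestamp lets the signature stay verifiable after the certificate expires.
        & $signtool sign /sha1 $cert.Thumbprint /fd SHA256 /tr $timestampUrl /td SHA256 $exe.FullName
        if ($LASTEXITCODE -ne 0) { $failed += $exe.FullName; continue }

        # Independent check with the built-in cmdlet. Status is 'Valid' only when the
        # chain ends in a root this machine trusts (a self-signed cert will not pass).
        $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
        if ($sig.Status -ne 'Valid' -or -not $sig.TimeStamperCertificate) {
            $failed += $exe.FullName
        }
    }
    if ($failed.Count -gt 0) {
        throw "Signing or verification failed for: $($failed -join ', ')"
    }
}
finally {
    # Remove the certificate and its private key from the store once signing is done.
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
}
```

Recent SDK builds of signtool refuse to sign without an explicit `/fd`, so the digest flag is needed there even if you keep the page's `/f` and `/p` form.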