Windows Signing
Sign your Windows executables and installers with Authenticode. KestrelSign wraps signtool with a visual interface and handles certificate selection, timestamping, and verification.
Prerequisites
- Signtool.exe from the Windows SDK (KestrelSign's setup wizard will locate it)
- A valid code signing certificate installed in the Windows Certificate Store or on a hardware token
- Internet access for timestamping (recommended)
Certificate Types
OV (Organization Validation)
Standard code signing certificates that identify your organization. They are stored as software certificates (.pfx files) and can be imported into the Windows Certificate Store. Signed applications build SmartScreen reputation over time.
EV (Extended Validation)
Extended validation certificates provide immediate SmartScreen reputation, meaning users will not see a warning the first time they run your application. EV certificates are stored on a hardware token (USB device) such as a SafeNet eToken and require a PIN to use.
Tip: KestrelSign works with both OV and EV certificates. For EV certificates on SafeNet tokens, the setup wizard includes a SafeNet detection check and can help configure unattended signing by caching the token PIN for the session.
The Signing Process
1. Certificate Selection
KestrelSign reads your certificate store and presents available code signing certificates. You select which certificate to use in your project settings. The certificate's subject name (e.g., your company name) is used with signtool's /n flag to identify the certificate at signing time.
2. Signing
When you click Sign, KestrelSign invokes signtool with the appropriate flags. For a typical signing operation, this includes the certificate name, SHA-256 digest algorithm, and an RFC 3161 timestamp server URL.
3. Timestamping
Timestamps ensure your signature remains valid even after your certificate expires. KestrelSign uses RFC 3161 timestamp servers by default. You can configure which timestamp server to use in project settings -- DigiCert's server (http://timestamp.digicert.com) is the default.
4. Verification
After signing, KestrelSign runs signtool verify to confirm the signature is valid. The result is included in the signing report.
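As an added example (not KestrelSign's own code), the following PowerShell script carries out steps 1 through 4 from the command line, and also handles several files in one run as described under Batch Signing. It assumes signtool.exe is on PATH, that the hypothetical $SubjectName parameter matches your certificate's subject, and the DigiCert timestamp server named above.

```powershell
# Added example, not part of KestrelSign. Assumes signtool.exe is on PATH.
param(
    [Parameter(Mandatory = $true)] [string]   $SubjectName,   # e.g. your company name (hypothetical value)
    [Parameter(Mandatory = $true)] [string[]] $Files,         # one or more .exe/.dll/.msi paths
    [string] $TimestampUrl = 'http://timestamp.digicert.com'  # RFC 3161 server, the page's default
)

$ErrorActionPreference = 'Stop'

# Step 1: check that an unexpired code signing certificate with this subject
# is in the current user's store before calling signtool. This is the same
# check you would do by hand in certmgr.msc when signtool reports
# "certificate not found".
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -like "*CN=$SubjectName*" -and $_.NotAfter -gt (Get-Date) } |
    Select-Object -First 1
if (-not $cert) {
    throw "No unexpired code signing certificate with subject '$SubjectName' in Cert:\CurrentUser\My"
}
Write-Host "Using certificate: $($cert.Subject) (thumbprint $($cert.Thumbprint))"

# Steps 2 and 3: sign with a SHA-256 file digest and an RFC 3161 timestamp.
#   /n  selects the certificate by subject name
#   /fd file digest algorithm
#   /tr RFC 3161 timestamp server, /td digest algorithm for the timestamp
# signtool accepts several files in one invocation, which is what batch
# signing amounts to at the command line.
& signtool sign /n $SubjectName /fd SHA256 /tr $TimestampUrl /td SHA256 /v $Files
if ($LASTEXITCODE -ne 0) {
    # A failed timestamp request also makes signtool exit non-zero, so do
    # not ship a binary after a failure here.
    throw "signtool sign failed with exit code $LASTEXITCODE"
}

# Step 4: verify each file under the default Authenticode policy (/pa) and
# fail the build if any signature does not check out.
foreach ($f in $Files) {
    & signtool verify /pa /v $f
    if ($LASTEXITCODE -ne 0) { throw "Signature verification failed for $f" }
    Write-Host "Verified: $f"
}
```

Run it from a developer prompt where signtool.exe is on PATH, for example `.\sign.ps1 -SubjectName 'Example Corp' -Files app.exe,helper.dll`; with an EV token plugged in, the SafeNet client will prompt for the PIN at the sign step.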
Signing Installers
If you are building an NSIS installer (Pro feature), both the application executable and the installer itself should be signed. KestrelSign handles this as two signing steps: sign the application executable, build the installer, then sign the installer.
Batch Signing
KestrelSign supports signing multiple files in a single operation. This is useful when your project includes additional executables, DLLs, or helper programs that need to be signed alongside the main application.
Common Issues
Signtool not found
The Windows SDK may not be installed, or signtool may not be in a standard location. Run the setup wizard -- it searches common SDK paths and will tell you exactly where to install the SDK if needed.
Certificate not found
Your certificate may not be in the current user's certificate store, or it may have expired. Open certmgr.msc to check. For EV certificates, make sure the hardware token is plugged in.
SmartScreen warnings
With OV certificates, new applications need to build reputation with Microsoft SmartScreen. This happens automatically as users download and run your signed application. EV certificates bypass this requirement.