A: You might have this question if you need to give partners an easy mechanism to check the trustworthiness and authenticity of an application that you use internally. To digitally sign an executable, you can leverage Microsoft's Authenticode code-signing technology.
Before you can get started, you'll need a code-signing certificate and associated private key. You can generate your proper code-signing certificate using your internal Windows public key infrastructure (PKI) or you can buy one from a commercial Certification Authority (CA) such as Verisign.
To do the actual code signing, you can use the Sign Tool (signtool.exe) command-line utility that Microsoft bundles in the Windows SDK. You can download the SDK for Windows 7 and .NET Framework 4 from the Microsoft Download Center.
As an example, to sign the mytool executable with Sign Tool, you would type the following at the command line:
signtool sign /a "c:\path\to\mytool.exe"
The /a switch makes Sign Tool automatically select the code-signing certificate that's valid for the longest time period in case you have multiple code-signing certificates on your machine.
To easily verify the digital signature on the mytool.exe program with signtool.exe, you can type the following at the command line:
signtool verify /pa "c:\path\to\mytool.exe"
The /pa switch tells Sign Tool to use the default Authenticode verification policy. After Sign Tool has successfully validated the digital signature and all certificates in the signing certificate chain, it will report "Successfully verified" -- as Figure 1 shows for the xpsanalyzer.exe tool.
To get more details about the verification process, you can use the /v switch, as follows:
signtool verify /pa /v "c:\path\to\mytool.exe"
Output from this command is also shown in Figure 1. In this case, the tool reports "Number of Files Successfully Verified: 1" after a successful verification. For a detailed overview of the Sign Tool command syntax, check the MSDN "SignTool.exe" page.