Signing your executable using a Code Signing certificate

If you, like me, ever need to sign your executable tool or document using a code signing certificate, this guide may be helpful. In this post, I will tell you how to sign your executable using Certum’s SimplySign.

When searching for code signing certificate providers, one of the options is Certum. They offer some of the most affordable certificates (although still expensive). I needed to sign my freeware tool, AFT SonicDecloner, to distribute it to users and prevent it from triggering Windows notifications like “unverified program” or being flagged by antivirus software.

Certum provides a way to sign applications without any hardware tokens or readers. Instead, they offer a desktop tool called SimplySign, which you can install on Windows. It presents the certificate to Windows as if it were on a smart card in a local reader, while the private key itself stays on Certum's side in their cloud and each signing operation is sent there. This is also why you authenticate to it with a one-time token rather than by holding a key file.

Here is the procedure:

1. Purchase a Code Signing Certificate

First, you need to register with Certum and purchase one of their Cloud Code Signing certificates, either a standard one or an EV (Extended Validation) one. EV involves a more thorough identity check and is the most expensive option. The EV certificate cost me €379 for one year (as of the end of 2024).

2. Complete Identity Verification

Once purchased, you will need to go through an identity verification process, during which you will be asked to present various documents proving your identity. You will also need to pass a live presence test, an automated procedure using a webcam. The entire process takes about one week.

3. Activate Your Certificate

After your certificate is issued, the technical work begins.

You will receive two emails from Certum:

  • One email will include a special secret code — a sequence of letters.
  • Another email will provide a link to activate the certificate and information about the SimplySign mobile app, which is available on Google Play and the App Store.

Here’s what you need to do:

  1. Install the SimplySign app on your mobile device, but do not proceed further yet.
  2. On your computer, use the activation link from the Certum email to open a login page. The page will ask for the secret code, which you will enter. You will then be presented with a QR code on the screen.
  3. In the SimplySign app on your mobile device, enter your email address and select the option to authenticate using a QR code. Scan the QR code displayed on your computer screen with your phone’s camera.
  4. Once authenticated, choose the option indicating that your primary use of the app will be to generate tokens. A token is a short numeric one-time code that is valid for a limited time; SimplySign Desktop will ask you for one each time you log in.

4. Install SimplySign Desktop

  • Go to the Certum website and find the SimplySign Desktop installation. Install it on your computer. I used Windows, but other platforms are available.
  • After installation, run the application and enter your email address.
  • Open the SimplySign app on your mobile device and generate a token. Use this token on your computer to authenticate with SimplySign Desktop.
  • The SimplySign Desktop program will log you in if everything is done correctly. It will reside in the system tray near the clock. You can open it and see your available certificates. Voilà! You are authenticated and should now be able to sign.

5. Sign Your Application

Signing is done from the command line with signtool.exe, which ships with the Windows SDK (download it from Microsoft's Windows SDK page). When installing, select only the signing-tools component (labelled "Windows SDK Signing Tools for Desktop Apps" in current installers); you do not need anything else.

Once installed, open the Command Prompt. For this example, let's say your application is called hello.exe. Use the following command, adjusting the path to wherever your SDK version installed signtool.exe (current Windows 10/11 SDKs put it under C:\Program Files (x86)\Windows Kits\10\bin\<version>\x64\):

  "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe" sign /n "<certificate name>" /fd SHA256 hello.exe

Replace <certificate name> with the exact subject (common) name of your certificate as it appears in the certificate list in SimplySign Desktop. signtool looks the certificate up in the Windows certificate store that SimplySign Desktop exposes, so the desktop client must be logged in when you run the command; if it is not, signtool reports that no certificate matched. One caveat: a signature made this way is only trusted until the certificate expires. If you want signatures that outlive the certificate, also add an RFC 3161 timestamp (signtool supports this; Certum runs a public timestamp server), which is standard practice for anything you distribute.
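The same step as a PowerShell script, added here as an example (it is not the post's own command and not Certum's code). It locates signtool.exe in an installed Windows 10/11 SDK, checks that the SimplySign certificate is actually visible to Windows before trying to sign, signs with a SHA-256 digest plus an RFC 3161 timestamp, and verifies the result both with signtool and with PowerShell's own Authenticode view. Assumptions not stated on the page: SimplySign Desktop places the certificate in the current user's personal store (Cert:\CurrentUser\My), hello.exe and the subject name are placeholders, and http://time.certum.pl is Certum's public timestamp server (confirm against Certum's current documentation).

```powershell
# Added example, not from the original post or from Certum.
# Assumptions: SimplySign Desktop is logged in and exposes the certificate in
# Cert:\CurrentUser\My; $SubjectName is a placeholder; the timestamp URL is
# Certum's public RFC 3161 server (verify against their documentation).
param(
    [string]$File         = ".\hello.exe",
    [string]$SubjectName  = "<certificate name>",
    [string]$TimestampUrl = "http://time.certum.pl"
)

$ErrorActionPreference = "Stop"

# 1. Locate signtool.exe from an installed Windows 10/11 SDK; prefer the newest x64 build.
$signtool = Get-ChildItem "${env:ProgramFiles(x86)}\Windows Kits\10\bin\*\x64\signtool.exe" -ErrorAction SilentlyContinue |
    Sort-Object { [version]$_.Directory.Parent.Name } -Descending |
    Select-Object -First 1 -ExpandProperty FullName
if (-not $signtool) { throw "signtool.exe not found; install the Windows SDK signing tools." }

# 2. Confirm the cloud-held certificate is visible to Windows. If nothing is found,
#    SimplySign Desktop is not logged in (or the token session has expired).
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -like "*CN=$SubjectName*" -and $_.NotAfter -gt (Get-Date) } |
    Select-Object -First 1
if (-not $cert) {
    throw "No valid code-signing certificate with CN '$SubjectName' in Cert:\CurrentUser\My. Log in to SimplySign Desktop first."
}
"Using certificate: $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"

# 3. Sign with a SHA-256 file digest and an RFC 3161 timestamp.
#    /sha1 selects the certificate by thumbprint, which stays unambiguous even if
#    several certificates in the store share the same CN. The timestamp is what
#    keeps the signature valid after the certificate itself expires.
& $signtool sign /sha1 $cert.Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 4. Verify the way Windows will: /pa applies the default Authenticode policy.
& $signtool verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# 5. Cross-check with PowerShell's own Authenticode view of the file.
$sig = Get-AuthenticodeSignature -FilePath $File
if ($sig.Status -ne "Valid") { throw "Authenticode status is $($sig.Status): $($sig.StatusMessage)" }
"Signed by $($sig.SignerCertificate.Subject); timestamped by $($sig.TimeStamperCertificate.Subject)"
```

Selecting the certificate by thumbprint rather than by /n is deliberate: a name match silently picks whichever certificate signtool finds first, whereas the thumbprint pins the exact one you checked in step 2. Step 4 (signtool verify /pa) is worth running by hand too, since it fails if the chain or the timestamp is broken even when the sign step reported success.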

That’s it!