For several years now I have been digitally signing all my binary files – like setups or product executables.
But why is the digital signature of binary files so important?
If a binary file is digitally signed, the user who wants to execute the file can make sure it is the original file and that it was not modified in any way. Additionally, Windows Vista and Windows 7 User Account Control displays
instead of this ugly message box:

Besides that, app store systems like Intel AppUp also require that your setups are digitally signed.
To start, you first need a code signing certificate. If you are a developer in the Intel AppUp program, you get this directly from the AppUp developer website. Otherwise, you can get cheap certificates from Comodo here: http://codesigning.ksoftware.net
After you have received your code signing certificate, you can use a small GUI application for signing binary files.
Or, if you don’t like GUI applications or want to include the signing in your build process, you can create a small batch file like this and just drag & drop the binary file that you want to sign onto this batch file (or pass it as a parameter):
signtool.exe sign /f "certificate.pfx" /p "password" /t "http://timestamp.verisign.com/scripts/timstamp.dll" "%1"
Obviously you need to replace certificate.pfx with the file name of your certificate (which should be placed in the same directory as the batch file and the file signtool.exe) and password with the certificate password that you chose when exporting it from your web browser. To get the file signtool.exe, you need to download the free Microsoft Windows SDK.
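For a build process, a variant that keeps the password out of the batch file and fails the build when the signature does not verify is more useful. The following is an added example, not part of the original post; the environment variable name CODESIGN_PFX_PASSWORD is a hypothetical choice, and signtool.exe and certificate.pfx are assumed to sit next to the batch file as described above.

```batch
@echo off
setlocal
rem Added example: sign one file, then verify the signature.
rem Assumption: CODESIGN_PFX_PASSWORD (hypothetical name) is set by the
rem build machine, so the password never appears in this script.

set "SIGNTOOL=%~dp0signtool.exe"
set "PFX=%~dp0certificate.pfx"
set "TIMESTAMP_URL=http://timestamp.verisign.com/scripts/timstamp.dll"

rem Reject missing arguments, missing files and a missing password early.
if "%~1"=="" (
    echo Usage: %~nx0 file-to-sign
    exit /b 2
)
if not exist "%~1" (
    echo File not found: "%~1"
    exit /b 2
)
if not defined CODESIGN_PFX_PASSWORD (
    echo CODESIGN_PFX_PASSWORD is not set.
    exit /b 2
)

rem Same signtool call as in the post, with the password taken from the environment.
"%SIGNTOOL%" sign /f "%PFX%" /p "%CODESIGN_PFX_PASSWORD%" /t "%TIMESTAMP_URL%" "%~1"
if errorlevel 1 (
    echo Signing failed: "%~1"
    exit /b 1
)

rem /pa applies the default Authenticode verification policy;
rem /v prints the certificate chain and the timestamp.
"%SIGNTOOL%" verify /pa /v "%~1"
if errorlevel 1 (
    echo Verification failed: "%~1"
    exit /b 1
)

echo Signed and verified: "%~1"
exit /b 0
```

The non-zero exit codes let a build script stop when signing, timestamping or verification fails instead of shipping an unsigned file.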
Do you already digitally sign your binary files, too?