Skip to content

Code signing how-to

What is code signing and why is it required?


Code signing provides benefits to application security features like Windows Defender Application Control (WDAC). It allows the system to cryptographically verify that a file hasn't been tampered with before any code is to run.

Windows doesn't require software developers to digitally sign their code. Users can install applications from sites other than the Microsoft Store if they allow such applications to run. When code sign is provided, Windows reduces the number of warnings when running.


Code signing your app assures users that it's from a known source and hasn’t been modified since it was last signed. Signing uses a certificate issued by Apple.

How to obtain Certificate?

A certificate can be obtained from certification authority companies. Both Microsoft and Apple specify which companies are compatible with their respective platforms.


Many certification authority companies provide a certification for code signing for windows.

Certum Open Source developer certificate program

Certum(r) is one of the certification authority services provided by Asseco Ltd.

They provide discounted a code signing certificate to FOSS projects. They not only check developer individual identities but also check the project itself.

Comodo certificate for individuals

Comodo provides a certification with affordable prices for individuals.


Certificate issued by Apple

Application notarized by Apple




signtool.exe is a utility bundled with Windows SDK. SignTool is a command-line tool that digitally signs files, verifies the signatures in files, and time stamps files.

The tool is installed in the \Bin folder of the Microsoft Windows SDK installation path, for example C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe.

You can find more information at



osslsigncode is a small tool that implements part of the functionality of the Microsoft tool signtool.exe - more exactly the Authenticode signing and timestamping. osslsigncode is based on OpenSSL and cURL, and thus should be able to compile on most platforms where the commands exist.

See for more informations.


OpenSC is an open source smart card tools and middleware. It supports PKCS#11/MiniDriver/Tokend.

The list of supported hardware is at OpenSC Wiki.