Windows Code Signing exe file


One often creates Windows executable files by compiling code or to share scripts such as PowerShell or Python. An anti-malware application will treat such files as threats and, ideally, quarantine or kill them.

Executing binary files without a digital signature is not recommended. For example, if the host is compromised and an attacker creates a malware file with the same name, how would the user know? Excluding file names or paths in an anti-malware application carries the same risk. One could use hashes for exclusion instead, but each time you compile the file a new hash is generated.

Code signing is a better way. One could add the signer's certificate to the exclusion settings of the end-user security product, without worrying about versions. Below I describe an experiment with Windows SignTool, which is part of the Windows SDK. There are different versions of the SDK for different OS versions; for the present case I have used the Windows 10 SDK.

Step 1. Create a Code Signing certificate.

I have used PowerShell to generate my Code Signing Certificate. However, one may use alternate options.

Create a Code Signing Certificate in PowerShell
# Create a self-signed code-signing certificate in the current user's Personal store
New-SelfSignedCertificate -CertStoreLocation cert:\currentuser\my `
-Subject "CN=myEmail" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
-KeyExportPolicy Exportable `
-KeyUsage DigitalSignature `
-Type CodeSigningCert
# List the store to confirm the new certificate and note its thumbprint
dir cert:\currentuser\my

Tip: Replace myEmail by your email.

Step 2. Sign the exe file.

From your Windows menu launch the Deployment and Imaging Tools Environment. This is created by the SDK. Please note one would also use this environment to create WinPE, which is beyond the scope of the current discussion. We use SignTool for signing.


The exe file is now signed by the certificate you generated in step 1. One could verify it by checking the file's properties (Digital Signatures tab).

Properties of a digitally signed exe file
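One way to carry out step 2 from a script and then check the result, as an added example that is not part of the original article: it assumes signtool.exe from the Windows 10 SDK is on PATH (as it is inside the Deployment and Imaging Tools Environment), that the step 1 certificate subject is CN=myEmail, and a hypothetical target file .\myapp.exe.

```powershell
# Added example (not from the article): sign a binary with the step 1
# certificate via SignTool, then read the signature back from PowerShell.
# Assumptions: signtool.exe is on PATH, the certificate subject is
# "CN=myEmail" as in step 1, and .\myapp.exe is a hypothetical target file.
param(
    [string]$ExePath = ".\myapp.exe",
    [string]$Subject = "CN=myEmail"
)

# Select the certificate by subject and take the newest one, rather than by
# array index, so a second code-signing cert in the store is not used by mistake.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No code-signing certificate with subject $Subject in Cert:\CurrentUser\My" }

# /fd SHA256 = digest algorithm for the file hash; /sha1 = choose the signing
# certificate by thumbprint, which is unambiguous even with several certs.
& signtool.exe sign /fd SHA256 /sha1 $cert.Thumbprint /v $ExePath
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# Read back the Authenticode signature. With a self-signed certificate the
# Status is 'UnknownError' (chain ends in a root that is not trusted) until the
# certificate is imported into the trusted roots; 'HashMismatch' means the file
# was altered after signing; 'NotSigned' means no signature is present.
$sig = Get-AuthenticodeSignature -FilePath $ExePath
[pscustomobject]@{
    File       = $ExePath
    Status     = $sig.Status
    StatusText = $sig.StatusMessage
    Signer     = $sig.SignerCertificate.Subject
    Thumbprint = $sig.SignerCertificate.Thumbprint
    SignedByUs = ($sig.SignerCertificate.Thumbprint -eq $cert.Thumbprint)
}
```

The SignedByUs field is the check to keep for an anti-malware exclusion: it ties the file to your signer's thumbprint rather than to a file name, path or per-build hash.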

Please refer to my article on sharing Python scripts as Windows Executable files.

Thanks for sharing this. Do I need to buy a CA cert before to use your method to sign the app?


# Pick the second code-signing cert from the store, in case you have multiple certs
$cert = @(Get-ChildItem cert:\CurrentUser\My -CodeSigningCert)[1]
# pickfile is the commenter's own file-chooser helper; it is not defined here
$fl = pickfile
Set-AuthenticodeSignature -FilePath $fl -Certificate $cert
# To delete old certs, e.g., use the thumbprint
Remove-Item -Path cert:\CurrentUser\My\F4ADCC416778C290C5629AA4F01A950D53B01E7F -DeleteKey
