Code Signing from Explorer Context Menu using SignTool and Hstart

After Windows Vista came out, many developers started to use code signing certificates to digitally sign their software and installation packages. This tutorial describes how to add a context menu to Windows Explorer to quickly sign executable files and DLLs on a development workstation. The result looks like the following screenshot:

[Screenshot: Explorer context menu with the "Add digital signature" entry]

SignTool is a command-line utility that digitally signs files, verifies signatures in files, or time stamps files. It is available as part of the Windows SDK, which can be downloaded from the Microsoft website. The command line looks like the following:

signtool.exe sign /a /t <URL of timestamp server> Sample.exe

SignTool is mainly used in post-build scripts, but it is often necessary to sign a standalone EXE or DLL without running a complete build script. Personally, I often perform quick tests of my software, and these tests require the executables to be signed.

I use the following Hstart command line to run SignTool without a console window:

hstart /NOCONSOLE /WAIT /MSG="Successfully signed and timestamped!"
       /ERRMSG="An error occurred while signing (signtool.exe)."
       /TITLE="Digital Signature" ""C:\WSDK\Bin\signtool.exe" sign /a /t
       http://timestamp.comodoca.com/authenticode "Sample.exe""

After signing is done (note the /WAIT switch), a simple message is displayed telling me that everything is OK:

Successfully signed and timestamped!

If something goes wrong (for example, if the EXE file is read-only or if the timestamp server is not accessible), SignTool returns an error and the following message is displayed:

An error occurred while signing (signtool.exe).

To enable this Shell command, create a new .REG file with the following content:

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\SIGNTOOL]
@="Add digital signature"
[HKEY_CLASSES_ROOT\exefile\shell\SIGNTOOL\command]
@="\"E:\\BIN\\hstart.exe\" /NOCONSOLE /WAIT /MSG=\"Successfully signed and timestamped!\" /ERRMSG=\"An error occurred while signing (signtool.exe).\" /TITLE=\"Digital Signature\" \"\"C:\\WSDK\\Bin\\signtool.exe\" sign /a /t http://timestamp.comodoca.com/authenticode \"%1\"\""

A few notes on the REG file:

  1. REG files treat the backslash as an escape character: inside a quoted data value, every double quote and every backslash must be preceded by a backslash (\\ => \ and \" => ").
  2. Replace "E:\BIN\hstart.exe" and "C:\WSDK\Bin\signtool.exe" with your own paths.
  3. Create the same Shell command for HKEY_CLASSES_ROOT\dllfile to enable this feature for DLL files too.

The sample REG file is included in the Hstart package (see Examples\SignTool).
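The Hstart command line above and the REG file with its three notes can be generated and checked mechanically rather than escaped by hand. The following Python script is an added example and is not code from the Hstart package or from this page. It assumes the page's sample paths (E:\BIN\hstart.exe and C:\WSDK\Bin\signtool.exe), the Comodo timestamp URL and an output file name of add_signature.reg; replace all of these with your own. It builds the Hstart command line, applies the backslash escaping from note 1, writes the same Shell command for both exefile and dllfile (note 3), reads the value back to confirm that the escaping round-trips to the intended command, and reports tool paths that do not exist (note 2). Since /a lets SignTool choose the signing certificate automatically, the generated command is worth reviewing on a workstation that holds more than one code signing certificate.

```python
"""Generate the context-menu .reg file for SignTool + Hstart.

Added example; it is not part of the Hstart package or the original page.
The tool paths, timestamp URL and output file name below are assumptions
taken from the page's sample values: replace them with your own.
"""
from __future__ import annotations

import os
import re

HSTART_EXE = r"E:\BIN\hstart.exe"           # assumed location of hstart.exe
SIGNTOOL_EXE = r"C:\WSDK\Bin\signtool.exe"  # assumed location of signtool.exe
TIMESTAMP_URL = "http://timestamp.comodoca.com/authenticode"
FILE_CLASSES = ("exefile", "dllfile")       # same command for EXE and DLL files
OUTPUT_FILE = "add_signature.reg"           # hypothetical output file name


def build_command_line(hstart: str = HSTART_EXE, signtool: str = SIGNTOOL_EXE,
                       timestamp_url: str = TIMESTAMP_URL) -> str:
    """Return the Hstart command line exactly as the shell will run it.

    Hstart takes the whole SignTool command as one argument, so that command
    is wrapped in its own pair of double quotes; %1 is the file that was
    right-clicked in Explorer. /a lets SignTool pick the signing certificate
    automatically, so check which certificates are in your store.
    """
    inner = f'"{signtool}" sign /a /t {timestamp_url} "%1"'
    return (f'"{hstart}" /NOCONSOLE /WAIT '
            '/MSG="Successfully signed and timestamped!" '
            '/ERRMSG="An error occurred while signing (signtool.exe)." '
            f'/TITLE="Digital Signature" "{inner}"')


def reg_escape(value: str) -> str:
    """Escape a string for a quoted REG_SZ value (backslash and double quote).

    Backslashes are doubled first; otherwise the backslash inserted in front
    of each quote would itself be doubled afterwards.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"')


def reg_unescape(value: str) -> str:
    """Inverse of reg_escape, used to check the round trip."""
    return re.sub(r'\\(["\\])', r'\1', value)


def build_reg_file(hstart: str = HSTART_EXE, signtool: str = SIGNTOOL_EXE,
                   timestamp_url: str = TIMESTAMP_URL) -> str:
    """Return the text of a .reg file registering the command for each class."""
    command = reg_escape(build_command_line(hstart, signtool, timestamp_url))
    lines = ["Windows Registry Editor Version 5.00", ""]
    for cls in FILE_CLASSES:
        lines += [
            f"[HKEY_CLASSES_ROOT\\{cls}\\shell\\SIGNTOOL]",
            '@="Add digital signature"',
            "",
            f"[HKEY_CLASSES_ROOT\\{cls}\\shell\\SIGNTOOL\\command]",
            f'@="{command}"',
            "",
        ]
    return "\r\n".join(lines)   # regedit expects CRLF line endings


def parse_commands(reg_text: str) -> dict[str, str]:
    """Read back the default value of every SIGNTOOL command key, unescaped."""
    key_re = re.compile(r"\[HKEY_CLASSES_ROOT\\(\w+)\\shell\\SIGNTOOL\\command\]")
    commands: dict[str, str] = {}
    current = None
    for line in reg_text.splitlines():
        match = key_re.fullmatch(line)
        if match:
            current = match.group(1)
        elif current and line.startswith('@="') and line.endswith('"'):
            commands[current] = reg_unescape(line[3:-1])
            current = None
    return commands


def missing_tools(*paths: str) -> list[str]:
    """Return the tool paths that do not exist (note 2: adjust them first)."""
    return [p for p in paths if not os.path.isfile(p)]


if __name__ == "__main__":
    text = build_reg_file()
    # Sanity check: the escaped value must decode to the intended command line.
    assert parse_commands(text)["exefile"] == build_command_line()
    for path in missing_tools(HSTART_EXE, SIGNTOOL_EXE):
        print(f"warning: {path} not found, edit the path before importing")
    with open(OUTPUT_FILE, "w", newline="") as fh:   # keep the CRLFs as written
        fh.write(text)
    print(text)
```

Run the script, review the printed file, then import add_signature.reg with regedit; the warning lines tell you which of the two tool paths still need to be changed.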
