PowerShell utility designed to simplify the code-signing process for MSI and EXE installers. This script wraps Microsoft's signtool.exe with a GUI for file selection and handles SHA256/RFC 3161 timestamping logic automatically.
- Dual File Pickers: Easily select both the target installer and the PFX certificate through a file picker
- Secure Password Handling: Captures certificate passwords securely via the command line
- SHA256 Compliance: Applies SHA256 hashing for both the file signature and the timestamp.
- Timestamping: Uses the DigiCert RFC 3161 server to ensure the signature remains valid even after the certificate expires.
- Output: Automatically stages verified signed binaries to `C:\Signed Installer`.
- Permissions: Run as Administrator.
- SignTool Path: This script requires `signtool.exe` and its associated binaries to be located at `C:\SignTool\`.
- Certificate: Requires a valid `*.pfx` code-signing certificate and its password.
signtool.exe is part of the official Windows SDK. To set up the C:\SignTool directory:
- Download the Windows SDK from the official Microsoft Download page.
- During installation, select "Windows SDK Signing Tools for Desktop Apps".
- Once installed, locate `signtool.exe` (normally in `C:\Program Files (x86)\Windows Kits\10\bin\<version>\x64\`) and copy it (along with its supporting .dll files) to your `C:\SignTool` folder.
- Run `Sign.ps1` as Administrator.
- Step 1: Select the MSI or EXE you want to sign.
- Step 2: Select your PFX certificate.
- Step 3: Enter the PFX password when prompted.
- Retrieve your signed installer from `C:\Signed Installer`.
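
The sign, verify and stage sequence described above, as an added example rather than the project's own `Sign.ps1`. The timestamp URL, the sample file paths and the function name `Invoke-SignAndStage` are assumptions; the `C:\SignTool` and `C:\Signed Installer` locations come from this README.

```powershell
# Added example, not the project's Sign.ps1. Paths under C:\SignTool and
# C:\Signed Installer follow the README; everything else is an assumption.
$SignTool  = 'C:\SignTool\signtool.exe'
$OutDir    = 'C:\Signed Installer'
$Timestamp = 'http://timestamp.digicert.com'   # assumed DigiCert RFC 3161 endpoint
$Target    = 'C:\Build\Setup.msi'              # hypothetical installer path
$Pfx       = 'C:\Certs\codesign.pfx'           # hypothetical certificate path

function Invoke-SignAndStage {
    param([string]$Target, [string]$Pfx, [securestring]$Password)

    # signtool's /p takes plaintext, so decrypt only for the duration of the call.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # /fd = file digest, /tr = RFC 3161 timestamp server, /td = timestamp digest
        & $SignTool sign /f $Pfx /p $plain /fd SHA256 /tr $Timestamp /td SHA256 $Target
        if ($LASTEXITCODE -ne 0) { throw "signtool sign failed ($LASTEXITCODE)" }
    }
    finally {
        # Wipe the unmanaged copy and drop the managed reference.
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }

    # /pa selects the default Authenticode verification policy.
    & $SignTool verify /pa $Target
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed ($LASTEXITCODE)" }

    # Independent check: the signature validates AND carries a timestamp,
    # which is what keeps it valid after the certificate expires.
    $sig = Get-AuthenticodeSignature -FilePath $Target
    if ($sig.Status -ne 'Valid') { throw "Signature status: $($sig.Status)" }
    if (-not $sig.TimeStamperCertificate) { throw 'Signature has no timestamp' }

    # Stage only after every check has passed.
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    Copy-Item -LiteralPath $Target -Destination $OutDir -Force
    Join-Path $OutDir (Split-Path $Target -Leaf)
}

$pw = Read-Host -Prompt 'PFX password' -AsSecureString
Invoke-SignAndStage -Target $Target -Pfx $Pfx -Password $pw
```

Because `/p` places the password on signtool's command line, process-creation logging that records command lines on the signing host will capture it, so access to those logs should be restricted accordingly.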
Note: Not currently tested on MSIX installers, but should work!
Developed by Aftab Khan | May 2026