File Signing Tool (Signcode.exe)

The File Signing tool signs a portable executable (PE) file (.dll or .exe file) with an Authenticode digital signature. You can sign either an assembly or an individual file contained in a multifile assembly. If you are distributing an assembly, you should sign the assembly rather than the individual files. Running Signcode.exe without specifying any options launches a wizard that helps with signing.

signcode [options] filename | assemblyname
Argument Description
filename The name of the PE file to sign.
assemblyname The name of the assembly to sign. This file must contain an assembly manifest.
Option Description
-$ authority Specifies the signing authority of the certificate, which must be either individual or commercial. By default, Signcode.exe uses the certificate's highest permission.
-a algorithm Specifies the hashing algorithm for signing, which must be either md5 (the default) or sha1.
-c file Specifies the file that contains the encoded software publishing certificate.
-cn name Specifies the common name of the certificate.
-i info Specifies a place to get more information on content (usually a URL).
-j dllName Specifies the name of a DLL that returns an array of authenticated attributes for signing files. You can specify more than one DLL by repeating the -j option.
-jp param Specifies a parameter to be passed for the preceding DLL. For example: -j dll1 -jp dll1Param. The tool allows only one parameter per DLL.
-k keyname Specifies the key container name.
-ky keytype Specifies the key type, which must be signature, exchange, or an integer (such as 4).
-n name Specifies a text name that represents the content of the file to sign.
-p provider Specifies the name of the cryptographic provider on the system.
-r location Specifies the location of the certificate store in the registry, which must be either currentuser (the default) or localmachine.
-s store Specifies the certificate store that contains the signing certificate. The default is my store.
-sha1 thumbprint Specifies the thumbprint, which is the sha1 hash of the signing certificate included in the certificate store.
-sp policy Sets the certificate store policy, which must be either spcStore (the default) or chain. If you specify chain, all certificates in the verification chain, including self-signed certificates, are added to the signature. If you specify spcStore, trusted, self-signed certificates are not included with the certificates in the chain that are added to the signature.
-spc file Specifies the SPC file that contains software publishing certificates.
-t URL Indicates that the file is to be timestamped by the timestamp server at the specified http address.
-tr number Specifies the maximum number of timestamp trials until success; defaults to 1.
-tw number Specifies the delay (in number of seconds) between each timestamp trial. Defaults to 0.
-v pvkFile Specifies the private key (.pvk) file name that contains the private key.
-x Timestamps, but does not sign, the file.
-y type Specifies the cryptographic provider type to use.
-? Displays command syntax and options for the tool.


To sign with a software publisher certificate (SPC) file, you must specify the -spc ** and -v options if your private key is in a PVK file. If your private key is in a registry key container, you must specify the -spc ** and -k options. If you want to sign your file with an SPC file, you should create the SPC file using the Certificate Creation tool and the Software Publisher Certificate Test tool.


The following command signs XYZ.exe using the XYZ.spc Software Publisher Certificate and the private key in the registry key container XYZ.

signcode /spc XYZ.spc /k XYZ XYZ.exe

The following command signs the assembly myAssembly using the certificate in myCertificate.spc and the private key in myKey.pvk.

signcode /spc myCertificate.spc /v myKey.pvk  myAssembly

See Also

.NET Framework Tools | Permissions | Certificate Creation tool(Makecert.exe) | Software Publisher Certificate Test tool(Cert2spc.exe)