Background:
When a self or internally developed application that is not signed with a well-known code signing certificate, Windows will prompt the following Security Warning when the app is run:
Open File - Security Warning
The publisher could not be verified. Are you sure you want to run this software?This warning is typically benign and most sys admins know what they are doing when such applications are being used. However, when an app is being distributed to client workstations and end users see this message, they might be deterred (which is a good thing) or cause unnecessary complaints to the help desk.
If it’s not feasible to obtain a well-known code signing certificate, signing the application with a self generated certificate could be a good solution for internal use. After the cert is generated and the application signed, all you need to do is deploy the cert to your client machines (using GPO or other RMM tools).
Steps:
1. Either use Visual Studio or install the Windows SDK which includes the Microsoft SignTool.
2. Generate a certificate:
$cert = New-SelfSignedCertificate -DNSName "www.yourdomain.com" -CertStoreLocation Cert:\LocalMachine\My -Type CodeSigningCert -Subject "YOUR_APPLICATION_NAME"3. Export the certificate into a .pfx certificate file using “Manage computer certificates” or the Export-PfxCertificate cmdlet.
4. Use the SignTool to sign the exe file with the exported .pfx certificate.
signtool sign /f YOUR_CERT_FILE.pfx /p YOUR_CERT_PASS /fd SHA256 "YOUR .EXE"
If you encounter the following error, set the PATH to your signtool.exe file using the following command:
'Signtool' is not recognized as an internal or external command, operable program or batch file.
set PATH=<full-path-to-your-signtool.exe>;%PATH%5. Deploy the certificate and the signed exe file to client workstations.