Skip to content

Instantly share code, notes, and snippets.

@MangaD

MangaD/code_signing_windows.md

Last active November 12, 2025 13:57
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save MangaD/e8f67fb39a35abdbf4ad26711c5957cc to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save MangaD/e8f67fb39a35abdbf4ad26711c5957cc to your computer and use it in GitHub Desktop.
Download ZIP
Code Signing on Windows: Why You Need It and How to Do It as an Individual Developer
Raw
code_signing_windows.md

Code Signing on Windows: Why You Need It and How to Do It as an Individual Developer

CC0

Disclaimer: ChatGPT generated document.

If you're a developer distributing Windows software, you've probably encountered this: a user downloads your .exe file, runs it, and Windows displays a security warning saying the publisher is unknown. This warning, triggered by Microsoft SmartScreen, can scare users away from running your software.

The solution? Code signing.

This article will explain what code signing is, why it's essential, and how you, as an individual developer, can sign your executables properly to avoid warnings on Windows.

What Is Code Signing?

Code signing is a process that uses a digital certificate to sign software or executables. This signature tells the operating system and the end user that:

  • The software comes from a verified source.
  • The code hasn't been altered or tampered with since it was signed.

Windows, macOS, and even browsers use this digital signature to establish trust.

Without code signing, Windows shows warnings like:

"Windows protected your PC. Windows SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk."

Why Code Signing Matters

  • Trust: Your name appears as the publisher instead of "Unknown Publisher".
  • Security: Users can verify that your executable hasn’t been modified.
  • SmartScreen Reputation: Signed applications gain trust over time, reducing warnings.
  • Professionalism: Shows you care about your users’ safety and your own reputation.

Are There Free Code Signing Certificate Authorities?

❌ Short answer: No.

There are currently no free trusted certificate authorities (CAs) that issue code signing certificates suitable for signing Windows .exe files.

Why?

  • Code signing involves verifying the identity of the developer.
  • Certificate Authorities must meet strict security and legal requirements.
  • Issuing a code signing certificate requires manual checks, and CAs bear legal liability.

📌 Note: Let's Encrypt and similar CAs only issue TLS certificates for websites. These cannot be used to sign code.

Trusted Certificate Authorities (Paid Options)

Here are some well-known CAs that offer code signing certificates:

CA Individual Support EV Option (bypass SmartScreen) Price Range
Sectigo (Comodo) ✅ Yes ❌ No (EV separate) ~$70–$150/year
DigiCert ❌ No (Org only) ✅ Yes ~$400–$800/year
SSL.com ✅ Yes ✅ Yes ~$80–$500/year
GlobalSign ❌ No (Org only) ✅ Yes ~$500+/year

You can find better deals from resellers, especially for Sectigo certificates. A few examples:

Make sure to verify reseller legitimacy.

Standard vs EV Certificates

There are two types of code signing certificates:

✨ Standard Code Signing Certificate

  • Can be stored as a .pfx file.
  • Requires a password.
  • Builds up SmartScreen reputation over time.
  • Suitable for most indie developers.

✨ Extended Validation (EV) Certificate

  • Required to bypass Microsoft SmartScreen immediately.
  • Requires a physical hardware token (USB key).
  • More expensive and involves stricter validation.
  • Best for companies or widely distributed software.

How to Sign an Executable

Once you have a .pfx certificate, you can use the signtool.exe utility to sign your executable.

Step-by-step:

  1. Store your certificate securely and do not commit it to version control.
  2. Use a secure password and ideally store it in an environment variable or GitHub secret.
  3. Example signing command:
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe" sign \
  /fd SHA256 \
  /f path\to\yourcert.pfx \
  /p YourPassword \
  /tr http://timestamp.digicert.com \
  /td SHA256 \
  yourapp.exe

You can automate this in CI/CD using GitHub Actions with secrets, decoding the .pfx from base64, and using PowerShell to sign.

What About Self-Signed Certificates?

You can technically generate a self-signed certificate, but:

  • Windows won’t trust it.
  • Users will still see warnings.
  • It won’t build SmartScreen reputation.

So it's only useful for internal testing, not public releases.

Final Thoughts

If you're distributing Windows software and care about user trust, signing your .exe is not optional — it's a must. While there are no free trusted options, affordable certificates are available for individuals, and they add a layer of professionalism and security to your projects.

Once signed, your software will start building a SmartScreen reputation, and over time, those warnings will fade away — just like the hesitation users feel when they know they can trust you.

Useful Links

Need help automating code signing in your pipeline? Reach out or drop a comment below!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment