Blog | G5 Cyber Security

Sign Code with Authenticode to Bypass AV

TL;DR

Signing your code with a valid Authenticode certificate helps avoid false positives from antivirus (A/V) software. This guide shows you how to get a certificate and use it to sign executables, installers, and other files.

1. Get an Authenticode Certificate

You’ll need a code signing certificate from a trusted Certificate Authority (CA). Here are some options:

The process generally involves:

  1. Choosing a certificate type (Standard or Extended Validation). Extended Validation provides more trust but requires stricter identity verification.
  2. Providing company information and details about the signers.
  3. Generating a Certificate Signing Request (CSR) – see step 2.
  4. Validating your identity (usually through email, phone calls, or documentation).
  5. Purchasing and downloading the certificate.

2. Generate a Certificate Signing Request (CSR)

You’ll need to create a CSR using OpenSSL or PowerShell. Here’s how with OpenSSL:

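openssl req -newkey rsa:3072 -keyout yourcompany.key -out yourcompany.csr

Follow the prompts, providing accurate information. The Common Name (CN) should usually be your company name or domain. The key is 3072-bit RSA because the CA/Browser Forum baseline requirements for code signing certificates set that as the minimum RSA key size. The -nodes option is left out so that OpenSSL encrypts the private key file with a passphrase you enter at the prompt.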

3. Install the Certificate

Import the certificate into your Windows Certificate Store:

  1. Double-click the downloaded .cer file.
  2. Select “Install Certificate”.
  3. Choose “Local Machine” store.
  4. Select “Place all certificates in the following store”.
  5. Browse and select “Trusted Root Certification Authorities”.

4. Sign Your Code with Signtool

Signtool is a command-line tool included with the Windows SDK. Make sure you have it installed.

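Sign an executable with a SHA-256 file digest (/fd) and an RFC 3161 timestamp (/tr with /td). Recent versions of Signtool refuse to sign unless /fd is given:

signtool sign /f yourcompany.pfx /p yourpassword /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 yourfile.exe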

Replace:

5. Verify the Signature

Use Signtool to verify the signature:

signtool verify /pa yourfile.exe

This will confirm that the code is signed and hasn’t been tampered with.
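One way to automate this check before shipping, as an added example that is not part of the original guide: a PowerShell script built on the Get-AuthenticodeSignature cmdlet that, beyond what the verify command above reports, also pins the expected signer and requires a timestamp. The release folder and the thumbprint are placeholders you must set.

```powershell
# Added example: fail a release if any binary is unsigned, invalid,
# signed by an unexpected certificate, or missing a timestamp.
# $ReleaseDir and $ExpectedThumbprint are placeholders (assumptions).
param(
    [string]$ReleaseDir = '.\release',
    [string]$ExpectedThumbprint = '<YOUR-CERT-THUMBPRINT>'
)

function Test-ReleaseSignature {
    param([string]$Path, [string]$Thumbprint)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $problems = @()

    # Status is 'Valid' only when the file hash matches and the chain is trusted.
    if ($sig.Status -ne 'Valid') {
        $problems += "status is $($sig.Status): $($sig.StatusMessage)"
    }
    # Pin the signer so a valid signature from another publisher still fails.
    if ($null -eq $sig.SignerCertificate) {
        $problems += 'no signer certificate'
    } elseif ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
        $problems += "unexpected signer $($sig.SignerCertificate.Subject)"
    }
    # Without a timestamp the signature stops validating once the certificate expires.
    if ($null -eq $sig.TimeStamperCertificate) {
        $problems += 'no timestamp countersignature'
    }

    [pscustomobject]@{ File = $Path; Ok = ($problems.Count -eq 0); Problems = $problems -join '; ' }
}

$files = @(Get-ChildItem -Path $ReleaseDir -Recurse -File -Include *.exe, *.dll, *.msi)
if ($files.Count -eq 0) { Write-Error "no binaries found under $ReleaseDir"; exit 1 }

$results = $files | ForEach-Object {
    Test-ReleaseSignature -Path $_.FullName -Thumbprint $ExpectedThumbprint
}
$results | Format-Table -AutoSize -Wrap

$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Error "$($failed.Count) file(s) failed signature checks"
    exit 1
}
```

Run it as the last step of the build so that an unsigned or wrongly signed file stops the release with a non-zero exit code.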

6. Troubleshooting Common Issues
