Windows code-signing in 5 minutes or less

Note: this might be unsafe - only use this as a quick reference if you know what you’re doing.

 Create the self-signed certificate


Save this into ssl.cfg or similar.


distinguished_name = req_distinguished_name
req_extensions = default_req_extensions

# empty


basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation
extendedKeyUsage = critical, codeSigning, msCodeInd, msCodeCom

 Make the certificate and private key

ssl.cfg refers to the file created above. Adjust the subject as necessary.

openssl req -x509 -newkey rsa -keyout testkey.pem -nodes -days 3650 -sha256 -config ssl.cfg -subj "//CN=Demo code-signing certificate" -out testcert.pem

You can get OpenSSL in either Git for Windows or Cmder.

 Create a PFX and import it into your personal certificate store

openssl pkcs12 -export -inkey testkey.pem -in testcert.pem -out testpfx.pfx -nodes -passout pass:

Open mmc.exe, add the Certificates snap-in and select My user account, then right-click on the Personal trust store and Import.

 Import the certificate into the system’s trust store


In the previously opened window, right-click on Trusted Root Certification Authorities and import the certificate (and not the PFX which includes the private key).


Remove the user-specific certificates snap-in and add a Computer account certificates snap-in, then do as outlined above to import the certificate.

 Sign some code

"C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe" sign mybinary.exe

You can get signtool from Microsoft’s Windows 7 SDK.


Now read this

Setting an alternative shell in macOS Terminal

After switching to Zsh on my new Mac I noticed a little issue with the built-in Terminal. When using the default Bash shell, the app could tell whether a process (besides the shell) was running in it and present a confirmation if you... Continue →