Best and automated way to sign executables on Windows?

Hi there.

What I will ship is the “Editor”, not a game, btw.
I need to sign each executable UE generates during the build-from-source process, and I have a valid certificate to sign my executables. I can use my certificate with a call like this:

signtool sign /other /args

My RunUAT command to build the editor is based on BuildGraph:
RunUAT.bat BuildGraph -script="Engine/Build/InstalledEngineBuild.xml" -set:SignExecutables=true/false ...

This UAT command has a “SignExecutables” argument, which makes me think that the command should handle signing by itself, automatically. The only missing part is how I can indicate that my signing command is “this”, so that the tool signs executables by calling “this” command automatically during its process.

Feel free to comment on my method; I’ve never done this before. The BuildGraph solution seems the way to go for me, instead of manually signing each executable. I could be taking the wrong approach, I don’t know…

Also, please let me know if there are alternative methods for this process.

The Engine/Source/Programs/AutomationTool/AutomationUtils/CommandUtils.cs script uses CodeSignWindows.SigningIdendity as “Epic Games” and uses the machine store for the certificate. Since it signs with the switch that allows multiple signatures, you could use an automation script or a batch file to add your own signature. How did you proceed with it?

I modified the source code of the file you mentioned. There is some logic to sign the executables in that file; I replaced that information with mine.
The code is like “signtool <other_arguments>”; the other-arguments part is specific to you. I modified that part accordingly.
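
The alternative raised in the thread, leaving the engine's signing step untouched and adding your own signature with a script after the build, could look like the sketch below. It is an added example, not code from the thread or from Unreal Engine; the parameter names, certificate subject and timestamp URL are placeholders, and it assumes signtool.exe is on PATH and the certificate lives in the machine store.

```powershell
# Added example: sign every .exe/.dll under a build output directory with your own
# certificate, appending to any signature already present, then verify the result.
# Assumptions: $Root, $Subject and $TimestampUrl are placeholders supplied by you.
param(
    [Parameter(Mandatory)] [string] $Root,          # build output directory
    [Parameter(Mandatory)] [string] $Subject,       # subject name of your certificate
    [Parameter(Mandatory)] [string] $TimestampUrl   # RFC 3161 timestamp server of your CA
)

$ErrorActionPreference = 'Stop'
$signtool = (Get-Command signtool.exe).Source       # fail early if the tool is missing
$failed = @()

$binaries = Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll
foreach ($bin in $binaries) {
    # /sm: machine certificate store, /n: select the certificate by subject name
    $signArgs = @('sign', '/sm', '/n', $Subject,
                  '/fd', 'SHA256', '/tr', $TimestampUrl, '/td', 'SHA256')

    # /as appends a signature instead of replacing one that is already present
    if ((Get-AuthenticodeSignature -FilePath $bin.FullName).Status -ne 'NotSigned') {
        $signArgs += '/as'
    }

    & $signtool @signArgs $bin.FullName
    if ($LASTEXITCODE -ne 0) { $failed += $bin.FullName; continue }

    # /pa: default Authenticode policy, /all: check every signature in the file
    & $signtool verify /pa /all $bin.FullName
    if ($LASTEXITCODE -ne 0) { $failed += $bin.FullName }
}

if ($failed.Count -gt 0) {
    throw ("Signing or verification failed for:`n" + ($failed -join "`n"))
}
Write-Host "Signed and verified $($binaries.Count) files."
```

Running this as a post-build step fails the pipeline if any binary cannot be signed or verified, so an unsigned file does not slip into the shipped editor.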