Sign executable for windows

Hi guys

I’m packaging a game for release and I just can’t get it signed so that it passes the Microsoft SmartScreen (“Running this app might put your PC at risk”).
For signing I bought an official code signing certificate. I’m using Unreal Engine 4.26 and packaging it as 64-bit shipping build for Windows.
When I try to sign the resulting executable “myGame.exe” it always throws an error.

I use the command:
“C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe” sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a /f mycertificate.pfx /p MY_CERT_PASSWORD “myGame.exe”.

The error message is:
SignTool Error: SignedCode::Sign returned error: 0x800700C1

After some research I found out that the executable in the root folder is a bootstrap-exe that does some sanity checks and calls a second executable in “root\myGame\Binaries\Win64\myGame-Win64-Shipping.exe”
Funny enough, this executable can be signed. This is not really useful though, since running the bootstrap-executable still is not recognized from Microsoft Smart Screen and shipping the signed but non-safe executable is not a good idea either.

We’re due to ship on Friday, and any help is greatly appreciated!

Hi Si Graf,

I don’t have any experience with Windows signing, but I’ve banged my head against keyboard plenty for Android + iOS signing so this piqued my interest.

I did a little bit of googling for that error, have you attempted to un-sign your exe first? (I wonder if Unreal tries to put some sort of signature on it, and that signature is interfering with the Microsoft Sign Tool)

Cheers

hi Astrotonic
Thanks for the fast reply!
I did check if the executable is already signed (in the properties window) and it‘s not. I also tried stripping any existing signatures with an utility called Delcert (delcert - Sign strip tool | XDA Forums) with no luck.

Hi si.graf
Have you found a solution for this issue?
I am having the same issue.

Hi @bayar513
We never managed to sign the executable in the root folder. Instead we decided to delete that exe. We now sign and use the executable in “root\myGame\Binaries\Win64\myGame-Win64-Shipping.exe”. This works fine for us so far.
I hope this helps!

3 Likes

Hi

@si.graf thanks for this valuable tip.

I would like to mention another solution. Its a bit more complicated, but it explains the problem. Described by @DethNinja at Why does windows signtool report packaged .exe as invalid?

1 Like