Sign executable for windows

si.graf · July 27, 2022, 6:20pm

Hi guys

I’m packaging a game for release and I just can’t get it signed so that it passes the Microsoft SmartScreen (“Running this app might put your PC at risk”).
For signing I bought an official code signing certificate. I’m using Unreal Engine 4.26 and packaging it as 64-bit shipping build for Windows.
When I try to sign the resulting executable “myGame.exe” it always throws an error.

I use the command:
“C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe” sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a /f mycertificate.pfx /p MY_CERT_PASSWORD “myGame.exe”.

The error message is:
SignTool Error: SignedCode::Sign returned error: 0x800700C1

After some research I found out that the executable in the root folder is a bootstrap-exe that does some sanity checks and calls a second executable in “root\myGame\Binaries\Win64\myGame-Win64-Shipping.exe”
Funny enough, this executable can be signed. This is not really useful though, since running the bootstrap-executable still is not recognized from Microsoft Smart Screen and shipping the signed but non-safe executable is not a good idea either.

We’re due to ship on Friday, and any help is greatly appreciated!

Astrotronic · July 27, 2022, 6:50pm

Hi Si Graf,

I don’t have any experience with Windows signing, but I’ve banged my head against keyboard plenty for Android + iOS signing so this piqued my interest.

I did a little bit of googling for that error, have you attempted to un-sign your exe first? (I wonder if Unreal tries to put some sort of signature on it, and that signature is interfering with the Microsoft Sign Tool)

Cheers

si.graf · July 27, 2022, 7:25pm

hi Astrotonic
Thanks for the fast reply!
I did check if the executable is already signed (in the properties window) and it‘s not. I also tried stripping any existing signatures with an utility called Delcert (delcert - Sign strip tool | XDA Forums) with no luck.

bayar513 · September 19, 2022, 10:56am

Hi si.graf
Have you found a solution for this issue?
I am having the same issue.

si.graf · September 21, 2022, 12:59pm

Hi @bayar513
We never managed to sign the executable in the root folder. Instead we decided to delete that exe. We now sign and use the executable in “root\myGame\Binaries\Win64\myGame-Win64-Shipping.exe”. This works fine for us so far.
I hope this helps!

solarisx · November 10, 2023, 11:36am

Hi

@si.graf thanks for this valuable tip.

I would like to mention another solution. Its a bit more complicated, but it explains the problem. Described by @DethNinja at Why does windows signtool report packaged .exe as invalid?