Triple-Year Trust, Single Click.
Create a self-signed code-signing certificate (PFX), export the public CER, optionally install it into Trusted Root (CurrentUser), and sign one or many .exe files with a timestamp — all from a tiny Windows GUI.
- Self-signed PFX in one click (RSA-3072, exportable key, 3-year validity)
- Export .cer (public certificate) to share/trust on other machines
- Install to Trusted Root (CurrentUser) — no admin required
- Sign EXE(s) with SHA-256 digest and RFC-3161 timestamp
- signtool.exe auto-discovery (local file →
tools\→ Windows SDK → PATH) - Batch signing + log output + optional auto-verify (via
signtool verify) - Compact UI with toggleable log and .cer tools
- Help (F1) and About built in; optional splash and app icon via base64
⚠️ Self-signed certificates are useful for internal/testing use. Other PCs must install your.certo trust the signature. Windows SmartScreen reputation is separate and usually requires a CA-issued cert plus reputation.
- Windows 10/11
- Python 3.9+ (Tkinter included in the standard Windows installer)
- PowerShell 5+ or 7+ (the app prefers
pwshif available) - signtool.exe (from Windows 10/11 SDK or Visual Studio Build Tools)
Optional: placesigntool.exenext to the app or in atools\folder.
- Clone:
git clone https://github.com/<you>/CertifiCat.git cd CertifiCat
🛡️ Security Notes
Protect your PFX password — the PFX contains your private key.
Export and share only the .cer (public certificate).
Timestamping preserves signature validity after the cert expires.
Installing to Trusted Root (CurrentUser) affects only the current user.
🖱️ UI Tips
F1 opens Instructions; Help → About shows app info.
Toggle Show log to expand the log area.
The window auto-fits height based on visible sections.
🧩 How it works (tech notes)
Creates a self-signed code-signing cert via PowerShell:
New-SelfSignedCertificate -Type CodeSigningCert -KeyAlgorithm RSA -KeyLength 3072 -NotAfter (Get-Date).AddYears(3)
Exports to PFX with your password.
Exports .cer from the PFX using Get-PfxData.
Installs CER to Cert:\CurrentUser\Root via Import-Certificate, or falls back to certutil / .NET X509Store API.
Signs EXEs with signtool sign /fd sha256 /td sha256 /tr .
🐞 Troubleshooting
“signtool not found” Install the Windows SDK or point the signtool.exe Path to a local copy.
Timestamp server errors Try an alternative URL (see above).
Another PC still shows “Unknown publisher” They must install your .cer in CurrentUser\Trusted Root (or use a CA-issued cert).
SmartScreen warning Self-signed certs typically show it. CA-issued certs + reputation reduce it.
🧪 Roadmap
Optional EV/CA-issued cert support (PFX import only)
More timestamp fallbacks + auto-rotate
Separate “Verify signatures” button with detailed report
MSI build script
🤝 Contributing
PRs and issues welcome! Keep UI tidy, avoid external deps, and test on Windows 10/11.
📄 License
GPL-3.0 — see LICENSE .
❤️ Credits
Icons & app by nikkpap / ALU DEV TEAM. Thanks to the Windows SDK team for signtool.exe.