Digitally signing an executable to prevent blocking by Symantec Endpoint

No digital signature that you can locally generate will be accepted by Symantec Endpoint Protection.

The signature must be one that is recognized by Symantec, meaning a code-signing signature that was bought from a seller known and trusted by Symantec.

One method for avoiding the message might be to contact the Symantec Endpoint Protection administrator of your company and ask to whitelist the context executable.


Although not shown in signtool's help text, the /fd option actually takes a hash algorithm name, e.g. /fd SHA256. In your case, "C:\…\context.exe" is indeed not a valid algorithm name.

You may also need some other options:

  • /a to make signtool auto-select a code-signing certificate. (This is assuming you have a code-signing certificate installed in certmgr.msc – if you don't, then you cannot sign things.)

  • /tr http://timestamp.digicert.com /td SHA256 to attach a timestamp that allows the signature to remain valid even after your code-signing certificate expires.

  • /v to make signtool more talkative about what it does.


If you do not have a code-signing certificate, there are 3 ways to obtain one:

  • Valid world-wide: buy one from a certificate authority (check the usual places that sell TLS/HTTPS certificates). You don't need the more expensive "EV Code Signing" variant in this case, just the regular (but still expensive) non-EV one.

  • Valid organization-wide: if the laptop is joined to a company's Active Directory (not Azure AD) domain, and if the company has AD Certificate Services available, try requesting one from there via certmgr.msc → Personal → All Tasks → Request New Certificate. Your admin may need to approve it. (If no templates show up in the list, it means this option is not available.)

  • Valid on the computer only: create a self-signed certificate and install it in the computer's "Trusted Publishers" section (not Trusted Root!). The certreq command is indeed one way to create a self-signed certificate, but that's a separate topic. (This repository has examples.)
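The signtool invocation that the options above add up to, followed by two verification steps, as an added PowerShell example (not code from either answer). It assumes signtool.exe is on PATH (it ships with the Windows SDK), that a code-signing certificate is already installed in the current user's Personal store, and that the binary to sign lives at C:\build\context.exe; the path and the output file names are placeholders.

```powershell
# Added example: sign an executable with signtool, then verify the result two ways.
# Paths are placeholders; adjust them for your build.
$Exe          = 'C:\build\context.exe'           # executable to sign (placeholder)
$TimestampUrl = 'http://timestamp.digicert.com'  # RFC 3161 timestamp server named in the answer

# /a   auto-selects the best code-signing certificate from the current user's store
# /fd  file digest algorithm (the answer's point: this takes an algorithm name, not a path)
# /tr  RFC 3161 timestamp server; /td is the digest algorithm used for the timestamp
# /v   verbose output, useful when the wrong certificate gets picked
& signtool.exe sign /a /fd SHA256 /tr $TimestampUrl /td SHA256 /v $Exe
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# /pa verifies against the default Authenticode policy: the signer's chain must end
# in a root trusted on this machine, so a locally generated certificate fails here
# unless it has been installed as the answer describes.
& signtool.exe verify /pa /v $Exe
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Independent check from PowerShell: Status is 'Valid' only when the signature is
# intact and the chain is trusted on this machine; anything else is a reason to look
# at the certificate before expecting an endpoint product to accept the binary.
$sig = Get-AuthenticodeSignature -FilePath $Exe
[pscustomobject]@{
    Status      = $sig.Status
    Signer      = $sig.SignerCertificate.Subject
    Thumbprint  = $sig.SignerCertificate.Thumbprint
    Timestamper = $sig.TimeStamperCertificate.Subject
} | Format-List

if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)', not 'Valid'; the chain is not trusted here"
}
```

Run it from a developer command prompt or any PowerShell session where signtool.exe resolves. The Timestamper field is empty when /tr was omitted, which is the easiest way to spot a signature that will stop validating once the signing certificate expires.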