How to sign a Windows batch (.bat) file?

I'm running Windows 7 and when I try to run a batch file, it says, "The publisher could not be verified. Are you sure you want to run this software?"

So when I try to sign it with my code signing certificate, it says "SignTool Error: This file format cannot be signed because it is not recognized."

So I'm stuck between a rock and a hard place. Is there a way to eliminate either message?

screenshot


I get a similar message if I run batch files (or other executables) from a network location. If this is the case, you may want to consider moving it to a local drive. Another alternative is to use a separate batch file on the local drive to launch the one on the network. The launching batch file need only have one line in it:

@call \\network\folder\batch.bat

Windows won't balk at the local file, and once that file is running, it can call the network version without issue.


What you are seeing is a general prompt that Windows provides whenever you try to open any type of file that has been downloaded. What happens is that when you download a file, it is tagged with a flag that indicates that it came from the Internet and is thus potentially dangerous. When you try to run such a file, Windows checks to see if it has a valid signature in order to determine if it can be trusted.

What you can do is to strip the flag from the file by using the Unblock button in the file’s properties, after which, Windows will leave you alone whenever you try to run it:

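The "downloaded from the Internet" flag the answer above describes is stored on NTFS as an alternate data stream named Zone.Identifier, and the Unblock button simply deletes that stream. The following PowerShell snippet is an added example, not part of the original answer: it shows how to see whether a batch file carries the flag, what the stream records, and how to clear it from the command line. It assumes PowerShell 3.0 or later (for the -Stream parameters and Unblock-File) and uses a placeholder path.

```powershell
# Added example (not from the original answer): inspect the mark-of-the-web flag
# that Windows keeps in the Zone.Identifier alternate data stream on NTFS, and
# remove it only after looking at where the file came from.
# Assumes PowerShell 3.0+ ; the path below is a placeholder.
$Path = 'C:\Scripts\batch.bat'

# List every data stream on the file. A blocked file shows 'Zone.Identifier'
# next to the main ':$DATA' stream; an unblocked one shows only ':$DATA'.
Get-Item -Path $Path -Stream *

# Check for the stream without throwing if it is absent.
$mark = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
if (-not $mark) {
    Write-Output 'No Zone.Identifier stream: the file is not marked as downloaded.'
    return
}

# Read the stream. ZoneId=3 means the Internet zone; newer Windows versions may
# also record ReferrerUrl and HostUrl, which tell you the download origin.
Write-Output 'Mark of the Web present:'
Get-Content -Path $Path -Stream Zone.Identifier

# Clear the flag only for a file you have vetted. This is exactly what the
# Unblock button in the Properties dialog does.
Unblock-File -Path $Path

# Equivalent low-level form, useful where Unblock-File is unavailable:
# Remove-Item -Path $Path -Stream Zone.Identifier
```

Reading the stream before deleting it is worth the extra step: the ZoneId (and, where present, the origin URL) is the only record of where the file came from, and that is the information you want when deciding whether the prompt was warranted.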


The problem is that batch-files are text-files that can be executed. While it is possible to sign a text-file, it will end up appending a bunch of binary data to the file which for a batch-file is bad because it is gibberish and will cause problems when the command-interpreter tries to execute it. Commenting out the signature will not work either because then the signature becomes corrupt.

Therefore, signing a batch file is not going to work.

What you need to do is to figure out why the system is prompting you when trying to run it. By default, Windows does not ask before running batch-files, so you must have either a special policy or a security program blocking it. Check your security program(s) to see if there is a verification setting that you can disable or add an exclusion for.

Also check the batch-file’s contents to see if it is running an executable that is not signed (though again, by default, Windows does not prompt for executables unless it was downloaded or requires elevated privileges, so check your settings).
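To act on the last paragraph's advice, it helps to list the executables a batch file invokes and check whether each one is signed. The PowerShell snippet below is an added example, not part of the original answer: it scans a batch file for .exe references, resolves each one the way cmd.exe would (absolute path, relative to the batch file's folder, then PATH), and reports the Authenticode status. The batch-file path is a placeholder, and the .exe regex is a heuristic that misses programs invoked without an extension.

```powershell
# Added example (not from the original answer): find .exe references in a batch
# file and report their Authenticode signature status.
# Assumes PowerShell 3.0+; the batch-file path is a placeholder.
$BatchFile = 'C:\Scripts\batch.bat'
$batchDir  = Split-Path -Path $BatchFile -Parent

# Collect candidate executable references, skipping REM and :: comment lines.
# Heuristic: quoted or unquoted tokens ending in .exe.
$candidates = Get-Content -Path $BatchFile |
    Where-Object { $_ -notmatch '^\s*(rem\b|::)' } |
    ForEach-Object {
        [regex]::Matches($_, '"([^"]+\.exe)"|(\S+\.exe)', 'IgnoreCase') |
            ForEach-Object {
                if ($_.Groups[1].Success) { $_.Groups[1].Value } else { $_.Groups[2].Value }
            }
    } | Sort-Object -Unique

foreach ($ref in $candidates) {
    # Expand %VAR% references such as %SystemRoot% before resolving.
    $expanded = [Environment]::ExpandEnvironmentVariables($ref)
    $resolved = $null

    if ([IO.Path]::IsPathRooted($expanded)) {
        if (Test-Path -LiteralPath $expanded) { $resolved = $expanded }
    } else {
        # cmd.exe looks in the current directory first; assume the batch file's folder.
        $local = Join-Path -Path $batchDir -ChildPath $expanded
        if (Test-Path -LiteralPath $local) {
            $resolved = $local
        } else {
            # Fall back to a PATH lookup, as cmd.exe would.
            $cmd = Get-Command -Name $expanded -ErrorAction SilentlyContinue
            if ($cmd) { $resolved = $cmd.Path }
        }
    }

    if (-not $resolved) {
        Write-Output ('{0,-12} {1}' -f 'NotFound', $ref)
        continue
    }

    # Status values include Valid, NotSigned, HashMismatch and UnknownError.
    $sig    = Get-AuthenticodeSignature -FilePath $resolved
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
    Write-Output ('{0,-12} {1}  {2}' -f $sig.Status, $resolved, $signer)
}
```

A NotSigned or HashMismatch line points at the program worth investigating; a NotFound line usually means the batch file relies on a working directory or PATH entry that differs from the one you ran the check in.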