How to sign the executable on Windows

Self-signed certificate


Here is just a quick view. Read the official documentation.


  • Windows 10+

  • Powershell > 5 (ideally 7+)

  • the signtool.exe utility that can be installed along the Windows 10 SDK. Only the Windows SDK Signing Tools for Desktop Apps feature is required.

  1. Create a self-signed certificate:

    New-SelfSignedCertificate -Type Custom -Subject "CN=Oslandia, O=Oslandia, C=FR" -KeyUsage DigitalSignature -FriendlyName "QGIS Deployment Toolbelt" -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("{text}", "{text}")
  2. Save the thumbprint into a variable:

    $thumbprint = (Get-ChildItem Cert:\CurrentUser\My -Recurse | Where-Object { $_.FriendlyName -like "QGIS Deployment*" }).Thumbprint
  3. Create a password to encrypt the certificate:

    $pass = Read-Host "Enter Password" -AsSecureString
  4. Export it with a password:

    Export-PfxCertificate -cert "Cert:\CurrentUser\My\$thumbprint" -FilePath ssc_oslandia_qdeploymenttoolbelt.pfx -Password $pass
  5. Sign it:


    Adapt the path to signtool.exe to your system (arch and SDK version) and the path to the executable.

    Try it with automatic mode:

    & 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe' sign /a /fd SHA256 /td SHA256 /tr .\dist\QGISDeploymentToolbelt_0-1-0_Windows64bit_Python3-8.exe

    You should see a message like:

    Done Adding Additional Store
    Successfully signed: .\dist\QGISDeploymentToolbelt_0-1-0_Windows64bit_Python3-8.exe

    If you see an error, you can try again specifying the certificate to use and the password:

    & 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe' sign /a /fd SHA256 /f ssc_oslandia_qdeploymenttoolbelt.pfx /P $pass /td SHA256 /tr  

Opening the properties of the executable, the related tab should look like this:

QGIS Deployment Toolbelt - Properties security