kSign 3.0 Released!
*** Please Note that as of May 30, 2020, SHA1 signing and timestamping is no longer supported as the SHA1 root certificates have all expired. This does impact compatibility with older versions of Windows XP.
kSign 3.0 is a free code signing utility developed by K Software. We ask that if you use it you get your code signing certificate from us (we have the best prices anyway!).
kSign 3.0 is the first version that supports dual signing. If you don't know what dual signing is or why it might be important, check out the article on the move to SHA256 certificates and signatures.
In order to support dual-signing, kSign 3.0 requires Windows 7 64-bit+. The signatures you create with kSign are backwards compatible with XP and Vista but the signing process itself has to be performed on a new(er) Windows OS. If you need to make single SHA256 signatures on Vista, you can download kSign 2.5 here.
kSign 3.0 no longer contains kSignCMD.exe, the command-line version of kSign. This is largely because Microsoft's own tool, signtool, does everything (and more) kSignCMD did and is just as easy to use. You can download signtool.exe here : http://cdn1.ksoftware.net/signtool_8.1.zip
kSign 3.0 works much the same way as previous versions except that there is a space to configure a second certificate for SHA1 signing as well. You can use your SHA256 certificate in both places for dual signing but the second signature will still be a SHA256 signature but will use a SHA1 file digest and timestamp -- that makes sure that XP SP3 and Vista can read the digital signature properly. If you want a real SHA1 certificate for legacy signing, just email us.
Select your PFX file, set the PFX password if you protected your private key, set the description text and URL (optional), then click SIGN. You can do one file, or 1000 (yes, really, we tested it!). You can now save the settings all to individual project files and re-load with the click of a button too! Click here to download kSign 3.0.
The description and description URL are just that -- a description of the signed content. Most users either leave this information blank, or use their product or trade name in the description and a link to their main website in the URL field. That information is only used in a hand full of places, some versions of Windows will display the description (linked to the URL) in a UAC dialog, and some browsers will show it in their internal dialogs as well.