SignTool Suite - File Signing & Verification for Windows

[BLACKFIRE69]

SignTool Suite v1.0.0
RSA-2048 / SHA-256 File Signing & Verification for Windows
Windows Vista or later · no Certificate Authority needed · by BLACKFIRE69

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ ━━━━━━━━━━━━

▌ OVERVIEW
SignTool Suite is a lightweight signing toolkit for Windows that lets you sign your own files (DLLs, EXEs, data — anything) with an RSA-2048 / SHA-256 signature and verify them on the client side — without buying a commercial code-signing certificate.

You keep a private key on the signer side and distribute an encrypted public key to clients. Tamper with a signed file by a single byte and verification fails. Verification runs from a ready-made tool, or from your own application via a DLL with an Inno Setup installer.

▌ TECHNICAL SPECIFICATIONS

• Version — v1.0.0
• Author — BLACKFIRE69
• Platform — Windows Vista or later
• Crypto — RSA-2048 signing, SHA-256 hashing; .ekey wrapped with AES + HMAC keys derived via PBKDF2-HMAC-SHA256 (100,000 iterations)

Components (signer side / client side):

Code:

╭───────────────┬──────────────┬───────────────────────────────────────────╮
│ Component     │ Type         │ Role                                      │
├───────────────┼──────────────┼───────────────────────────────────────────┤
│ SigCore.dll   │ Signing DLL  │ Key generation, signing, key export       │
│ SigTool.exe   │ Signer CLI   │ Front-end for SigCore (drag-and-drop)     │
│ SigVerify.dll │ Verify DLL   │ Client-side signature verification        │
│ SigCheck.exe  │ Verifier CLI │ Front-end for SigVerify (drag-and-drop)   │
╰───────────────┴──────────────┴───────────────────────────────────────────╯

▌ KEY FEATURES

✦ No Certificate Authority Required
Generate your own RSA-2048 key pair and start signing immediately. No annual CA fees, no enrollment, no expiring certificates.

✦ Tamper Detection
Any modification to a signed file — even one byte — causes verification to return VFY_TAMPERED. Signatures are SHA-256 over the file contents, signed with the private key.

✦ Encrypted Public Key Distribution (.ekey)
The public key is never shipped in the clear. It is wrapped in an .ekey blob — AES + HMAC keys derived from a password via PBKDF2-HMAC-SHA256 at 100,000 iterations.

✦ Two Ways to Verify

• SigCheck.exe — ready-made tool, just drag files onto it
• SigVerify.dll — call from your own application

✦ Drag-and-Drop on Both Sides
Drop files onto SigTool.exe to sign them; drop files onto SigCheck.exe (or Verify.bat) to verify them. Keys auto-generate on first use.

✦ Zero Runtime Dependencies for Verification
SigVerify.dll needs nothing on the client — no OpenSSL, no VC++ runtime, no extra redistributables.

✦ Portable OpenSSL on the Signer Side
Signing uses a portable OpenSSL build (openssl.exe + libssl/libcrypto) kept in an OpenSSL\ subfolder beside SigTool.exe. Nothing is installed system-wide.

✦ CI / Automation Friendly
SigCheck.exe reads the password from the SIGCHECK_PW environment variable and returns meaningful process exit codes, so verification slots straight into build pipelines.

▌ SIGNER WORKFLOW
Code colors: program · command · flag · input path · produced file · env / dest

1 — Generate keys (one time)

Code:

SigTool.exe --init

Creates keys\private.pem and keys\public.pem. Safe to re-run — existing keys are never overwritten.

2 — Sign a file

Code:

SigTool.exe --sign "C:\Release\plugin.dll"

Produces plugin.dll.sig. Or just drag files onto SigTool.exe.

3 — Export the encrypted public key

Code:

SigTool.exe --export-key "C:\Release\public.ekey"

Prompts for a password (not echoed). The .ekey is safe to distribute.

4 — Distribute to clients

• plugin.dll — your payload
• plugin.dll.sig — its signature
• public.ekey — the encrypted public key
• SigVerify.dll — the verification DLL
• the password — send via a secure side-channel

▌ CLIENT VERIFICATION

Ready-made tool

Code:

SigCheck.exe --verify "plugin.dll"
SigCheck.exe --verify "plugin.dll" --key "C:\keys\public.ekey"

Looks for public.ekey beside the EXE (or in dist\), prompts for the password, verifies plugin.dll against plugin.dll.sig. Files can also be dragged onto SigCheck.exe or Verify.bat.

Embedded in your own Inno Setup installer

Code:

ExtractTemporaryFile('SigVerify.dll');
ExtractTemporaryFile('public.ekey');
ExtractTemporaryFile('plugin1.dll');   ExtractTemporaryFile('plugin1.dll.sig');
ExtractTemporaryFile('plugin2.dll');   ExtractTemporaryFile('plugin2.dll.sig');

// Load the public key ONCE, then verify as many files as you like.
InitRet := VFYInitialize(EKeyPath, Password);

if (InitRet = 1)
   and (VFYCheckFile(DLLPath1) = VFY_OK)
   and (VFYCheckFile(DLLPath2) = VFY_OK) then
  { all files authentic - proceed }
else
  { abort };

▌ DISTRIBUTION FILES

Signer side (keep private)

• SigTool.exe — signer front-end (CLI + drag-and-drop)
• SigCore.dll — signing engine (keygen, sign, key export)
• OpenSSL\openssl.exe — portable OpenSSL (+ libssl-3 / libcrypto-3)
• keys\private.pem — NEVER distribute
• keys\public.pem

Client side (distribute)

• SigVerify.dll — verification DLL (Win32)
• SigCheck.exe — ready-made verifier (optional)
• public.ekey — encrypted public key

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ ━━━━━━━━━━━━

Feedback, bug reports, and edge cases are all welcome.