# Code Signing

Code signing ensures that scripts and executables have not been tampered with and originate from a trusted source (Internal Developer).

## Supported Formats

- **Microsoft Authenticode** (Executables, PowerShell scripts)
- **Java Archive** (JAR files)

## Signing with SignTool (Windows)

1. **Install SignTool**: Included in the Windows SDK.
2. **Download PFX**: Get your Code Signing certificate in `.pfx` format.
3. **Run Command**:

   ```powershell
   signtool sign /f "MyCert.pfx" /p "password" /tr http://timestamp.digicert.com /td sha256 /fd sha256 .\MyApp.exe
   ```

   - `/tr`: Timestamp Server (Recommended so the signature is valid even after cert expiry).
   - `/fd`: File Digest algorithm (Use SHA256).

## Verifying Signature

Right-click the `.exe` file -> **Properties** -> **Digital Signatures** tab. You should see "TrustLab Internal CA" in the certificate path.
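
The same check can be scripted, for example as a gate in a build pipeline. The PowerShell below is an added example, not part of the original page or of TrustLab's tooling; the function name `Test-InternalSignature` is hypothetical, and it assumes the issuing CA's subject contains the string "TrustLab Internal CA" shown in the certificate path.

```powershell
# Added example: scripted equivalent of the Digital Signatures tab check.
# Test-InternalSignature is a hypothetical helper name, not a built-in cmdlet.
function Test-InternalSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: the CA subject contains the name shown on the page.
        [string]$ExpectedCa = 'TrustLab Internal CA'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $problems = @()

    # Status is 'Valid' only if the file hash matches and the chain is trusted.
    if ($sig.Status -ne 'Valid') {
        $problems += "Signature status is $($sig.Status): $($sig.StatusMessage)"
    }

    # Without a timestamp (/tr), the signature stops validating at cert expiry.
    if (-not $sig.TimeStamperCertificate) {
        $problems += 'No timestamp countersignature found'
    }

    # Walk the certificate path and look for the expected issuing CA.
    $chainSubjects = @()
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($sig.SignerCertificate)
        $chainSubjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
    if (-not ($chainSubjects | Where-Object { $_ -like "*$ExpectedCa*" })) {
        $problems += "'$ExpectedCa' not found in certificate path"
    }

    [pscustomobject]@{
        Path     = $Path
        Signer   = $sig.SignerCertificate.Subject
        Chain    = $chainSubjects
        Trusted  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Example call against the file signed in the SignTool step.
Test-InternalSignature -Path .\MyApp.exe | Format-List
```

`Trusted` is `True` only when the signature validates, a timestamp is present, and the expected CA appears in the chain; otherwise `Problems` lists what failed.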