Signing your executables with SignTool

SignTool is a part of the Windows 10 SDK that you can download from Microsoft or through Visual Studio setup, but the entire SDK is 2GB+. I've extracted the SignTool installer from the latest SDK (10.0.17763.0) together with its .cab dependencies to install ONLY SignTool. You can download it here.

A sample script for simple signing
(TIP: Shift+Right-click will provide you a "copy as path" option in explorer for each file you want to sign.)

@ECHO OFF
MODE CON CODEPAGE SELECT=1252 >nul 2>&1
COLOR 1F 

set SignCertFile="C:\path\to\certfile.pfx"
set TimestampURL=http://timestamp.comodoca.com/authenticode
set SignCertFilePass="mypass"

:MainLoop
set /p "url=Paste full path to file to be signed: "
echo.

cd "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64"
signtool sign /f %SignCertFile% /p %SignCertFilePass% /v /t %TimestampURL% %url%

echo.
echo Done...
echo.
pause
cls
goto MainLoop

A reasonable certificate can be purchased at e.g. ksoftware. After purchase you'll receive a mail from Comodo either requiring more information to verify your identity and/or just a callback phone request if they're able to do the background check without it.

When ready they'll send an e-mail with a link that must be shown in IE or Firefox as Chrome, Edge and Safari is not currently supported. From that link you'll accept and import the certificate to your browser and export it from there. Choosing to also export private key and password protect it so it can be easily imported to another computer if needed, to be able to sign files from there as well.