Use signtool.exe to sign your target file. Adjust the command depending on your key source:
Example: Signing with Local PFX File
"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /f "C:\path\to\cert.pfx" /p "<pfx-password>" /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 "C:\path\to\file.exe"
Example: Signing with AWS-integrated key (via middleware)
"C:\...\signtool.exe" sign /kc "<KSP container name>" /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 "C:\file\to\sign.exe"
You may need to configure a Key Storage Provider (KSP) or CNG provider that integrates with AWS KMS or CloudHSM for SignTool to access the key.
