My client has a streamlined automated 'dev ops' kind build and post build process. My objective is to keep builds clean, and don't sign files a second time because not only the date is changed, but the is binary different after that. One may ask: Why this is important? I just sign the files (again) which shall be signed and it works. (For verbose out put, add a '/v' after '/pa'.) If %ERRORLEVEL% GEQ 1 echo This file is not signed. with the simple line: signtool verify /pa myfile.exe Yes, with the well known signtool.exe you can also find out, if a file is signed.
The important missing part of the answer mentioning signtool is:
