Automating code signing with signtool.exe, but without storing the certificate or password

A solution I've used before is similar to @Mikko's answer, but it's split into two pieces:

  1. A local non-controlled script that just sets an environment variable containing the password. This is the file you give to each developer.

    @echo off
    set SIGNPASS=whatever
    
  2. A source-controlled script that calls the previous script and then does the actual signing.

    @echo off
    setlocal
    call "C:\local\signing_password.bat"
    "C:\toolpath\signtool.exe" sign /f "c:\certpath\cert.p12" /p "%SIGNPASS%" "%1"
    endlocal
    

The setlocal/endlocal pair ensures that the password doesn't leak into the environment if the script is run manually.

The "%1" is the path to the executable passed as a script parameter in the Post Build step.


A different way is to import the certificate into each developer's private certificate store and then use the thumbprint with signtool like this:

signtool ... /sha1 'hex thumbprint' ...

Then you only need the password during the initial import of the certificate and not during builds.
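Putting the two answers above together (a source-controlled post-build script plus a store certificate selected by thumbprint), here is an added PowerShell example that is not from any of the answers. It assumes `signtool.exe` is on `PATH`, the certificate was imported once into `Cert:\CurrentUser\My`, and each developer keeps the thumbprint in an untracked local file (`signing_thumbprint.local`, a name chosen here); no password or `.p12` is touched at build time.

```powershell
# sign-postbuild.ps1 -- added example; file and parameter names are assumptions.
param(
    [Parameter(Mandatory = $true)][string]$Target,   # pass $(TargetPath) from the post-build event
    [string]$ThumbprintFile = (Join-Path $PSScriptRoot 'signing_thumbprint.local'),  # listed in .gitignore
    [string]$TimestampUrl = ''                      # optional RFC 3161 timestamp server
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path $ThumbprintFile)) {
    throw "Thumbprint file '$ThumbprintFile' not found; each developer keeps their own copy outside source control."
}
# Normalise the thumbprint: the certificate viewer inserts spaces/colons, signtool wants bare hex.
$thumb = ((Get-Content $ThumbprintFile -Raw) -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumb.Length -ne 40) { throw "Expected a 40-character SHA-1 thumbprint, got '$thumb'." }

# Fail the build early with a clear reason instead of letting signtool report a generic error.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) { throw "No certificate $thumb in Cert:\CurrentUser\My; import the .p12 once (password needed only then)." }
if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key and cannot sign." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $thumb expired on $($cert.NotAfter)." }

# /sha1 picks the store certificate, /fd sets the file digest algorithm; /tr and /td add a timestamp.
$args = @('sign', '/sha1', $thumb, '/fd', 'SHA256')
if ($TimestampUrl) { $args += @('/tr', $TimestampUrl, '/td', 'sha256') }
& signtool.exe @args $Target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify so that an unsigned binary never leaves the build silently.
& signtool.exe verify /pa $Target
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
Write-Host "Signed $Target with certificate $thumb"
```

The post-build event then becomes something like `powershell -NoProfile -ExecutionPolicy Bypass -File "$(ProjectDir)sign-postbuild.ps1" -Target "$(TargetPath)"`, and the script itself can be committed because it contains no secret.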


You could add a batch file in your Project directory, for example sign.bat.

@echo off
<path>\signtool.exe sign /f cert.p12 /p "password" "compiled.dll"
echo Signed with certificate

Add the file to your .gitignore but do not add it to Visual Studio project.

In your project's properties, call the batch as post-build event.
