This is something I’ve stumbled over several times now, and Microsoft’s documentation discusses it only as if the sole option were to import the certificate into your own store, i.e. within your user account. Now, I was going to have a designated signing machine with some other precautions in place, but users allowed onto that machine would also be allowed to sign code. So how do I import the certificate so it can be used for code signing regardless of the user account? The solution is remarkably trivial:
certutil -importPFX your.pfx
instead of the canonical
certutil -user -importPFX your.pfx
that Microsoft mentions all over its documentation. After that, you should be able to tell signtool
signtool sign ... /sm ... file
to pick a valid code-signing certificate from the machine store (/sm) with the latest expiry date. If you prefer to control which particular certificate gets picked, pass its hash or other identifying traits so that signtool selects exactly the one you intend.
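As an added example (my own script, not part of the original post), here is the whole procedure in PowerShell: import the PFX into the machine store as described above, confirm that a code-signing certificate with a private key actually landed in LocalMachine\My, and then sign while pinning the certificate by thumbprint instead of letting signtool choose. The PFX path, subject name, timestamp URL and target file are placeholders.

```powershell
# Added example, not code from the original post. Placeholders below must be
# adjusted for your environment; run from an elevated prompt.
$PfxPath      = 'C:\signing\your.pfx'             # placeholder: PFX to import
$Subject      = 'CN=Example Signer'               # placeholder: subject of the signing cert
$TimestampUrl = 'http://timestamp.example/tsa'    # placeholder: RFC 3161 timestamp server
$Target       = 'C:\build\app.exe'                # placeholder: file to sign

# 1. Import into the *machine* store (no -user), exactly as in the post.
#    The NoExport modifier marks the private key non-exportable, so nobody who
#    can log on to the signing machine can pull it back out as a PFX.
#    certutil prompts for the PFX password.
certutil -importPFX $PfxPath NoExport
if ($LASTEXITCODE -ne 0) { throw "certutil import failed (exit code $LASTEXITCODE)" }

# 2. Check that the certificate is now in LocalMachine\My, has a private key,
#    and carries the Code Signing EKU (1.3.6.1.5.5.7.3.3). Among matches, take
#    the one expiring last, which is the selection the post describes.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -eq $Subject -and $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.5.5.7.3.3')
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No code-signing certificate for $Subject in LocalMachine\My" }
"Using $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# 3. Sign from the machine store (/sm) and pin the certificate with /sha1 so a
#    second certificate in the store can never be picked up silently.
signtool sign /sm /sha1 $cert.Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 $Target
if ($LASTEXITCODE -ne 0) { throw "signtool failed (exit code $LASTEXITCODE)" }

# 4. Verify the result independently of signtool and confirm the signer is the
#    certificate we selected, not merely some valid certificate.
$sig = Get-AuthenticodeSignature $Target
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Signature check failed: status $($sig.Status)"
}
"Signed and verified: $Target"
```

Step 2 is the part worth keeping around on a shared signing machine: it tells you which certificate will be used before anything is signed, and pinning that thumbprint in step 3 means adding a second certificate to the machine store later cannot change what gets used without someone noticing.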