You must have the hardware token that Sectigo (formerly Comodo) ships you, as well as the SafeNet Authentication client software installed. Refer to your order instructions for the SafeNet download and the token password - both will arrive via email from Sectigo.

Please note that kSign does not currently support EV code signing certificates. 

Using signtool.exe (included in any Windows SDK, though the 6.1 or greater version is required for EV), plug your token in and issue a signtool.exe command line like this : 

signtool.exe sign /tr http://timestamp.comodoca.com /td sha256 /fd sha256 /a C:\path\to\program.exe

Type your token password into the SafeNet authentication client and the signing process should begin immediately. Check the command line for any status messages. 

That's it! 

If you need to sign kernel mode drivers with your EV certificate, please see Sectigo's instructions at this link : https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000zFK6