Code Signing (Digital Signatures)

When you digitally sign a publication or ebook (this is called code signing), you assure end users that the code they receive has not been tampered with or altered. Digital signing is based on Microsoft Authenticode® technology, which enables end users and the operating system to verify that program code comes from the rightful owner. With HTML Executable, it is easy to sign your compiled publication .exe files because HTML Executable calls the necessary programs itself.

If you digitally sign your software, end users are generally presented with a digital certificate when your publication is downloaded from the web to their system.

For signed publications, the publisher’s name is displayed. Your end users know that the .exe file is authentic, and has not been tampered with or altered.

For unsigned publications, Windows shows a warning message instead.

If you would like to digitally sign your publication, enable “Digitally sign my publication” in HTML Executable (Security => Code signing). Then, follow the steps below.

For an explanation of most of what you need to know about code signing with Authenticode, read this article: Introduction to Code Signing

Current limitations in Windows do not allow signing EXE files larger than 2 GB. If code signing is a requirement for you, and your EXE file is larger than 2 GB, consider keeping files external.

How to obtain a code signing certificate

You have to obtain a valid code signing certificate from a certificate authority (CA), a third party trusted by the industry, akin to a notary who handles electronic IDs. Comodo and Verisign are two examples of CAs.

As an HTML Executable customer, you can purchase a valid code signing certificate at a discounted price from our partner, K Software, a Comodo Strategic Partner. If you are interested in purchasing or renewing a certificate, please go to HTML Executable’s My Account page and choose “Purchase a code signing certificate” to get a coupon code that applies the discount with K Software.

Code signing steps

You can digitally sign your publication .EXE only if you have received either your personal Software Publishing Certificate (SPC) and a private key (PVK) from a Certificate Authority, or a Personal Information Exchange file (PFX).

HTML Executable calls an integrated code signing utility (GSignCode.exe, available in the HTML Executable folder). There is no need to install third-party software: GSignCode is shipped with HTML Executable. The result of the signing process is included in the compilation log.

Certificate Location

To sign the package .EXE file, HTML Executable requires the location of your code signing certificate. It can be stored in an external file (.PFX) or in the Windows Certificate Store (Local Computer, Personal section). You must select the certificate’s location, and provide either the path to the PFX file, the certificate’s subject name, or the certificate’s thumbprint.

Personal Information Exchange file (PFX)

Specify the path to the Personal Information Exchange file you want to use to generate the digital signature for your publication. This file type is given the .pfx extension.

To create a PFX file from a CER (or SPC) and PVK file, you need to use the pvk2pfx tool shipped in the Windows SDK. The PFX file combines your public and private keys into a single file. Example:

pvk2pfx.exe -pvk MyPrivateKey.pvk -spc MyPublicKey.cer -pfx MyPFX.pfx -po your_password

Associated Password

If the Personal Information Exchange file is protected by a password, specify the password. Passwords are automatically hidden; however, do not leave the password in your project if you plan to share the project.

Certificate Subject Name

If your code signing certificate is available in the Windows Certificate Store, HTML Executable can use it if you give the correct subject name. There should be only one certificate with that subject name in the store; otherwise an error will be raised.

HTML Executable will first look for the certificate in the Current User store => Personal substore (this is the default one) and if not found, in the local machine store => Personal substore. If the certificate is somewhere else, please export it as a .PFX file.
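
A pre-flight check for the store lookup described above, as an added example (it is not part of HTML Executable or GSignCode). The subject value is a constructed placeholder, and comparing the name as a substring of the certificate's Subject field is an assumption about how the lookup matches.

```powershell
# Added example: pre-flight check of the certificate store lookup described above.
param([string]$SubjectName = 'Example Publisher Ltd')  # constructed placeholder

$codeSigningOid = '1.3.6.1.5.5.7.3.3'  # OID of the Code Signing enhanced key usage
$now = Get-Date

# Assumption: the name is compared as a substring of the Subject field.
# Escape wildcard characters so the name is matched literally.
$escaped = [System.Management.Automation.WildcardPattern]::Escape($SubjectName)

# Same order as the page: Current User\Personal first, then Local Machine\Personal.
$found = @()
foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    $found = @(Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like "*$escaped*" })
    if ($found.Count -gt 0) {
        Write-Host "Matched in $store"
        break
    }
}

if ($found.Count -eq 0) {
    throw "No certificate with subject '$SubjectName' in either Personal store."
}
if ($found.Count -gt 1) {
    # More than one match is the error case the page warns about.
    $found | Format-Table Subject, Thumbprint, NotAfter | Out-String | Write-Host
    throw "Subject name matches $($found.Count) certificates; use the thumbprint."
}

$cert = $found[0]
$problems = @()
if (-not $cert.HasPrivateKey) {
    $problems += 'no private key is associated with the certificate'
}
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    $problems += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}
# A certificate with no EKU extension at all is also reported here.
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $codeSigningOid) {
    $problems += 'Code Signing enhanced key usage is not listed'
}

if ($problems.Count -gt 0) {
    throw "Certificate $($cert.Thumbprint) is not usable: $($problems -join '; ')"
}
Write-Host "OK: $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)"
```

Run it under the same Windows account that runs HTML Executable, because the Current User store is different for each account.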


Copyright G.D.G. Software 2016. All rights reserved