Application Behavior - Code Signing (Digital Signatures)
When you digitally sign a publication or ebook (this is called code signing), you assure end users that the code within the publication they receive has not been tampered with or altered. Digital signing is based on Microsoft Authenticode® technology, which enables end users and the operating system to verify that program code comes from the rightful owner. With HTML Executable, it is easy to sign your compiled publication .exe files because HTML Executable calls the necessary programs itself. If you digitally sign your software, end users are generally presented with a digital certificate when your publication is downloaded from the web to their system:
For signed publications, the publisher's name is displayed. Your end users know that the .exe file is authentic, and has not been tampered with or altered. For unsigned publications, Windows shows the following warning message:
If you would like to digitally sign your publication, enable "Digitally sign my publication" in HTML Executable (Security => Code signing). Then, follow the steps below.
How to obtain a code signing certificate
You have to obtain a valid code signing certificate from a certificate authority (CA), a third party trusted by the industry, akin to a notary who handles electronic IDs. Comodo and Verisign are two examples of CAs.
Code signing steps
You can digitally sign your publication .EXE only if you have received your personal Software Publishing Certificate (SPC) and a private key (PVK) from a Certificate Authority, or a Personal Information Exchange file (PFX). HTML Executable calls an integrated code signing utility (GSignCode.exe, available in the HTML Executable folder). There is no need to install third-party software: GSignCode is shipped with HTML Executable. The result of the signing process is included in the compilation log.
Specify the path to the Personal Information Exchange file you want to use to generate the digital signature for your package. This file type is given the .pfx extension. To create a PFX file from a CER (or SPC) and PVK file, you need to use the pvk2pfx tool shipped in the Windows SDK; more information at http://msdn.microsoft.com/en-us/library/ff550672%28v=vs.85%29.aspx.
If the Personal Information Exchange file is protected by a password, specify the password. Passwords are automatically hidden; however, do not leave the password in your project if you plan to share it.
Optionally, a timestamp can be added to the publication file. A timestamp should always be added when signing a file, so that the embedded digital signature remains valid after the signing certificate itself expires. You should have an Internet connection on the system on which you are building the publication. The code signing utility requires an Internet connection in order to timestamp the publication's signature, so check that your firewall does not block the outgoing connection. By default HTML Executable can use this URL (example provided in the SDK): http://timestamp.verisign.com/scripts/timstamp.dll. It is the URL for VeriSign's timestamping service. Please note that "timstamp.dll" does not contain the letter "e". Note: click the button near the field to automatically use this URL. If you do not want to timestamp the .EXE file, you can prevent this by disabling the "Time stamp feature" option in the Environment Options.
This URL is used in your digital certificate to link to a location you would like end users to visit in order to learn more about your product or company. If you do not specify a URL, then HTML Executable will use the default one from the Icon / Version page.
Using SignTool instead of GSignCode
If GSignCode does not work for you, you can use Microsoft Sign Tool (signtool.exe). Choose SignTool as your preferred code signing method in the Environment Options. For further information about SignTool, go to http://msdn2.microsoft.com/en-us/library/8s9b9yaz(VS.80).aspx. When the Windows SDK (2003, Vista or 7) is installed, HTML Executable should automatically find the path to signtool.exe; otherwise, you will need to manually enter the path to signtool.exe in the Environment Options.
Checking the signature
You can check whether the publication was successfully signed by using
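One way to check a built publication from PowerShell, as an added example that is not part of the HTML Executable documentation: it uses the built-in Get-AuthenticodeSignature cmdlet to confirm that the .exe carries a valid signature, names the expected publisher, and was timestamped. The file path and publisher name are assumptions to replace with your own.

```powershell
# Added example: checks a signed publication before it is distributed.
# The file path and publisher name below are hypothetical placeholders.
param(
    [string]$Path = '.\MyPublication.exe',
    [string]$ExpectedPublisher = 'Example Publisher Ltd'
)

function Test-PublicationSignature {
    param([string]$Path, [string]$ExpectedPublisher)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return "File not found: $Path"
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $problems = @()

    # 'Valid' means the file hash matches the signature and the certificate
    # chains to a trusted root; anything else (NotSigned, HashMismatch, ...) fails.
    if ($sig.Status -ne 'Valid') {
        $problems += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }

    # The publisher name shown to end users comes from the signer certificate.
    if ($null -eq $sig.SignerCertificate) {
        $problems += 'No signer certificate is embedded in the file.'
    } else {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $publisher = $sig.SignerCertificate.GetNameInfo($nameType, $false)
        if ($publisher -ne $ExpectedPublisher) {
            $problems += "Signed by '$publisher', expected '$ExpectedPublisher'."
        }
    }

    # Without a timestamp, the signature stops validating once the signing
    # certificate expires, so treat a missing timestamp as a build failure.
    if ($null -eq $sig.TimeStamperCertificate) {
        $problems += 'No timestamp found; was the timestamp server reachable?'
    }
    return $problems
}

$problems = @(Test-PublicationSignature -Path $Path -ExpectedPublisher $ExpectedPublisher)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "OK: '$Path' is signed by '$ExpectedPublisher' and timestamped."
```

The script exits with code 1 on any failed check, so it can run as the last step of a build before the .exe is uploaded.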
This is the online documentation of HTML Executable.