Code Signing (Digital Signatures)

When you digitally sign a publication or ebook (this is called code signing), you ensure end users that the code within this publication they are to receive has not been tampered with or altered. Digital signing is based on Microsoft Authenticode® technology. This enables end users and the operating system to verify that program code comes from the rightful owner. With HTML Executable, it is easy to sign your compiled publication .exe files as HTML Executable calls the necessary programs itself.

If you digitally sign your software, end users are generally presented with a digital certificate when your publication is downloaded from the web to their system:

For signed publications, the publisher’s name is displayed. Your end users know that the .exe file is authentic, and has not been tampered with or altered.

For unsigned publications, Windows shows the following warning message:

If you would like to digitally sign your publication, enable “Digitally sign my publication” in HTML Executable (Security => Code signing). Then, follow the steps below.

How to obtain a code signing certificate

You have to obtain a valid code signing certificate from a certificate authority (CA), a third party trusted by the industry, akin to a notary who handles electronic IDs. Comodo and Verisign are two examples of CA.

Code signing steps

You can digitally sign your publication .EXE only if you have received your personal Software Publishing Certificate (SPC) and a private key (PVK) from a Certificate Authority; or a Personal Information Exchange file (PFX).

HTML Executable calls an integrated code signing utility (GSignCode.exe available in the HTML Executable’s folder). No need to install third-party software: GSignCode is shipped with HTML Executable. The result of the signing process is included in the compilation log.

Certificate Location

In order to sign the package .EXE file, HTML Executable requires the location to your code signing certificate. It can be stored in an external file (.PFX) or in the Windows Certificate Store (Local Computer, Personal section). You must select the certificate’s location, and provide either the path to the PFX file, the certificate’s subject name, or the certificate’s thumbprint.

Personal Information Exchange file (PFX)

Specify the path to the Personal Information Exchange file you want to use to generate the digital signature for your publication. This file type is given the .pfx extension.

To create a PFX file from a CER (or SPC) and PVK file, you need to use the pvk2pfx tool shipped in the Windows SDK. The PFX file combines your public and private keys into a single file. Example: pvk2pfx.exe -pvk MyPrivateKey.pvk -spc MyPublicKey.cer -pfx MyPFX.pfx -po your_password

Associated Password

If the Personal Information Exchange file is protected by a password, specify the password. Passwords are automatically hidden, however do not leave the password in your project if you plan to share the latter.

Certificate Subject Name

If your code signing certificate is available in the Windows Certificate Store, HTML Executable can use it if you give the correct subject name. There should be only one certificate with that subject name in the store, otherwise an error will be raised.

Copyright G.D.G. Software 2019. All rights reserved