HTML Executable Help

Code Signing (Digital Signatures)

Digitally signing your compiled publication or ebook .EXE file assures end users that the code has not been tampered with or altered since its release. Based on Microsoft Authenticode® technology, digital signing verifies the source of the code and its integrity. With HTML Executable, signing your .EXE files is straightforward, as it includes the necessary tools and supports modern signing methods like Azure Trusted Signing.

Benefits of Code Signing

For signed applications: end users see a certificate indicating the software's origin and authenticity, which reduces security warnings and builds trust.

For unsigned applications: Windows often displays a warning (such as the SmartScreen filter), which may discourage users from proceeding.

To enable digital signing in HTML Executable, go to Security => Code Signing, activate the "Digitally sign my publication" option, and choose your signing method.

Learn more about code signing with Authenticode in this Introduction to Code Signing.

Windows cannot sign EXE files larger than 2 GB. If your publication EXE exceeds this limit, consider options to reduce its size or use alternative distribution methods. See Output Format for more details.

How to Obtain a Code Signing Certificate

To sign your application, you need a valid code signing certificate from a trusted Certificate Authority (CA) such as Sectigo or DigiCert. CAs offer different types of certificates, but only code signing certificates are compatible with Authenticode.

Traditionally, obtaining these certificates could be expensive. However, a more cost-effective solution is now available:

💡 Azure Trusted Signing: Provided by Microsoft, Azure Trusted Signing offers several advantages, including potentially lower costs and no need for USB tokens for key storage. HTML Executable fully supports signing applications with Azure Trusted Signing.

Choose the signing method in HTML Executable:

PFX File

Certificate Subject Name (from local Certificate Store)

Certificate Thumbprint (from local Certificate Store)

SignTool Commands (for advanced scenarios such as cloud signing)

Azure Trusted Signing (cloud-based signing)

Token-Based Certificates and Hardware Security Modules (HSMs)

As of June 1, 2023, industry standards require that code signing certificate private keys be stored on a hardware security module (HSM) or a token that meets FIPS 140-2 Level 2 (or Common Criteria EAL 4+) or an equivalent standard. This change aims to prevent misuse of stolen keys. The traditional PFX format for distributing private keys is being phased out for newly-issued public certificates.

HTML Executable supports signing with token-based certificates (when using PFX or Certificate Store options, if your token makes the certificate available this way). Ensure your token is connected during the signing process.

Steps to Sign Your Publication with a Code Signing Certificate (PFX / Store)

HTML Executable includes GSignCode, an integrated utility for signing publications. No third-party software installation is required for this method (unless your certificate provider requires specific drivers for a hardware token).

Configuring the Certificate

1) Using a PFX File: Select "PFX File" from the dropdown. Specify the path to your `.pfx` file and its associated password (if protected).

2) Using the Windows Certificate Store: Select "Certificate Subject Name" or "Certificate Thumbprint". Provide the respective identifier. HTML Executable will search for the certificate in the Current User or Local Computer store.

3) Token-Based Certificates: If your certificate is on a hardware token, ensure it's connected. If it's accessible via the Windows Certificate Store, use that option. GSignCode automatically adapts to the token's capabilities.

Using SignTool Commands

For advanced scenarios, you can instruct HTML Executable to use Microsoft's SignTool.exe.

Select SignTool Commands from the dropdown list.

You need to provide the command(s) that SignTool should execute. You can use placeholders:

{$OUTPUTFILE$}: Represents the full path to the executable file(s) to be signed.

{$OUTPUTFOLDER$}: Represents the path to the output directory.

Example command:

sign /a /fd SHA256 /tr "http://timestamp.digicert.com" /td SHA256 "{$OUTPUTFILE$}"

The path to SignTool.exe must be configured in Environment Options.
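As an added example (PowerShell written for this page, not HTML Executable's own code), the script below does what the SignTool Commands option does: it substitutes the placeholders in the command template, runs SignTool, and then checks the signature that was produced. The SignTool path and the output file path are assumed placeholders; the command template is the example command from above.

```powershell
# Added example, not HTML Executable's own code.
# Placeholders (assumed): the SignTool location and the compiled publication path.
$SignTool   = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe'
$OutputFile = 'C:\Publications\MyEbook.exe'

# The template exactly as entered in HTML Executable. Single quotes keep PowerShell
# from treating $OUTPUTFILE$ as a variable.
$Template = 'sign /a /fd SHA256 /tr "http://timestamp.digicert.com" /td SHA256 "{$OUTPUTFILE$}"'

# Same substitution the compiler performs before it calls SignTool:
# {$OUTPUTFILE$} -> full path of the EXE, {$OUTPUTFOLDER$} -> its directory.
function Expand-SignToolTemplate {
    param([string]$Template, [string]$OutputFile)
    $expanded = $Template.Replace('{$OUTPUTFILE$}', $OutputFile)
    $expanded.Replace('{$OUTPUTFOLDER$}', (Split-Path -Parent $OutputFile))
}

$Arguments = Expand-SignToolTemplate -Template $Template -OutputFile $OutputFile
Write-Host "signtool $Arguments"
$proc = Start-Process -FilePath $SignTool -ArgumentList $Arguments -NoNewWindow -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "SignTool exited with code $($proc.ExitCode); check the compilation log"
}

# Verification. Status must be Valid (chain to a trusted root, file unmodified) and a
# timestamp countersignature must be present, otherwise the signature stops validating
# as soon as the certificate expires.
$sig = Get-AuthenticodeSignature -FilePath $OutputFile
if ($sig.Status -ne 'Valid') {
    throw "Signature status: $($sig.Status) ($($sig.StatusMessage))"
}
if ($null -eq $sig.TimeStamperCertificate) {
    Write-Warning 'Signature is not timestamped; it will expire with the certificate'
}
"Signer:    $($sig.SignerCertificate.Subject)"
"Timestamp: $($sig.TimeStamperCertificate.Subject)"

# signtool verify /pa applies the default Authenticode policy and also prints the
# file digest algorithm, which confirms that /fd SHA256 took effect.
& $SignTool verify /pa /v $OutputFile
```

The `/a` switch lets SignTool pick the best available certificate from the store; when several code signing certificates are installed, replace it with `/sha1 <thumbprint>` (or `/f <file.pfx> /p <password>`) so the build cannot silently sign with the wrong one.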

Using Azure Trusted Signing

HTML Executable seamlessly integrates with Azure Trusted Signing.

Select Azure Trusted Signing from the dropdown list.

You will need to provide:

Trusted Signing Account Endpoint: e.g., `https://eus.codesigning.azure.net` (choose your region).

Trusted Signing Account Name: Your Azure account name for trusted signing.

Certificate Profile Name: The name of your signing certificate profile in Azure.

Before using Azure Trusted Signing, ensure you have installed Microsoft Azure CLI and the Trusted Signing Client Tools. You must also be logged in via `az login`. The path to `Azure.CodeSigning.Dlib.dll` and `SignTool.exe` must be configured in Environment Options.
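The three values above end up in a metadata file that SignTool reads through `Azure.CodeSigning.Dlib.dll`. As an added example (not HTML Executable's own code), this PowerShell script performs that SignTool call directly, which is useful for checking the Azure CLI login, the DLL path and the account settings outside the compiler. The account name, profile name and tool paths are assumed placeholders; the endpoint is the East US one quoted above.

```powershell
# Added example, not HTML Executable's own code. Placeholders (assumed): account name,
# certificate profile name, and the paths to Azure.CodeSigning.Dlib.dll and SignTool.exe.
$Endpoint    = 'https://eus.codesigning.azure.net'      # region endpoint from the page
$AccountName = 'MyTrustedSigningAccount'                 # placeholder
$ProfileName = 'MyPublicTrustProfile'                    # placeholder
$DlibPath    = 'C:\Tools\Microsoft.Trusted.Signing.Client\bin\x64\Azure.CodeSigning.Dlib.dll'
$SignTool    = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe'
$OutputFile  = 'C:\Publications\MyEbook.exe'

# 1. The dlib authenticates with the Azure CLI credentials, so an expired or missing
#    "az login" session is the first thing to rule out when signing fails.
az account show --output none 2>$null
if ($LASTEXITCODE -ne 0) { throw 'No Azure CLI session: run "az login" first' }

# 2. Metadata file consumed by /dmdf: endpoint, signing account and certificate profile.
$Metadata = @{
    Endpoint               = $Endpoint
    CodeSigningAccountName = $AccountName
    CertificateProfileName = $ProfileName
}
$MetadataPath = Join-Path $env:TEMP 'trusted-signing-metadata.json'
$Metadata | ConvertTo-Json | Set-Content -Path $MetadataPath -Encoding ascii

# 3. Sign. /dlib loads the Trusted Signing provider, /dmdf hands it the metadata.
#    Trusted Signing certificates are short-lived, so the RFC 3161 timestamp (/tr)
#    is what keeps the signature valid after the certificate itself expires.
& $SignTool sign /v /fd SHA256 /tr 'http://timestamp.acs.microsoft.com' /td SHA256 `
    /dlib $DlibPath /dmdf $MetadataPath $OutputFile
if ($LASTEXITCODE -ne 0) { throw "SignTool exited with code $LASTEXITCODE" }

# 4. Verify with the default Authenticode policy; the output should show the
#    timestamp and a chain ending in the Microsoft Identity Verification root.
& $SignTool verify /pa /v $OutputFile
```

If step 4 reports the chain as untrusted on an older machine, the Microsoft Identity Verification Root Certificate Authority 2020 is missing from that machine's root store; Windows delivers it through the automatic root update, which offline systems do not receive.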

Digest Algorithms

HTML Executable supports modern digest algorithms:

1) SHA-256: The default and recommended standard for security.

2) Dual Code Signing (SHA1-SHA256): This option combines SHA-256 and SHA-1 signatures to support older systems like Windows 7 or Vista, which may not fully support SHA-256 alone. When this is selected for GSignCode, it attempts to dual sign. On Windows 7, if dual signing is not explicitly chosen or possible, only SHA-256 is typically used by default for new signatures.

You can select the preferred digest algorithm from the dropdown list when using PFX/Store signing. For SignTool and Azure, the digest algorithm is usually specified in the command itself or handled automatically by the service.

Publication Information URL

Include a URL in your digital certificate to direct users to learn more about your product or company. If not specified, HTML Executable uses the default URL from the Icon / Version page.

Digital Signature Timestamp

A timestamp is added to your ebook or publication, ensuring that the embedded digital signature remains valid even after the signing certificate itself expires. Ensure that your system has an Internet connection during the signing process for time-stamping purposes.

Two timestamp servers are used: an Authenticode-compatible server and an RFC-3161-compatible server. You can configure their URLs in the Environment Options.
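The dual signing option from the Digest Algorithms section and the two timestamp server kinds described here go together: each signature is timestamped with the protocol its target systems understand. As an added example (PowerShell written for this page, not GSignCode's or HTML Executable's own code), the script below runs the two SignTool passes that produce a SHA-1 + SHA-256 dual signature and then checks both. The SignTool path, output file and certificate thumbprint are assumed placeholders.

```powershell
# Added example, not GSignCode's or HTML Executable's own code.
# Placeholders (assumed): SignTool path, publication path, certificate thumbprint.
$SignTool   = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe'
$OutputFile = 'C:\Publications\MyEbook.exe'
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # SHA-1 thumbprint of the signing certificate

# Pass 1: SHA-1 file digest written as the primary signature. Systems without
# multi-signature support only evaluate the primary signature, so this is the one
# that Vista and a Windows 7 without the SHA-2 update will see. /t requests a
# legacy Authenticode timestamp, the format those systems understand.
& $SignTool sign /sha1 $Thumbprint /fd SHA1 /t 'http://timestamp.digicert.com' $OutputFile
if ($LASTEXITCODE -ne 0) { throw "SHA-1 pass failed ($LASTEXITCODE)" }

# Pass 2: SHA-256 file digest appended with /as. Without /as SignTool replaces the
# existing signature instead of adding a second one. /tr requests an RFC 3161
# timestamp and /td sets the digest the timestamp server signs.
& $SignTool sign /sha1 $Thumbprint /fd SHA256 /tr 'http://timestamp.digicert.com' /td SHA256 /as $OutputFile
if ($LASTEXITCODE -ne 0) { throw "SHA-256 pass failed ($LASTEXITCODE)" }

# Check every signature: /all walks the whole signature list instead of stopping
# at the primary one, and /v prints the digest and timestamp of each.
& $SignTool verify /pa /all /v $OutputFile

# Get-AuthenticodeSignature only reports the primary signature, so on a dual-signed
# file it shows the SHA-1 one; that is not evidence that the SHA-256 signature is absent.
$sig = Get-AuthenticodeSignature -FilePath $OutputFile
"Primary signature: $($sig.Status); timestamped: $($null -ne $sig.TimeStamperCertificate)"
```

The order of the passes matters: once a SHA-256 signature is the primary one, the legacy systems the option exists for cannot verify the file at all, so the SHA-1 pass always runs first. If none of your users are on those systems, the single SHA-256 signature is the better default, since Microsoft has deprecated SHA-1 for Authenticode.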

Troubleshooting Code Signing

If errors occur during code signing, refer to the compilation log for detailed messages. Ensure that your certificate is accessible and correctly configured, and verify your Internet connection for timestamping. For SignTool or Azure issues, ensure the respective tools are correctly installed and configured as per their documentation.