Build - Code signing
The Build - Code signing dialog box is one of the pages that appears when you click Advanced... on the Package attributes pane. It allows you to set the options that InstallMate uses when it runs the Microsoft SignTool tool to sign the installation packages for the current package.
Note: The per-configuration code signing settings are only used if you check the Use configuration-private settings box (see below). If that box is not checked, then InstallMate will use the global Code signing settings if it needs to sign the installation package.
See Digital Signatures for background information about code signing and digital signatures.
Converting SPC/PVK files to PFX
If your code signing certificate consists of separate .spc and .pvk files, you must convert this to a single .pfx file using Microsoft's pvk2pfx.exe tool that is included in the InstallMate 9\Tools folder on your system. The basic syntax is:
pvk2pfx -pvk c:\path\to\private.pvk -spc c:\path\to\certificate.spc -pfx c:\path\to\certificate.pfx
In this command, the -pvk and -spc parameters specify input files, and the -pfx parameter specifies the output file. Consult the Microsoft documentation for pvk2pfx.exe for details of its usage.
Dialog fields and options
This dialog box contains the following fields and options.
|Code signing certificate for installer signing|
Select this option if your code signing certificate is contained in a PFX file, then enter the path to your PFX (Personal Information Exchange) file that contains your code signing certificate, or click the ... (browse) button to open a standard Windows Open dialog to browse for the file. This file contains the credentials (certificate information) that will be included with the signature.
Enter the password for the private key inside the PFX file, if any. This password is stored in encrypted format on the system. You must specify this password if your PFX file is protected by one, or SignTool with fail with exit code 1.
Enter the name of the Cryptographic Service Provider that contains the private key container if the PFX file does not contain the private key.
Enter the name of the private key container within the CSP that contains the private key container if the PFX file does not contain the private key.
Select this option if your code signing certificate is contained in a stored container, including most token-based certificates. Enter the name of your stored certificate, also known as the Subject name. This name is visible in the Windows Certificate Manager.
Select this option if you want to let SignTool choose the best available certificate. The certificate(s) must be stored in the Windows certificate store, as accessible through Windows Certificate Manager.
|Code signing options|
The following options are implicitly added to the SignTool command line:
|Sign with SHA-1||
Sign the installer using Secure Hash Algorithm revision 1, a 160-bit (20-byte) digest algorithm. This was the default and still is the most commonly used algorithm, but is being phased out as of 2016 and replaced by SHA-256.
It is recommended that your installers be signed with both SHA-1 and SHA-256 signatures to ensure backward compatibility, unless you are certain that your installers will only be deployed on Windows 7 or later systems.
Note: If you select the option Add MSI wrapper in the Package settings, then the MSI wrapper will always be signed with a SHA-1 digest if you enable code signing. This is done because the MSI format does not support SHA-256 signatures. For more information, see Concerns with MSIs on the Microsoft web site. The main .exe installer will use all signature(s) that you specify: SHA-1 and/or SHA-256.
Check this box to include a timestamp in the SHA-1 signature; clear it to sign the distribution package without timestamp. In general, it is recommended to include a timestamp in your signature. This allows customers to verify that your certificate was valid at the time of signing, even if it has since expired (Software Publishing Certificates and others have a built-in expiry date).
Enter the fully qualified URL of the timestamping server. This should be a trusted server (usually associated with a Certification Authority) that offers a certified timestamping service. The default value is http://timestamp.verisign.com/scripts/timstamp.dll, the VeriSign Inc. timestamping server.
|Sign with SHA-256||
Sign the installer using Secure Hash Algorithm revision 2, with a 256-bit (32-byte) digest algorithm. As of 2016, this is the recommended signature algorithm, but it is only supported from Windows 7 onwards. For that reason, it is recommended that your installers be signed with both SHA-1 and SHA-256 signatures.
Warning: SHA-2 signatures are not universally supported and your system or your code signing certificate might not support signing with these digests. If you see a diagnostic message BLD:E0039 Code signing failed - SignTool returned nonzero exit code 1 after code signing when you have selected SHA-256, then you may have to upgrade your code signing certificate (or your Windows system, if you are still using a pre-Windows 7 system).
Check this box to include a timestamp in the SHA-256 signature; clear it to sign the distribution package without timestamp. As with the SHA-1 timestamp above, it is recommended that you include a timestamp in your digital signature.
Enter the fully qualified URL of the timestamping server. This should be a trusted RFC-3161 compliant timestamping server (usually associated with a Certification Authority) that offers a certified timestamping service. The default value is http://timestamp.geotrust.com/tsa, the GeoTrust Inc. RFC-3161 timestamping server.
Note 1: SHA-256 timestamping can be very slow at times; it may occasionally take 30-60 seconds. Nevertheless, we recommend that you include the SHA-256 timestamp to ensure that your signature remains valid even after the expiry of your code signing certificate.
Note 2: SHA-256 timestamps require an RFC-3161 compliant timestamping server, which is not the same as the timestamping servers used for SHA-1 (and MD5) signatures.
Enter any custom command line options that your code signing certificate or process requires. These options will be added verbatim to the SignTool command line, except that any symbolic references will be expanded first.
|Show console window||
Check this box to show the console window in which SignTool.exe runs; clear the box to keep that hidden.
Note: The console window must be kept visible if your code signing certificate requires interaction during the code signing process, for example to enter a token-based password as is the case for some types of EV certificates. An invisible console window precludes the display of the password prompt, even if that takes place in a separate popup window.
|Verbose output||Check this box to make SignTool produce more verbose output; clear it for minimal output. The output is briefly visible in the console window (see Show console window) but is also captured in the code signing log file, which you can find in the file PackageName.SignCode.log in your InstallMate project folder.|
|Debug info||Check this box to make SignTool produce debug output; clear it for standard output. The output is briefly visible in the console window (see Show console window) but is also captured in the code signing log file, which you can find in the file PackageName.SignCode.log in your InstallMate project folder.|
|Use configuration-private settings||Check this box to use code signing settings that are specific to the current package; clear the box to use the global settings.|
|Edit global settings||Click this button to open the Preferences - Code signing dialog box that allows you to edit the global code signing settings.|