When you digitally sign a package, you ensure end users that the code within this package they are to receive has not been tampered with or altered. Digital signing is based on Microsoft Authenticode® technology. This enables end users and the operating system to verify that program code comes from the rightful owner. With Paquet Builder, it is easy to sign your packages as Paquet Builder calls the necessary programs itself.
If you digitally sign your software, end users are generally presented with a digital certificate when your package is downloaded to their system:
You can also check the authenticity of a Self-Extracting package using Windows Explorer: select the executable file, then right click to get the context menu and finally click on Properties. The different file properties tabs are shown: select the "Digital Signature" tab to see whether the package is successfully recognized or was altered since its signing.
| You can read this article explaining you most everything you need to know about code signing with Authenticode: |
Digitally sign my package
If you would like to digitally sign your package, enable this option. Then, enter information provided for you by a Certificate Authority (CA). A CA is a third party trusted by the industry, akin to a notary who handles electronic IDs. More information: http://en.wikipedia.org/wiki/Certificate_authority
You may digitally sign your package if you have received your Software Publishing Certificate (SPC) and a private key (PVK) from a Certificate Authority; or a Personal Information Exchange file (PFX).
How to set up signcode.exe or signtool.exe
Two third-party tools can be used by Paquet Builder to sign your package: SignTool (signtool.exe) or SignCode (signcode.exe). For further information about SignTool, go to http://msdn2.microsoft.com/en-us/library/8s9b9yaz(VS.80).aspx
 Important: either signtool.exe or signcode.exe is required in order to sign your packages; however they are not shipped with Paquet Builder. You will find them in the Windows SDK package; you can freely download this package from Microsoft; go to this address for the latest download URLs available: http://en.wikipedia.org/wiki/Microsoft_Windows_SDK |
When the Windows SDK (2003 or Vista) is installed, Paquet Builder should automatically find the path to signtool.exe; otherwise, you will need to manually enter the path to signtool.exe or signcode.exe in the Environment Options.
Warning: as SignCode is deprecated, Paquet Builder is now by default working with SignTool. If you still want to use the old program signcode.exe, be sure to enable the "Use old signcode.exe" option in the Environment Options, as the two programs do not work with the same command line parameters.
Using SignTool
The program SignTool is automatically called by Paquet Builder when finalizing the package's executable file. The result of the signing process is included in the compilation log.
Personal Information Exchange file (PFX)
Specify the path to the Personal Information Exchange file you want to use to generate the digital signature for your package. This file type is given the .pfx extension.
To create a PFX file from a CER (or SPC) and PVK file, you need to use the pvk2pfx tool shipped in the Windows SDK (see above); more information at http://msdn2.microsoft.com/en-us/library/aa906332.aspx.
The PFX file combines your public and private keys into a single file. Example: pvk2pfx.exe -pvk MyPrivateKey.pvk -spc MyPublicKey.cer -pfx MyPFX.pfx -po your_password
If the Personal Information Exchange file is protected by a password, you can specify the password. Otherwise you can be prompted. Useful if you automated Paquet Builder in a daily build process. Passwords are automatically hidden.
Using SignCode
The program SignCode is automatically called by Paquet Builder when finalizing the package's executable file. Microsoft does not support this program anymore as it was superseded by SignTool.
During the signing process, signcode.exe may display the Enter Private Key Password dialog box. This dialog box is required if you are digitally signing your package and your digital certificate requires a password. The only way to suppress this dialog is to request a new certificate that does not require a password from the CA, OR you can use SignTool as explained above.
Specify the path to the Software Publishing Certificate file you want to use to generate the digital signature for your package. This file type is given the .spc extension.
A private key is also granted by a Certificate Authority. You may use the Browse button to navigate to the location of the Private Key file provided by a CA or enter the path to the file. Private key files are given the .pvk extension.
Other Options
Optionally, a timestamp can be added to the package file. A timestamp should always be added when signing a file, thus the embedded digital signature will never expire. In this case you should have an Internet connection on the system in which you are building the package (SignTool or SignCode needs to open an Internet connection in order to timestamp the package's signature).
By default Paquet Builder can use this URL (example provided in the SDK): http://timestamp.verisign.com/scripts/timstamp.dll. It is the URL for VeriSign's timestamping service. Please note that "timstamp.dll" does not contain the letter "e". Click on the button near the field to automatically use this URL.
Paquet Builder will normally let SignTool/SignCode timestamp the package file. You can prevent this by disabling the "Time stamp feature" option in the Environment Options.
This URL is used in your digital certificate to link to a location you would like end users to visit in order to learn more about your product or company. If you do not specify a URL, then Paquet Builder will use the default one from the Basic Information page.
You can check whether the package was successfully signed by going to the After Build page and selecting "Check digital signature". Paquet Builder uses SignTool or chktrust.exe if available.
Digital signing is not compatible with the "Enable package size check" option in the Protect package page. If you use a digital signature, the size check will be automatically ignored by Paquet Builder.