OverviewCode Signing
These settings are the default values that will be used on the Code Signing tab of the Project Settings dialog when new projects are started.
The settings below allow you to sign or dual-sign the application during the build process using SHA-1 and/or SHA-256. When both Sign with SHA-256 and Sign with SHA-1 are selected, AutoPlay Media Studio will run the specified signing tool twice, first signing with SHA-1 and then a second time to append your SHA-256 signature. To support the widest variety of OS's, we recommend dual-signing your applications.
As of January 1, 2016 Windows 7 and higher will no longer trust new code that is signed with a SHA-1 certificate. All files should be signed with a SHA-256 certificate. To be compatible with Windows XP SP3 and Windows Vista you must dual-sign your applications by also enabling the Sign with SHA-1 option. To be compatible with OS's prior to Windows XP SP3 that don't support SHA-256 signatures, you may dual-sign using two different certificates (SHA-256 and a full SHA-1 certificate - if one can be obtained). See Windows Enforcement of Authenticode Code Signing and Timestamping, and Authenticode Code Signing for more information.
Note: The minimum
requirements for signing with SHA-256 using SignTool is Windows 7 SP1,
and SignTool version 6.1.7600.16385 or higher, which comes with the Windows
7.1 SDK. As a result AutoPlay Media Studio's design environment must be
run on Windows 7 SP1 or higher to perform SHA-256 signing using SignTool.
Dual-signing using SignTool is only supported in version 6.3 or higher
of SignTool.exe which comes with the Windows 8.1 SDK. We recommend using
the version found in either the Windows Software Development
Kit (SDK) for Windows 8.1, or the Windows Software
Development Kit (SDK) for Windows 10 in AutoPlay for full functionality.
See Authenticode Code Signing for more information on code signing.
Tip: If you're using a different code signing tool that contains different options, or you require further control, you may leave the settings fields blank (except for the tool), and instead specify the options in the Additional arguments field. If "SignTool.exe" is detected as the tool, AutoPlay Media Studio will automatically passes the "sign" command. If you're not using SignTool and require a different command, add it as the first value in the Additional arguments field.
Code sign all new AutoPlay applications during the build process. See Authenticode Code Signing for more information.
The full path and filename of the code signing tool SignTool.exe on your system. You can click the Browse button to select the file. This tool could not be distributed, but is available in the \Windows Kits\XX\bin\x86 folder of the Windows Software Development Kit (SDK). For more information, see MSDN: SignTool (Windows), Windows Software Development Kit (SDK) for Windows 8.1 , Windows Software Development Kit (SDK) for Windows 10.
Tip: If you're using a different code signing tool that contains different options, or you require further control, you may leave the settings fields blank (except for the tool), and instead specify the options in the Additional arguments field. If "SignTool.exe" is detected as the tool, AutoPlay Media Studio will automatically passes the "sign" command. If you're not using SignTool and require a different command, add it as the first value in the Additional arguments field.
Sign the applications using a SHA-256 certificate. As of January 1, 2016 Windows 7 and higher will no longer trust new code that is signed with a SHA-1 certificate. All files should be signed with a SHA-256 certificate. To be compatible with Windows XP SP3 and Windows Vista you must dual-sign your applications by also enabling the Sign with SHA-1 option.
The full path and filename of the SHA-256 certificate to use when signing the application file. This file must be a "Personal Information Exchange" file (*.PFX, *.P12). You can click the Browse button to select the file.
If the SHA-256 certificate is provided, /f
<certificate_path> /fd sha256
will be added to the signing command.
If the SHA-256 certificate is provided and Sign
with SHA-1 is also enabled (dual-signing), /as
will also be added to the signing command.
The password to use for opening your SHA-256 certificate file (*.PFX, *.P12) if it's password protected. You can leave this value blank if your certificate is not password protected.
If this value is provided, /p <password_value> will be added to the signing command.
The URL of a SHA-256 timestamp server such as: http://timestamp.comodoca.com/?td=sha256. Refer to your certificate provider's documentation for the server URL to use.
If this value is provided, /tr <timestamp_url> /td sha256 will be added to the signing command.
This field allows you to enter any additional options you would like to pass to the code signing tool beyond AutoPlay Media Studio's automatic parameters. If you leave any of the SHA-256 related fields blank (except for tool location), you can manually pass their values using this field. The values entered here are appended to the beginning of the parameter list. When "SignTool.exe" is the chosen tool, AutoPlay automatically passes the "sign" command as the first argument.
Sign the application using a SHA-1 based signature or SHA-1 file digest. As of January 1, 2016 Windows 7 and higher will no longer trust new code that is signed with only a SHA-1 certificate. To be compatible with Windows 7 or higher and Windows XP SP3 and Windows Vista you must dual-sign your applications by enabling both SHA-1 and SHA-256 signing. See Authenticode Code Signing for more information.
The URL of a SHA-1 timestamp server such as: http://timestamp.comodoca.com. Refer to your certificate provider's documentation for the server URL to use.
If this value is provided, /t <timestamp_url> will be added to the signing command.
This field allows you to enter any additional options you would like to pass to the code signing tool beyond AutoPlay Media Studio's automatic parameters. If you leave any of the SHA-1 related fields blank (except for tool location), you can manually pass their values using this field. The values entered here are appended to the beginning of the parameter list. When "SignTool.exe" is the chosen tool, AutoPlay automatically passes the "sign" command as the first argument.
Use your provided SHA-256 certificate and password when signing with SHA-1. This option is only available when dual-signing (when Sign with SHA-256 is enabled). When dual-signing, this option also provides compatibility with Windows XP SP3 and Windows Vista by including a SHA-1 file digest.
If the SHA-256 certificate is provided, /f
<certificate_path> will be added to the signing command.
If the SHA-256 password is provided, /p
<password_value> will be added to the signing command.
Use a SHA-1 certificate and password. This option enables you to sign with a full SHA-1 certificate (if one can be obtained), or dual-sign with different certificates (SHA-256 and a full SHA1 signature - if one can be obtained). When dual-signing this option also provides compatibility with versions of Windows prior to Windows XP SP3.
The full path and filename of the SHA-1 certificate to use when signing the application file. This file must be a "Personal Information Exchange" file (*.PFX, *.P12). You can click the Browse button to select the file. This value is only available when Use 'legacy' SHA-1 certificate is selected.
If the SHA-1 certificate is provided, /f <certificate_path> will be added to the signing command.
The password to use for opening your SHA-1 certificate file (*.PFX, *.P12) if it's password protected. You can leave this value blank if your certificate is not password protected. This value is only available when Use 'legacy' SHA-1 certificate is selected.
If this value is provided, /p <password_value> will be added to the signing command.
The description of the signed content.
If this value is provided, /d <description_value> will be added to both signing executions (SHA-1 and SHA-256 signing steps).
A URL that provides further information about the signed content.
If this value is provided, /du <description_url> will be added to both signing executions (SHA-1 and SHA-256 signing steps).