Overview
How can users trust code that is published on the Internet? Two issues that must be addressed are those of ensuring integrity and authenticity. Authenticity assures users that they know where the code came from. Integrity verifies that the code hasn't been tampered with since its publication.
In the Microsoft article titled Introduction to Code Signing, they write:
Microsoft's solution to these issues is Microsoft Authenticode coupled with an infrastructure of trusted entities. Authenticode, which is based on industry standards, allows developers to include information about themselves and their code with their programs through the use of digital signatures.
While Authenticode itself cannot guarantee that signed code is safe to run, Authenticode is the mechanism by which users can be informed of whether the software publisher is participating in the infrastructure of trusted entities. Thus, Authenticode serves the needs of both software publishers and users who rely upon the Internet for the downloading of software.
If you plan to distribute your software over the Internet it's highly recommended that you sign your setups and software. When a customer downloads and runs your software, they will be presented with a security warning dialog asking the user if they really want to run your software as it may pose a security risk. On that dialog, they will see "Unknown Publisher" if it is not signed. On the other hand, if you do sign your code, they will instead see your company name and an optional web link to follow for more information.
Another point of consideration beyond user experience is the fact that more recent versions of Windows have the ability to prevent any unsigned applications from launching with full privileges. This may impact both the installing and application functionality.
In the Microsoft article titled Windows Enforcement of Authenticode Code Signing and Timestamping they state:
Effective January 1, 2016, Windows (version 7 and higher) and Windows Server will no longer trust new code that is signed with a SHA-1 code signing certificate for Mark-of-the-Web related scenarios (e.g. files containing a digital signature) and that has been time-stamped with a value greater than January 1, 2016. This cut-off date applies to the code-signing certificate itself.
This restriction will not apply to the time-stamp certificate used to time-stamp the code-signing certificate or the certificate’s signature hash (thumbprint) until January 1, 2017. After this time, Windows will treat any code with a SHA-1 time-stamp or SHA-1 signature hash (thumbprint) as if the code did not have a time-stamp signature. (The January 1, 2017 timeline may change).
This means that any files signed after Jan 1, 2016 must be signed with a SHA-256 based signature. If you're still using a SHA-1 certificate and haven't gotten a replacement signature yet, you should do so as soon as possible.
SHA-256 signatures are only supported on Windows 7 or later. In order to also support Windows XP SP3 and Windows Vista you need to dual-sign your setups and include a SHA-1 file digest. In Setup Factory this means using the following settings:
"Sign with SHA-256" checked, and providing your SHA-256 certificate, password, and SHA-256 timestamp URL (refer to your certificate provider's documentation for the server URL to use).
"Sign with SHA-1" checked and providing the SHA-1 timestamp URL (refer to your certificate provider's documentation for the server URL to use).
"Use SHA-256 certificate" selected.
Description and Description URL.
In order to support all versions of Windows including those prior to Windows XP SP3 you would need to dual-sign your setups by including a full SHA-1 signature (if one can be obtained). This means using two different certificates (SHA-256 and SHA-1). In Setup Factory this means using the following settings:
"Sign with SHA-256" checked, and providing your SHA-256 certificate, password, and SHA-256 timestamp URL (refer to your certificate provider's documentation for the server URL to use).
"Sign with SHA-1" checked and providing the SHA-1 timestamp URL (refer to your certificate provider's documentation for the server URL to use).
"Use 'legacy' SHA-1 certificate" selected.
Provide your SHA-1 certificate and password.
Description and Description URL.
If you would like to purchase a code signing certificate, they are available from a number of companies such as Verisign, Symantec, Thawte, Comodo etc.
It can take from a few days to a couple weeks for your application to be approved and your certificate issued. Keep in mind that you will likely need to provide supporting documentation to prove you actually are who you say you are. It's not something to be taken lightly and will likely require senior management to be involved.
Further instructions are provided by the certificate issuer.
Now that you have a code signing certificate, you'll need to download some software from Microsoft so you can start using it.
The current tool available from Microsoft to digitally sign files is called "SignTool.exe". This tool is installed in the \Windows Kits\XX\bin\x86 folder (or x64) of the Windows Software Development Kit (SDK). The minimum version you should use that supports dual-signing can be found in the Windows Software Development Kit (SDK) for Windows 8.1, or you can use a later version such as the Windows Software Development Kit (SDK) for Windows 10.
Install the package to your system and locate the tool "signtool.exe" found in the \Windows Kits\XX\bin\x86 folder.
Once the Authenticode file signing tool is installed on your system, you are ready to start signing your setup The following settings will provide compatibility with Windows XP SP3 and later OSs.
Before publishing your final setup, select Publish > Settings from the menu and click on the Code Signing tab.
Check the "Code sign setups" checkbox and browse for "signtool.exe" on your system.
Check "Sign with SHA-256" and browse for your SHA-256 certificate, enter your certificate password (if it's password protected), and enter the "SHA-256 timestamp URL" provided to you by your certificate issuer (refer to your certificate provider's documentation for the server URL to use).
Check "Sign with SHA-1" and enter the "SHA-1 timestamp URL" provided by your certificate issuer (refer to your certificate provider's documentation for the server URL to use).
Select the "Use SHA-256 certificate" radio button.
Enter your "Description" and "Description URL".
Save the changes and then publish your final setup by selecting Publish > Build.
Tip: See the Code Signing Defaults section of the Preferences (Edit > Preferences, Code Signing page) for configuring defaults to use for code signing your setups every time you start a new project.
To verify that everything went according to plan and view your signature, SignTool.exe contains the verify command that determines whether the signing certificate was issued by a trusted authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate is valid for a specific policy. Simply run SignTool.exe and pass it the option verify followed by the full path to the setup file.
Alternatively, you could simply upload the setup to a web site and then download and run it from a computer. You'll see the same information.
There are many good resources on the Internet for finding out more about code signing, Authenticode, Windows XP/Vista or later, Security and related issues. Here are a few places to start.
Windows Enforcement of Authenticode Code Signing and Timestamping
Certify your Software Integrity with Thawte Code Signing Certificates
Copyright © 2019 Indigo Rose Software. All rights reserved.