Build Settings

The settings below allow you to sign or dual-sign the setup and uninstall during the build process using SHA-1 and/or SHA-256. When both Sign with SHA-256 and Sign with SHA-1 are selected, Setup Factory will run the specified signing tool twice, first signing with SHA-1 and then a second time to append your SHA-256 signature. To support the widest variety of operating systems, we recommend dual-signing your setups.

As of January 1, 2016, Windows 7 and higher will no longer trust new code that is signed with a SHA-1 certificate. All files should be signed with a SHA-256 certificate. To be compatible with Windows XP SP3 and Windows Vista, you must dual-sign your setups by also enabling the Sign with SHA-1 option. To be compatible with operating systems prior to Windows XP SP3, which don't support SHA-256 signatures, you may dual-sign using two different certificates (SHA-256 and a full SHA-1 certificate, if one can be obtained). See Windows Enforcement of Authenticode Code Signing and Timestamping, and Authenticode Code Signing for more information.

Note: The minimum requirements for signing with SHA-256 using SignTool are Windows 7 SP1 and SignTool version 6.1.7600.16385 or higher, which comes with the Windows 7.1 SDK. As a result, Setup Factory's design environment must be run on Windows 7 SP1 or higher to perform SHA-256 signing using SignTool.

Dual-signing using SignTool is only supported in version 6.3 or higher of SignTool.exe, which comes with the Windows 8.1 SDK. For full functionality in Setup Factory, we recommend using the version found in either the Windows Software Development Kit (SDK) for Windows 8.1 or the Windows Software Development Kit (SDK) for Windows 10.

See Authenticode Code Signing for more information on code signing.

Tip: See the Code Signing Defaults section of the build preferences (Edit > Preferences, Code Signing) to configure default values when creating new projects.

Tip: If you're using a different code signing tool that contains different options, or you require further control, you may leave the settings fields blank (except for the tool), and instead specify the options in the Additional arguments field. If "SignTool.exe" is detected as the tool, Setup Factory will automatically pass the "sign" command. If you're not using SignTool and require a different command, add it as the first value in the Additional arguments field.

Tip: If you're having trouble with the signing step and want to see the resulting signing commands that are being used, you can find the full command in the setup's build log file.

Build configuration:

The build configuration you want to use when generating your final setup. The drop down contains all of the current build configurations. A build configuration contains all previously saved information on the Setup File, Constants, Code Signing, Resources, and Pre/Post Build tabs. Beyond the information on the build settings dialog, build configurations also include dependency modules, primer files, script files, plugins, serial number lists, file lists, and folder reference lists.

Add

Opens the New Build Configuration dialog where you can create a new build configuration in your project.

Remove

Removes the current build configuration from your project.

Note: There must be at least one build configuration in your project.

Rename

Renames the current build configuration.

Code sign setups

If checked, the setup and uninstall will be code signed during the build process using the settings below. See Authenticode Code Signing for more information.

Settings

SignTool location:

The full path and filename of the code signing tool SignTool.exe on your system. You can click the Browse button to select the file. This tool cannot be distributed, but it is available in the \Windows Kits\XX\bin\x86 folder of the Windows Software Development Kit (SDK). For more information, see MSDN: SignTool (Windows), Windows Software Development Kit (SDK) for Windows 8.1, Windows Software Development Kit (SDK) for Windows 10.

Tip: If you're using a different code signing tool that contains different options, or you require further control, you may leave the settings fields blank (except for the tool), and instead specify the options in the Additional arguments field. If "SignTool.exe" is detected as the tool, Setup Factory will automatically pass the "sign" command. If you're not using SignTool and require a different command, add it as the first value in the Additional arguments field.

Sign with SHA-256

Sign the setup using a SHA-256 certificate. As of January 1, 2016 Windows 7 and higher will no longer trust new code that is signed with a SHA-1 certificate. All files should be signed with a SHA-256 certificate. To be compatible with Windows XP SP3 and Windows Vista you must dual-sign your setups by also enabling the Sign with SHA-1 option.

SHA-256 certificate:

The full path and filename of the SHA-256 certificate to use when signing the setup file. This file must be a "Personal Information Exchange" file (*.PFX, *.P12). You can click the Browse button to select the file.

If the SHA-256 certificate is provided, /f <certificate_path> /fd sha256 will be added to the signing command.
If the SHA-256 certificate is provided and Sign with SHA-1 is also enabled (dual-signing), /as will also be added to the signing command.

Certificate password:

The password to use for opening your SHA-256 certificate file (*.PFX, *.P12) if it's password protected. You can leave this value blank if your certificate is not password protected.

If this value is provided, /p <password_value> will be added to the signing command.

SHA-256 timestamp URL:

The URL of a SHA-256 timestamp server such as: http://timestamp.comodoca.com/?td=sha256. Refer to your certificate provider's documentation for the server URL to use.

If this value is provided, /tr <timestamp_url> /td sha256 will be added to the signing command.

Additional arguments:

This field allows you to enter any additional options you would like to pass to the code signing tool beyond Setup Factory's automatic parameters. If you leave any of the SHA-256 related fields blank (except for tool location), you can manually pass their values using this field. The values entered here are added at the beginning of the parameter list. When "SignTool.exe" is the chosen tool, Setup Factory automatically passes the "sign" command as the first argument.

Sign with SHA-1 (for pre Windows 7 compatibility)

Sign the setup using a SHA-1 based signature or SHA-1 file digest. As of January 1, 2016 Windows 7 and higher will no longer trust new code that is signed with only a SHA-1 certificate. To be compatible with Windows 7 or higher and Windows XP SP3 and Windows Vista you must dual-sign your setups by enabling both SHA-1 and SHA-256 signing. See Authenticode Code Signing for more information.

SHA-1 timestamp URL:

The URL of a SHA-1 timestamp server such as: http://timestamp.comodoca.com. Refer to your certificate provider's documentation for the server URL to use.

If this value is provided, /t <timestamp_url> will be added to the signing command.

Additional arguments:

This field allows you to enter any additional options you would like to pass to the code signing tool beyond Setup Factory's automatic parameters. If you leave any of the SHA-1 related fields blank (except for tool location), you can manually pass their values using this field. The values entered here are added at the beginning of the parameter list. When "SignTool.exe" is the chosen tool, Setup Factory automatically passes the "sign" command as the first argument.

Use SHA-256 certificate

Use your provided SHA-256 certificate and password when signing with SHA-1. This option is only available when dual-signing (when Sign with SHA-256 is enabled). When dual-signing, this option also provides compatibility with Windows XP SP3 and Windows Vista by including a SHA-1 file digest.

If the SHA-256 certificate is provided, /f <certificate_path> will be added to the signing command.
If the SHA-256 password is provided, /p <password_value> will be added to the signing command.

Use 'legacy' SHA-1 certificate

Use a SHA-1 certificate and password. This option enables you to sign with a full SHA-1 certificate (if one can be obtained), or dual-sign with different certificates (SHA-256 and a full SHA-1 signature, if one can be obtained). When dual-signing, this option also provides compatibility with versions of Windows prior to Windows XP SP3.

SHA-1 certificate:

The full path and filename of the SHA-1 certificate to use when signing the setup file. This file must be a "Personal Information Exchange" file (*.PFX, *.P12). You can click the Browse button to select the file. This value is only available when Use 'legacy' SHA-1 certificate is selected.

If the SHA-1 certificate is provided, /f <certificate_path> will be added to the signing command.

Certificate password:

The password to use for opening your SHA-1 certificate file (*.PFX, *.P12) if it's password protected. You can leave this value blank if your certificate is not password protected. This value is only available when Use 'legacy' SHA-1 certificate is selected.

If this value is provided, /p <password_value> will be added to the signing command.

Description:

The description of the signed content.

If this value is provided, /d <description_value> will be added to both signing executions (SHA-1 and SHA-256 signing steps).

Description URL:

A URL that provides further information about the signed content.

If this value is provided, /du <description_url> will be added to both signing executions (SHA-1 and SHA-256 signing steps).
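
The two signing executions that the settings above describe for dual-signing with a single certificate (the Use SHA-256 certificate option), followed by a verification step, written out as an added PowerShell example that is not taken from the Setup Factory documentation or its build log. The file paths, the CODESIGN_PFX_PASSWORD variable, the description values and the order of the arguments are assumptions; the timestamp URLs are the samples given above.

```powershell
# Added example: all paths and names below are placeholders, not Setup Factory values.
$SignTool = 'C:\path\to\signtool.exe'      # placeholder: SignTool 6.3 or higher
$Target   = 'C:\build\setup.exe'           # placeholder: the built setup file
$Pfx      = 'C:\certs\codesign.pfx'        # placeholder: SHA-256 certificate (*.PFX)
$Password = $env:CODESIGN_PFX_PASSWORD     # assumed variable; keeps the password out of the script
$Common   = @('/d', 'Example Product Setup', '/du', 'https://example.com/product')

function Invoke-SignTool {
    param([string[]]$Arguments)
    # Run SignTool and stop the build if it reports a failure.
    & $SignTool @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

# Pass 1 (Sign with SHA-1): SHA-1 file digest and SHA-1 timestamp (/t).
# '/fd sha1' is not in the page's argument list; it is written out here because
# recent SignTool releases refuse to sign without an explicit /fd. In Setup
# Factory it would go in the SHA-1 Additional arguments field.
Invoke-SignTool (@('sign', '/fd', 'sha1', '/f', $Pfx, '/p', $Password,
                   '/t', 'http://timestamp.comodoca.com') + $Common + $Target)

# Pass 2 (Sign with SHA-256): /as appends the SHA-256 signature instead of
# replacing the one from pass 1; /tr with /td sha256 requests a SHA-256 timestamp.
Invoke-SignTool (@('sign', '/f', $Pfx, '/p', $Password, '/fd', 'sha256', '/as',
                   '/tr', 'http://timestamp.comodoca.com/?td=sha256', '/td', 'sha256') +
                 $Common + $Target)

# Check: /all verifies every signature in the file, /pa uses the default
# Authenticode verification policy. Both signatures should be listed as valid.
Invoke-SignTool @('verify', '/pa', '/all', '/v', $Target)
```

If the verify step lists only one signature, the second pass replaced the first instead of appending to it; check that /as is present in the SHA-256 command in the build log.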