Preferences

Code Signing Defaults

These settings are the default values that will be used on the Code Signing tab of the Build Settings dialog when new projects are started.

The settings below allow you to sign or dual-sign the setup and uninstall during the build process using SHA-1 and/or SHA-256. When both Sign with SHA-256 and Sign with SHA-1 are selected, Setup Factory will run the specified signing tool twice, first signing with SHA-1 and then a second time to append your SHA-256 signature. To support the widest variety of operating systems, we recommend dual-signing your setups.

As of January 1, 2016 Windows 7 and higher will no longer trust new code that is signed with a SHA-1 certificate. All files should be signed with a SHA-256 certificate. To be compatible with Windows XP SP3 and Windows Vista you must dual-sign your setups by also enabling the Sign with SHA-1 option. To be compatible with operating systems prior to Windows XP SP3 that don't support SHA-256 signatures, you may dual-sign using two different certificates (SHA-256 and a full SHA-1 certificate - if one can be obtained). See Windows Enforcement of Authenticode Code Signing and Timestamping, and Authenticode Code Signing for more information.

Note: The minimum requirements for signing with SHA-256 using SignTool are Windows 7 SP1 and SignTool version 6.1.7600.16385 or higher, which comes with the Windows 7.1 SDK. As a result, Setup Factory's design environment must be run on Windows 7 SP1 or higher to perform SHA-256 signing using SignTool.

Dual-signing using SignTool is only supported in version 6.3 or higher of SignTool.exe which comes with the Windows 8.1 SDK. We recommend using the version found in either the Windows Software Development Kit (SDK) for Windows 8.1, or the Windows Software Development Kit (SDK) for Windows 10 in Setup Factory for full functionality.

See Authenticode Code Signing for more information on code signing.

Tip: If you're using a different code signing tool that contains different options, or you require further control, you may leave the settings fields blank (except for the tool), and instead specify the options in the Additional arguments field. If "SignTool.exe" is detected as the tool, Setup Factory will automatically pass the "sign" command. If you're not using SignTool and require a different command, add it as the first value in the Additional arguments field.

Code sign setups

Code sign all new setups/uninstalls during the build process. See Authenticode Code Signing for more information.

SignTool location:

The full path and filename of the code signing tool SignTool.exe on your system. You can click the Browse button to select the file. This tool could not be distributed, but is available in the \Windows Kits\XX\bin\x86 folder of the Windows Software Development Kit (SDK). For more information, see MSDN: SignTool (Windows), Windows Software Development Kit (SDK) for Windows 8.1, and Windows Software Development Kit (SDK) for Windows 10.

Sign with SHA-256

Sign the setup using a SHA-256 certificate. As of January 1, 2016 Windows 7 and higher will no longer trust new code that is signed with a SHA-1 certificate. All files should be signed with a SHA-256 certificate. To be compatible with Windows XP SP3 and Windows Vista you must dual-sign your setups by also enabling the Sign with SHA-1 option.

SHA-256 certificate:

The full path and filename of the SHA-256 certificate to use when signing the setup file. This file must be a "Personal Information Exchange" file (*.PFX, *.P12). You can click the Browse button to select the file.

If the SHA-256 certificate is provided, /f <certificate_path> /fd sha256 will be added to the signing command.
If the SHA-256 certificate is provided and Sign with SHA-1 is also enabled (dual-signing), /as will also be added to the signing command.

Certificate password:

The password to use for opening your SHA-256 certificate file (*.PFX, *.P12) if it's password protected. You can leave this value blank if your certificate is not password protected.

If this value is provided, /p <password_value> will be added to the signing command.

SHA-256 timestamp URL:

The URL of a SHA-256 timestamp server such as: http://timestamp.comodoca.com/?td=sha256. Refer to your certificate provider's documentation for the server URL to use.

If this value is provided, /tr <timestamp_url> /td sha256 will be added to the signing command.

Additional arguments:

This field allows you to enter any additional options you would like to pass to the code signing tool beyond Setup Factory's automatic parameters. If you leave any of the SHA-256 related fields blank (except for tool location), you can manually pass their values using this field. The values entered here are inserted at the beginning of the parameter list. When "SignTool.exe" is the chosen tool, Setup Factory automatically passes the "sign" command as the first argument.

Sign with SHA-1 (for pre Windows 7 compatibility)

Sign the setup using a SHA-1 based signature or SHA-1 file digest. As of January 1, 2016 Windows 7 and higher will no longer trust new code that is signed with only a SHA-1 certificate. To be compatible with Windows 7 or higher and Windows XP SP3 and Windows Vista you must dual-sign your setups by enabling both SHA-1 and SHA-256 signing. See Authenticode Code Signing for more information.

SHA-1 timestamp URL:

The URL of a SHA-1 timestamp server such as: http://timestamp.comodoca.com. Refer to your certificate provider's documentation for the server URL to use.

If this value is provided, /t <timestamp_url> will be added to the signing command.

Additional arguments:

This field allows you to enter any additional options you would like to pass to the code signing tool beyond Setup Factory's automatic parameters. If you leave any of the SHA-1 related fields blank (except for tool location), you can manually pass their values using this field. The values entered here are inserted at the beginning of the parameter list. When "SignTool.exe" is the chosen tool, Setup Factory automatically passes the "sign" command as the first argument.

Use SHA-256 certificate

Use your provided SHA-256 certificate and password when signing with SHA-1. This option is only available when dual-signing (when Sign with SHA-256 is enabled). When dual-signing, this option also provides compatibility with Windows XP SP3 and Windows Vista by including a SHA-1 file digest.

If the SHA-256 certificate is provided, /f <certificate_path> will be added to the signing command.
If the SHA-256 password is provided, /p <password_value> will be added to the signing command.

Use 'legacy' SHA-1 certificate

Use a SHA-1 certificate and password. This option enables you to sign with a full SHA-1 certificate (if one can be obtained), or dual-sign with different certificates (SHA-256 and a full SHA-1 signature - if one can be obtained). When dual-signing, this option also provides compatibility with versions of Windows prior to Windows XP SP3.

SHA-1 certificate:

The full path and filename of the SHA-1 certificate to use when signing the setup file. This file must be a "Personal Information Exchange" file (*.PFX, *.P12). You can click the Browse button to select the file. This value is only available when Use 'legacy' SHA-1 certificate is selected.

If the SHA-1 certificate is provided, /f <certificate_path> will be added to the signing command.

Certificate password:

The password to use for opening your SHA-1 certificate file (*.PFX, *.P12) if it's password protected. You can leave this value blank if your certificate is not password protected. This value is only available when Use 'legacy' SHA-1 certificate is selected.

If this value is provided, /p <password_value> will be added to the signing command.

Description:

The description of the signed content.

If this value is provided, /d <description_value> will be added to both signing executions (SHA-1 and SHA-256 signing steps).

Description URL:

A URL that provides further information about the signed content.

If this value is provided, /du <description_url> will be added to both signing executions (SHA-1 and SHA-256 signing steps).
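
The two signing passes described above, run by hand and then verified, as an added example that is not Setup Factory's own code or output. The file paths are placeholders, the timestamp URLs are the ones quoted on this page, and the explicit /fd sha1 on the first pass is an assumption added here (the page does not list it) because recent SignTool releases require a file digest to be named.

```powershell
# Added example: dual-sign a setup with one PFX, mirroring the documented passes.
# All paths are placeholders; point them at your own SDK, certificate and build output.
$SignTool = 'C:\path\to\signtool.exe'    # placeholder; /as needs SignTool 6.3 or higher
$Pfx      = 'C:\path\to\codesign.pfx'    # placeholder SHA-256 certificate (*.PFX, *.P12)
$Target   = 'C:\path\to\setup.exe'       # placeholder file to sign

# Prompt for the PFX password instead of storing it in a script or project file.
# It is still handed to SignTool through /p, so it appears on the process command
# line while each signing pass runs.
$secure      = Read-Host -Prompt 'PFX password' -AsSecureString
$PfxPassword = [System.Net.NetworkCredential]::new('', $secure).Password

function Invoke-SignTool {
    param([string[]]$Arguments)
    & $SignTool @Arguments
    # SignTool returns a non-zero exit code on failure; stop before the next pass.
    if ($LASTEXITCODE -ne 0) { throw "signtool exited with code $LASTEXITCODE" }
}

# Pass 1: SHA-1 file digest with a legacy timestamp (/t), the "Use SHA-256
# certificate" case. /fd sha1 is stated explicitly here (assumption, see lead-in).
Invoke-SignTool @('sign', '/f', $Pfx, '/p', $PfxPassword, '/fd', 'sha1',
                  '/t', 'http://timestamp.comodoca.com', $Target)

# Pass 2: append (/as) a SHA-256 signature with an RFC 3161 timestamp (/tr, /td).
# Without /as this pass would replace the SHA-1 signature instead of adding to it.
Invoke-SignTool @('sign', '/f', $Pfx, '/fd', 'sha256', '/as', '/p', $PfxPassword,
                  '/tr', 'http://timestamp.comodoca.com/?td=sha256', '/td', 'sha256',
                  $Target)

# Verify every signature in the file against the default Authenticode policy.
# /all makes SignTool check both signatures, not only the first one.
Invoke-SignTool @('verify', '/pa', '/all', '/v', $Target)
```

The verbose verify output should list two signatures, one with a sha1 digest and one with sha256, each with its own timestamp; a file showing only one means the second pass replaced the first instead of appending to it.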