Code signing
When you digitally sign a publication (code signing), you assure end users that the code they receive in this publication has not been tampered with or altered. Digital signing is based on Microsoft Authenticode® technology, which enables end users and the operating system to verify that program code comes from the rightful owner. With HTML Executable, it is easy to sign your compiled publication .exe files because HTML Executable calls the necessary programs itself. If you digitally sign your software, end users are generally presented with a digital certificate when your publication is downloaded from the web to their system:
For signed publications, the publisher's name is displayed. Your end users know that the .exe file is authentic, and has not been tampered with or altered. For unsigned publications, Windows shows the following warning message:
You may digitally sign your publication if you have received a Software Publishing Certificate (SPC) and a private key (PVK) from a Certificate Authority, or if you have a Personal Information Exchange file (PFX).
How to set up signtool.exe
HTML Executable requires Microsoft SignTool (signtool.exe). For further information about SignTool, go to http://msdn2.microsoft.com/en-us/library/8s9b9yaz(VS.80).aspx
Code signing steps
The program SignTool is automatically called by HTML Executable when finalizing the publication's executable file. The result of the signing process is included in the compilation log.
Specify the path to the Personal Information Exchange file you want to use to generate the digital signature for your package. This file type is given the .pfx extension.
If the Personal Information Exchange file is protected by a password, you can specify the password here; otherwise you can be prompted for it. Specifying it is useful if you have automated HTML Executable in a daily build process. Passwords are automatically hidden.
Optionally, a timestamp can be added to the publication file. A timestamp should always be added when signing a file, so that the embedded digital signature never expires. Timestamping requires an Internet connection on the system on which you build the publication, because SignTool needs to open an Internet connection in order to timestamp the publication's signature. By default HTML Executable can use this URL (example provided in the SDK): http://timestamp.verisign.com/scripts/timstamp.dll. It is the URL for VeriSign's timestamping service. Please note that "timstamp.dll" does not contain the letter "e". Click the button near the field to use this URL automatically. HTML Executable will normally let SignTool timestamp the package file. You can prevent this by disabling the "Time stamp feature" option in the Environment Options.
This URL is used in your digital certificate to link to a location you would like end users to visit in order to learn more about your product or company. If you do not specify a URL, then HTML Executable will use the default one from the Basic Settings page.
You can check whether the publication was successfully signed by using "Build|Check digital signature" from the menu bar.
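For an automated daily build, the same check can be scripted as a first gate. The following is an added example, not part of HTML Executable or SignTool: it parses the compiled .exe and returns the Authenticode (PKCS#7) entries stored in the PE certificate table, so an unsigned or truncated publication is caught before release. The function names and the sample bytes are constructed for illustration, and the check confirms only that a signature is embedded, not that it is valid or trusted.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # certificate type used by Authenticode
SECURITY_DIR = 4                         # index of IMAGE_DIRECTORY_ENTRY_SECURITY

def authenticode_blobs(data):
    """Return the PKCS#7 blobs in a PE file's certificate table ([] if unsigned)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: no MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: no PE signature")
    opt = pe_off + 24                    # skip 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional-header magic")
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 / PE32+ directory offset
    (count,) = struct.unpack_from("<I", data, dirs - 4)
    if count <= SECURITY_DIR:
        return []
    # For this directory only, the first field is a file offset, not an RVA.
    start, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    if start == 0 or size == 0:
        return []                        # no certificate table: file is unsigned
    end = start + size
    if end > len(data):
        raise ValueError("certificate table runs past end of file")
    blobs, pos = [], start
    while pos + 8 <= end:                # walk the WIN_CERTIFICATE entries
        length, _revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            blobs.append(data[pos + 8:pos + length])
        pos += (length + 7) & ~7         # entries are aligned to 8 bytes
    return blobs

def constructed_pe(signed):
    """Constructed minimal PE32 headers for the demo (not a runnable program)."""
    opt = bytearray(96 + 16 * 8)         # optional header + 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    cert = b""
    if signed:
        blob = b"constructed placeholder, not a real PKCS#7 signature"
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 2) + blob
        cert += bytes(-len(cert) % 8)
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, 0x40 + 24 + len(opt), len(cert))
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    return dos + b"PE\0\0" + bytes(20) + bytes(opt) + cert
```

To check a real build output, pass the file's bytes, for example authenticode_blobs(open(path, "rb").read()), and fail the build when the list is empty. Use "Build|Check digital signature" or SignTool's verify command to confirm that the signature itself is valid.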