Security - Code Signing (Digital Signatures)

When you digitally sign an application (this is called code signing), you ensure end users that the code within the application they are to receive has not been tampered with or altered. Digital signing is based on Microsoft Authenticode® technology. This enables end users and the operating system to verify that program code comes from the rightful owner. With ExeOutput for PHP, it is easy to sign your compiled application .exe files as ExeOutput for PHP calls the necessary programs itself.

If you digitally sign your software, end users are generally presented with a digital certificate when your application is downloaded from the web to their system:

img

For signed applications, the publisher’s name is displayed. Your end users know that the .exe file is authentic, and has not been tampered with or altered.

For unsigned applications, Windows shows the following warning message:

img

If you would like to digitally sign your application, enable “Digitally sign my application” in ExeOutput for PHP (Security -> Code signing). Then, follow the steps below.

You can read this article explaining you most everything you need to know about code signing with Authenticode: Introduction to Code Signing

Current limitations in Windows do not allow signing EXE files larger than 2 GB. If code signing is a requirement for you, and your EXE file is larger than 2 GB, consider keeping files external.

How to obtain a code signing certificate

You have to obtain a valid code signing certificate from a certificate authority (CA), a third party trusted by the industry, akin to a notary who handles electronic IDs. Comodo and Verisign are two examples of CA.

As an ExeOutput for PHP customer, you can purchase a valid code signing certificate at a discounted price from our partner, K Software, a Comodo Strategic Partner. If you are interested in purchasing or renewing a certificate, please go to the ExeOutput for PHP’s My Account page and choose “Purchase a code signing certificate” in order to get a coupon code for applying the discount with K Software.

Code signing steps

You can digitally sign your application .EXE only if you have received your personal Software Publishing Certificate (SPC) and a private key (PVK) from a Certificate Authority; or a Personal Information Exchange file (PFX).

ExeOutput for PHP calls an integrated code signing utility (GSignCode.exe available in the ExeOutput for PHP’s folder). No need to install third-party software: GSignCode is shipped with ExeOutput for PHP. The result of the signing process is included in the compilation log.

Certificate Location

In order to sign the package .EXE file, ExeOutput for PHP requires the location to your code signing certificate. It can be stored in an external file (.PFX) or in the Windows Certificate Store (Local Computer, Personal section). You must select the certificate’s location, and provide either the path to the PFX file, the certificate’s subject name, or the certificate’s thumbprint.

Personal Information Exchange file (PFX)

Specify the path to the Personal Information Exchange file you want to use to generate the digital signature for your application EXE. This file type is given the .pfx extension.

To create a PFX file from a CER (or SPC) and PVK file, you need to use the pvk2pfx tool shipped in the Windows SDK. The PFX file combines your public and private keys into a single file. Example: pvk2pfx.exe -pvk MyPrivateKey.pvk -spc MyPublicKey.cer -pfx MyPFX.pfx -po your_password

Associated Password

If the Personal Information Exchange file is protected by a password, specify the password. Passwords are automatically hidden, however do not leave the password in your project if you plan to share the latter.

Certificate Subject Name

If your code signing certificate is available in the Windows Certificate Store, ExeOutput for PHP can use it if you give the correct subject name. There should be only one certificate with that subject name in the store, otherwise an error will be raised.

ExeOutput for PHP will first look for the certificate in the Current User store => Personal substore (this is the default one) and if not found, in the local machine store => Personal substore. If the certificate is somewhere else, please export it as a .PFX file.

Certificate Thumbprint

Same as before, but this time ExeOutput for PHP will look for the certificate based on its unique thumbprint. Learn more at https://msdn.microsoft.com/en-us/library/ms734695%28v=vs.110%29.aspx

Signatures with SHA-256 and SHA-1 digests

It is now recommended to use signatures with an SHA-256 instead of an SHA-1 message digest. However, old Windows versions such as Vista or XP do not recognize SHA-256 signatures. In that case, it is possible to add two signatures to the application .EXE file: this is called “dual code signing”.

By default, ExeOutput for PHP will work with “dual code signing” if it is run on Windows 8 or later. On Windows 7, an SHA-256 signature is used by default and on previous Windows versions, an SHA-1 signature.

In that case, it is recommended to use ExeOutput for PHP on Windows 8 or higher to benefit from all code signing features!

You can also choose to sign your application with SHA-256 or SHA-1 only. But keep in mind that SHA-1 is being deprecated: http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx

Application Information URL

This URL is used in your digital certificate to link to a location you would like end users to visit in order to learn more about your product or company. If you do not specify a URL, then ExeOutput for PHP will use the default one from the Icon / Version page.

Digital Signature Timestamp

A timestamp is added to the application, thus the embedded digital signature will never expire. You should have an Internet connection on the system in which you are building the application. The GSignCode code signing utility requires an Internet connection in order to timestamp the application’s signature, so check that your firewall does not block the outgoing connection. By default, time stamping using RFC 3161 is automatically selected on Windows 8 or higher for SHA-2 signatures. Two timestamp servers are used: an Authenticode-compatible server and a RFC-3161-compatible server. You can configure their URLs in the Environment Options.


Copyright G.D.G. Software 2018. All Rights Reserved.