Code Signing
Executable Signing
Adding a digital signature to a project executable lets users and Windows determine who created the executable, detect whether it has been altered since it was signed, and, if a timestamp was included when signing, establish when it was signed.
On modern Windows platforms, with the increased sensitivity of AV and reputation-based technologies such as SmartScreen, deploying signed executables is strongly recommended. An unsigned executable is more likely to be flagged by AV systems, and users may see a dialog asking for their permission to run it; that dialog shows the author of the executable as unknown when the file is not signed.
To avoid these problems:
- Download Code Signing Tools
- Get a Code Signing certificate
Code Signing Tools
The code signing tools are part of the Windows SDK. If Microsoft Visual Studio 2005 or later is installed, the tools are already available on your machine. Otherwise, download the Windows Software Development Kit from Microsoft; several versions are available, so search for "SignTool download" and pick the one appropriate for your operating system (in the Windows 10 SDK installer, only the "Windows SDK Signing Tools for Desktop Apps" component is needed). The SDK contains everything required to work with certificates and sign files.
Digital certificates on your machine can be viewed with the certmgr.exe tool, run from the Developer Command Prompt for Visual Studio. Starting the tool shows a list of logical store names; the tool can also be used to import and export certificates.
SignTool from Windows Software Development Kit 8.1 or later is required to create SHA-256 file digests (/fd sha256) and to append additional signatures to an already signed file (/as).
Get a Code Signing Certificate
Get a code signing certificate from a certification authority (CA) such as VeriSign or Thawte (both brands are now part of DigiCert) or others. Obtain a certificate issued specifically for code signing (in VeriSign's old terminology, a class 3 certificate); a certificate issued for TLS or e-mail cannot be used to sign executables.
During the sign-up process, a private key is generated; make sure to mark the key as exportable. You will need to provide an email address, password, and challenge phrase, as well as additional information about your company. Save the private key to a local .pvk file and store it and the information associated with it in a secure location: anyone who obtains the key and its password can sign executables in your name. Once your company information has been verified, the CA issues the public portion of your digital certificate; save this to a local .cer or .spc file during the installation process and also store it in a safe place. Note that since June 2023 the CA/Browser Forum requirements oblige CAs to issue code signing certificates only with the private key generated and held on a hardware token or HSM; for such certificates there is no .pvk file to export, and SignTool is pointed at the certificate in the certificate store (backed by the token's CSP/KSP) instead of at a PFX file.
Test certificates can be created with the makecert.exe tool from Microsoft (deprecated in newer SDKs) or with the PowerShell cmdlet New-SelfSignedCertificate. Such certificates are only trusted on machines where the test root has been installed explicitly; use them to test the signing pipeline, never for shipped executables.
Newer certificates are themselves signed with SHA-256 and can be used to produce both SHA-1 and SHA-256 file digests (SHA-1 and SHA-256 are hash algorithms, not encryption). SHA-1 is considered weak and is only needed for legacy systems; sign with SHA-256 wherever possible, and if a SHA-1 signature is still required, create it first and append the SHA-256 signature with /as (dual signing).
Sign Your Executable
There are two ways to sign your executable:
- Via SignCode.exe (the older tool, now deprecated)
- Via SignTool.exe
The main advantage of SignTool.exe is that the password for the certificate does not need to be entered manually each time you want to sign the executable. To use SignTool.exe, you need to do the following:
- Convert the certificate to a software publishing certificate.
- Convert the software publishing certificate to a Personal Information Exchange file.
- Import the PFX file into a certificate store.
Convert the Certificate to a Software Publishing Certificate
Use the cert2spc tool to convert the certificate (.cer) file to a software publishing certificate (.spc). Open a Developer Command Prompt for Visual Studio and enter:
cert2spc yourcerfile yourspcfile
Convert the Software Publishing Certificate to a Personal Information Exchange File
Use the pvk2pfx tool to convert the SPC file to a PFX file. Open a Developer Command Prompt for Visual Studio and enter:
pvk2pfx -pvk yourpvkfile -pi yourpvkpassword -spc yourspcfile -pfx yourpfxfilename -po yourpfxpassword -f
Store the PFX file in a secure location.
Import the PFX File into a Certificate Store
Import the .pfx file into a certificate store on the machine where you want to sign your executables. This can be your development machine. Importing is done via the certmgr.exe tool: choose Import, enter the PFX file name and password, and disable the option "Enable strong private key encryption" (with that option enabled, Windows prompts every time the private key is used, which defeats unattended signing from the Studio).
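The procedure above (PFX produced by pvk2pfx, imported once, then signed from the store without re-entering the password) can also be done from PowerShell. The script below is an added example written for this page; it is not part of the Data Access documentation or the SignDataFlexProjectExe tool. The PFX path, executable path and timestamp URL are assumptions for illustration.

```powershell
# Added example (not DataFlex code): import the PFX into the current user's Personal store,
# sign an executable with SignTool from the store, and verify the result.
# Assumed paths: C:\Signing\YourCertificate.pfx and C:\Projects\MyApp\Programs\MyApp.exe.
param(
    [string]$PfxPath      = 'C:\Signing\YourCertificate.pfx',
    [string]$ExePath      = 'C:\Projects\MyApp\Programs\MyApp.exe',
    [string]$TimestampUrl = 'http://timestamp.comodoca.com/?td=sha256'
)
$ErrorActionPreference = 'Stop'

# Locate the newest SignTool.exe under the Windows 10/11 SDK (bin\<version>\x64\signtool.exe).
# SDK 8.1 or later is required for /fd sha256.
$signtool = Get-ChildItem "${env:ProgramFiles(x86)}\Windows Kits\10\bin\*\x64\signtool.exe" -ErrorAction SilentlyContinue |
    Where-Object { $_.Directory.Parent.Name -match '^\d+(\.\d+)+$' } |
    Sort-Object { [version]$_.Directory.Parent.Name } -Descending |
    Select-Object -First 1
if (-not $signtool) { throw 'SignTool.exe not found; install the Windows SDK signing tools.' }

# Import the PFX once. Read-Host -AsSecureString keeps the password out of the shell history,
# and Import-PfxCertificate imports the key non-exportable by default, so it cannot be
# copied back out of the store.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key.' }

# Sign from the store. /sha1 selects the certificate by thumbprint instead of /a (auto-select),
# which can silently pick another certificate if several are installed. /fd sha256 sets the
# file digest; /tr plus /td sha256 add an RFC 3161 timestamp so the signature stays valid
# after the certificate itself expires.
& $signtool.FullName sign /sha1 $cert.Thumbprint /fd sha256 /tr $TimestampUrl /td sha256 $ExePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy (/pa) and print the certificate chain (/v).
& $signtool.FullName verify /pa /v $ExePath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Cross-check with the built-in cmdlet: the status must be Valid and the signer must be our certificate.
$sig = Get-AuthenticodeSignature -FilePath $ExePath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Unexpected signature state: $($sig.Status) by $($sig.SignerCertificate.Subject)"
}
"Signed and verified: $ExePath ($($sig.SignerCertificate.Subject))"
```

For a self-signed test certificate the verification steps fail with a chain error unless the test root has been installed in Trusted Root Certification Authorities on that machine; that is the expected result and is exactly what end users would see.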
Signing from the Studio
Data Access provides a small tool installed in the DataFlex Bin64 folder which makes it easier to perform the signing from the Studio. The tool calls Signtool.exe. You can specify the path to Signtool.exe and the arguments to pass via the SignDataFlexProjectExe.Ini file. With the tool provided, you can easily debug a signed DataFlex application via the DataFlex Studio.
Add the tool to your Studio's Tools menu via the Configure Tools Menu choice. Enter the following information in the Configure Tools dialog that pops up.

Now all you have to do is select "sign" from the tools menu after you've compiled a project.
You can also use the "After Compilation Process" mechanism in the Studio to further automate this process (assuming you want the executable signed after each compilation).

INI File
The SignDataFlexProjectExe tool uses an INI file (SignDataFlexProjectExe.Ini) for the configuration of the paths and arguments of SignTool.exe.
The INI file contains two sections (default names are Sha1 and Sha256) and has the following keys:

If you alter the INI file, take the following actions:
- Change the SignToolPath value if the path to SignTool.exe is different.
- Change the Arguments value if different arguments are desired. Look up the possible and required arguments in the documentation for the tool; for SignTool.exe, check Microsoft MSDN. The keyword in the Arguments value is replaced by the executable path passed by the Studio.
Note that you may perform multiple sign operations by creating multiple sections. The INI file in the Bin64 folder shows two sections (Sha1 and Sha256). The names of the sections have no specific meaning but must be unique.
Example
The following INI performs four signing operations with one certificate. The PFX file is passed to SignTool directly with /f and its password with /p, so it no longer needs to be imported into a certificate store. The first section creates the primary SHA-1 signature; the remaining sections use /as to append SHA-256, SHA-384 and SHA-512 signatures instead of replacing the first one, so the order of the sections matters. Because the /p value is a plaintext password, restrict read access to the INI file and the PFX to the accounts that actually sign, and keep both out of source control:
[Sha1]
SignToolPath=C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\
Arguments=sign /q /a /f "C:\Signing\YourCertificate.pfx" /p /fd sha1 /t http://timestamp.comodoca.com/authenticode
[Sha256]
SignToolPath=C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\
Arguments=sign /q /a /f "C:\Signing\YourCertificate.pfx" /p /as /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256
[Sha384]
SignToolPath=C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\
Arguments=sign /q /a /f "C:\Signing\YourCertificate.pfx" /p /as /fd sha384 /tr http://timestamp.comodoca.com/?td=sha384 /td sha384
[Sha512]
SignToolPath=C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\
Arguments=sign /q /a /f "C:\Signing\YourCertificate.pfx" /p /as /fd sha512 /tr http://timestamp.comodoca.com/?td=sha512 /td sha512
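The same four-signature chain can be run outside the Studio, for example from a build agent, without keeping the password in the INI file. The script below is an added example written for this page, not part of the Data Access documentation or the SignDataFlexProjectExe tool; it assumes the PFX password is supplied through an environment variable named SIGNING_PFX_PASSWORD (an assumption, set by whatever runs the build) and uses the SignTool and certificate paths from the INI above.

```powershell
# Added example (not DataFlex code): SHA-1 primary signature followed by SHA-256/384/512
# signatures appended with /as, password taken from the environment, all signatures verified.
param(
    [string]$SignTool = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\signtool.exe',
    [string]$Pfx      = 'C:\Signing\YourCertificate.pfx',
    [Parameter(Mandatory)][string]$Exe
)
$ErrorActionPreference = 'Stop'

# Assumed: the build agent exports the PFX password as SIGNING_PFX_PASSWORD.
$password = $env:SIGNING_PFX_PASSWORD
if (-not $password) { throw 'SIGNING_PFX_PASSWORD is not set.' }

# Order matters: the first entry creates the primary signature (no /as); every later entry
# must carry /as, otherwise SignTool overwrites the existing signature instead of appending.
$steps = @(
    @{ Digest = 'sha1';   Args = @('/t',  'http://timestamp.comodoca.com/authenticode') },
    @{ Digest = 'sha256'; Args = @('/as', '/tr', 'http://timestamp.comodoca.com/?td=sha256', '/td', 'sha256') },
    @{ Digest = 'sha384'; Args = @('/as', '/tr', 'http://timestamp.comodoca.com/?td=sha384', '/td', 'sha384') },
    @{ Digest = 'sha512'; Args = @('/as', '/tr', 'http://timestamp.comodoca.com/?td=sha512', '/td', 'sha512') }
)

foreach ($step in $steps) {
    # PowerShell expands the array into separate command-line arguments for the native tool.
    & $SignTool sign /q /f $Pfx /p $password /fd $step.Digest @($step.Args) $Exe
    if ($LASTEXITCODE -ne 0) { throw "signtool sign ($($step.Digest)) failed with exit code $LASTEXITCODE" }
}

# /all verifies every signature, not only the primary one; /pa applies the default Authenticode policy.
$report = & $SignTool verify /pa /all /v $Exe 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) { throw "Verification failed:`n$report" }

# With /v each signature is reported with a 'Hash of file (<digest>)' line; make sure all four are there.
$found   = [regex]::Matches($report, 'Hash of file \((sha\d+)\)') | ForEach-Object { $_.Groups[1].Value }
$missing = $steps.Digest | Where-Object { $_ -notin $found }
if ($missing) { throw "Signatures missing for: $($missing -join ', ')" }
"All signatures present and verified: $($found -join ', ')"
```

The password still appears on the SignTool command line for the duration of each call, so this only moves the secret out of a file on disk; for production signing prefer a certificate held on a hardware token or HSM and select it from the store with /sha1 or /n, which needs no password argument at all.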