Skip to content

Digitally sign packages - Code Signing

Digitally signing a Self-Extracting package or installer ensures end users that the code has not been tampered with or altered. Based on Microsoft Authenticode® technology, digital signing verifies the source of the code and its integrity. With Paquet Builder, signing installer .exe files is straightforward, as it includes the necessary tools.

Benefits of Code Signing

  • For signed packages: End users see a certificate indicating the software's origin and authenticity, reducing security warnings:

  • For unsigned packages: Windows displays a warning, which may discourage users from proceeding:

👉 To enable digital signing in Paquet Builder, activate the "Digitally sign my package" option and follow the steps outlined below.

Info

Learn more about code signing with Authenticode in this Introduction to Code Signing.

Warning

Windows cannot sign EXE files larger than 2 GB. If needed, consider creating a multi-volume archive.

How to Obtain a Code Signing Certificate

To sign your application, you need a valid code signing certificate from a trusted Certificate Authority (CA) such as Sectigo or Digicert. Certification authorities offer different types of certificates, but only code signing certificates are compatible with Authenticode.

Token-Based Certificates and Hardware Security Modules

As of June 1, 2023, code signing certificate keys must be stored on a hardware security module (HSM) or a token that meets Federal Information Processing Standards (FIPS) 140-2 Level 2 or Common Criteria EAL 4+. This change prevents misuse of stolen keys. The traditional PFX format is being phased out.

Paquet Builder supports signing with token-based certificates. Ensure that your token is connected to your computer during the signing process.

Tip

If your token uses the Safenet client, enable the "Single Logon" option to enter your password only once per session, streamlining the signing process.

Steps to Sign Your Package

Requirements

A code signing certificate stored as either:

  • A Personal Information Exchange file (PFX)
  • A hardware token
  • A certificate installed in the Windows Certificate Store

Paquet Builder includes GSignCode, an integrated utility for signing packages. The signing process results are shown in the compilation log.

Configuring the Certificate

  1. Using a PFX File: Specify the path to your .pfx file and its associated password (if protected). To create a .pfx file, use the pvk2pfx tool: 

    pvk2pfx.exe -pvk MyPrivateKey.pvk -spc MyPublicKey.cer -pfx MyPFX.pfx -po your_password

  2. Using the Windows Certificate Store: Provide either the subject name or thumbprint of your certificate installed in the store. Paquet Builder will search for the certificate in the Current User or Local Computer store.

  3. Token-Based Certificates: Connect your token containing the private key and ensure it is accessible during the signing process. GSignCode automatically adapts to the token’s capabilities, including support for Elliptic Curve Cryptography (ECC).

Digest Algorithms

Paquet Builder supports modern digest algorithms, including:

  • SHA-256: The default and recommended standard for security.
  • Dual Code Signing: Combines SHA-256 and SHA-1 to support older systems like Windows XP or Vista.

Note

While ECC is not a selectable digest algorithm, it is used internally by certain tokens. GSignCode adapts to the token’s requirements for signing operations.

Warning

Dual code signing is supported on Windows 8 and higher. On Windows 7, only SHA-256 is used by default.

Additional Options

Application Information URL

Specify a URL in your digital certificate to direct users to your website or product information. If left blank, the default URL from the package settings will be used.

Force Integrity Check at Startup

Enables a mandatory signature validation by the operating system. Unsigned files will fail to execute without error messages but will log events in the Windows Event Viewer.

Digital Signature Timestamp

A timestamp ensures that the digital signature does not expire. Paquet Builder supports both Authenticode-compatible and RFC-3161-compatible timestamp servers. Configure their URLs in the Environment Options.

Digitally Sign the Uninstaller

This option signs the uninstaller EXE file. Highly recommended.

Digitally Sign Internal DLL Files

This option signs internal runtime libraries used temporarily by your package.

Troubleshooting Code Signing

If errors occur during code signing, refer to the compilation log for detailed messages. Ensure that your certificate is accessible and correctly configured, and verify your Internet connection for timestamping.

By keeping your packages digitally signed and up-to-date with modern standards like SHA-256 and ECC, you ensure both security and user trust.