Preferences - SignCode

The Preferences - SignCode dialog box is one of the pages that appears when you choose the Edit > Preferences command on the main menu bar. It allows you to set the options that InstallMate uses when it runs the Microsoft SignCode or SignTool tool to sign your installation packages.

Note: The options in this dialog box are used as global defaults. You can also choose to have per-configuration SignCode settings, which are accessible through the Advanced... button on the Build Configuration attributes pane.

See Digital Signatures for background information about SignCode and digital signatures.

SignCode.exe versus SignTool.exe

The choice between SignCode.exe and SignTool.exe depends on the format of your code signing certificate: SignCode.exe works with a Software Publisher Certificate (.spc) plus a separate private key file (.pvk) or registry key container, whereas SignTool.exe works with a single .pfx file that holds both the certificate and the private key.

SignTool.exe also allows you to specify the password for the private key of your code signing certificate as part of its command line (SignCode.exe does not; it prompts for the password interactively), and the InstallMate build environment supports that option. It may therefore be more convenient to use SignTool.exe even if you have a .spc/.pvk file pair, after converting the pair to a .pfx file as described next.

To convert a .spc/.pvk file pair to a .pfx file, use Microsoft's pvk2pfx.exe tool that is included in the InstallMate 7\Tools folder on your system. The basic syntax is:

pvk2pfx -pvk c:\path\to\private.pvk -spc c:\path\to\certificate.spc -pfx c:\path\to\certificate.pfx

In this command, the -pvk and -spc parameters specify the input files and the -pfx parameter specifies the output file. If the .pvk file is password protected, supply that password with -pi; use -po to set a password on the resulting .pfx file. Because the .pfx file now contains your private signing key, store it with the same care as the original .pvk file. Consult the Microsoft documentation for pvk2pfx.exe for details of its usage.

Dialog fields and options

This dialog box contains the following fields and options.

Attribute Description
SignCode-related options
Use SignCode Select this option and enter the fully qualified path to the SignCode.exe program, or click the ... (browse) button to open a standard Windows Open dialog to browse for the file. The default value for this field is SignCode.exe, which might be sufficient if SignCode is installed in a PATH folder (but it usually is not).
Digest algorithm

Choose the message digest algorithm that SignCode should use when signing the distribution package. The available options are:

  • MD5 - Use Message Digest 5, a 128-bit (16-byte) digest algorithm. SignCode command line option: -a MD5
  • SHA1 - Use Secure Hash Algorithm revision 1, a 160-bit (20-byte) digest algorithm. SignCode command line option: -a SHA1

Note: MD5 is cryptographically broken (practical collisions exist), so of the two options offered here choose SHA1 unless you must sign for a platform that only understands MD5 signatures.

SPC file path Enter the path to your SPC (Software Publisher Certificate) file, or click the ... (browse) button to open a standard Windows Open dialog to browse for the file. This file contains the credentials (certificate information) that will be included with the signature. SignCode command line option: -spc filepath
PVK storage

Choose the private key storage method and enter the corresponding key path. The available options are:

  • Container - Use a private key stored in the Windows registry. Enter the name of the registry key which contains the private key. SignCode command line option: -k container
  • Disk file - Use a private key stored in a disk file. Enter the fully qualified path to the key file, or click the ... (browse) button to open a standard Windows Open dialog to browse for the file. SignCode command line option: -v filepath

Note: The private key storage contains your private signing key in encrypted form. SignCode will prompt you for your private key password when it needs to decrypt the private key during the signing process, so a SignCode-based build cannot run unattended.

SignTool-related options
Use SignTool Select this option and enter the fully qualified path to the SignTool.exe program, or click the ... (browse) button to open a standard Windows Open dialog to browse for the file. The default value for this field is SignTool.exe, which might be sufficient if SignTool is installed in a PATH folder (but it usually is not).
PFX file path Enter the path to your PFX (Personal Information Exchange) file that contains your code signing certificate, or click the ... (browse) button to open a standard Windows Open dialog to browse for the file. This file contains the credentials (certificate information) that will be included with the signature. SignTool command line option: /f filepath
Password Enter the password for the private key inside the PFX file, if any. This password is stored in encrypted format on the system. You must specify this password if your PFX file is protected by one, or SignTool will fail with exit code 1. Note that the password is passed to SignTool on its command line, where it is visible to any local user who can list running processes (Task Manager, WMI, and similar), so sign on a build machine that is not shared with untrusted users. SignTool command line option: /p password
PVK storage

If your PFX file does not contain the private key information, you must specify the private key CSP and container separately.

  • CSP name - Enter the name of the Cryptographic Service Provider that contains the private key container. SignTool command line option: /csp CSPName
  • Container - Enter the name of the private key container. SignTool command line option: /k PVKContainerName

You must specify either both fields, or neither. In the latter case, SignTool will attempt to use the private key from the PFX file.

Common options
Timestamp

Check this box to include a timestamp in the signature; clear it to sign the distribution package without a timestamp. In general, it is recommended to include a timestamp in your signature. A timestamp proves that the signature was created while your certificate was still valid, so the signature remains verifiable after the certificate expires (Software Publisher Certificates and other code signing certificates have a built-in expiry date); an untimestamped signature becomes invalid when the certificate expires. However, timestamping requires an Internet connection at the time of signing in order to access the timestamping server.

The timestamping options below are only passed to SignCode or SignTool if the Timestamp box is checked.

Server URL Enter the fully qualified URL of the timestamping server. This should be a trusted server (usually operated by a Certification Authority) that offers an Authenticode timestamping service. The default value is http://timestamp.verisign.com/scripts/timstamp.dll, the VeriSign Inc. timestamping server; confirm with your CA that this server is still in service before relying on the default, and use the timestamping URL your CA currently publishes if it is not. SignCode command line option: -t serverURL, SignTool command line option: /t serverURL
Attempts [Only for SignCode.exe] Enter the maximum number of times (at least 1) SignCode should attempt to contact the timestamping server during the signing process. SignCode command line option: -tr number
Wait

[Only for SignCode.exe] Enter the number of seconds that SignCode should wait until the next timestamping attempt if the previous one failed. SignCode command line option: -tw seconds
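The following script shows how the fields described in this dialog map onto actual SignCode.exe and SignTool.exe argument vectors, including the rules the dialog enforces (timestamp options only when the box is checked, Attempts at least 1, CSP name and Container both or neither), plus a redacted form of the SignTool command line for build logs and a post-build verify command. It is an added example and not InstallMate's own build code; the settings dictionary layout, the file paths, the password and the timestamp URL are assumptions chosen for illustration, while the switches are the ones listed in the table above.

```python
"""Build SignCode.exe / SignTool.exe argument vectors from the dialog settings.

Added example, not InstallMate's own code.  The dict keys, sample paths,
password and timestamp URL are assumptions chosen for illustration; the
switches are the ones listed in the dialog description.
"""
import subprocess
from typing import Dict, List

# Constructed sample settings mirroring the dialog fields (assumed layout).
SIGNCODE_SETTINGS = {
    "exe": r"C:\Program Files\InstallMate 7\Tools\SignCode.exe",
    "digest": "SHA1",                      # MD5 is collision-broken; prefer SHA1
    "spc": r"C:\keys\publisher.spc",
    "pvk_file": r"C:\keys\publisher.pvk",  # or "pvk_container": "MyKeyContainer"
    "timestamp": True,
    "ts_url": "http://timestamp.ca.example/",  # assumed, not a real server
    "ts_attempts": 3,
    "ts_wait": 5,
}
SIGNTOOL_SETTINGS = {
    "exe": r"C:\Program Files\InstallMate 7\Tools\SignTool.exe",
    "pfx": r"C:\keys\publisher.pfx",
    "password": "hunter2",                 # assumed; visible in process listings
    "csp": "",                             # both csp and container, or neither
    "container": "",
    "timestamp": True,
    "ts_url": "http://timestamp.ca.example/",
}


def _timestamp_args(opts: Dict, tool: str) -> List[str]:
    """Common options: only emitted when the Timestamp box is checked."""
    if not opts.get("timestamp"):
        return []
    if tool == "signcode":
        attempts = int(opts.get("ts_attempts", 1))
        wait = int(opts.get("ts_wait", 0))
        if attempts < 1:
            raise ValueError("Attempts must be at least 1")
        return ["-t", opts["ts_url"], "-tr", str(attempts), "-tw", str(wait)]
    return ["/t", opts["ts_url"]]  # SignTool gets no Attempts/Wait switches


def signcode_args(opts: Dict, package: str) -> List[str]:
    """SignCode: -a digest, -spc cert, -k container or -v pvkfile, timestamp, target."""
    digest = str(opts.get("digest", "SHA1")).upper()
    if digest not in ("MD5", "SHA1"):
        raise ValueError("SignCode digest must be MD5 or SHA1")
    argv = [opts.get("exe", "SignCode.exe"), "-a", digest, "-spc", opts["spc"]]
    if opts.get("pvk_container"):
        argv += ["-k", opts["pvk_container"]]
    elif opts.get("pvk_file"):
        argv += ["-v", opts["pvk_file"]]
    else:
        raise ValueError("PVK storage: give a registry container or a key file")
    return argv + _timestamp_args(opts, "signcode") + [package]


def signtool_args(opts: Dict, package: str) -> List[str]:
    """SignTool: sign /f pfx [/p pw] [/csp name /k container] [/t url] target."""
    argv = [opts.get("exe", "SignTool.exe"), "sign", "/f", opts["pfx"]]
    if opts.get("password"):
        argv += ["/p", opts["password"]]
    csp, container = opts.get("csp", ""), opts.get("container", "")
    if bool(csp) != bool(container):
        raise ValueError("CSP name and Container must be given together or not at all")
    if csp:
        argv += ["/csp", csp, "/k", container]
    return argv + _timestamp_args(opts, "signtool") + [package]


def signtool_verify_args(exe: str, package: str) -> List[str]:
    """Post-build check: verify the Authenticode signature and chain (/pa /v)."""
    return [exe, "verify", "/pa", "/v", package]


def redacted(argv: List[str]) -> List[str]:
    """Copy of argv with the /p password masked, safe to write to a build log."""
    out = list(argv)
    for i, tok in enumerate(out[:-1]):
        if tok.lower() == "/p":
            out[i + 1] = "********"
    return out


def run_signing(argv: List[str]) -> int:
    """Run the tool as an argument list (no shell), so paths with spaces need no quoting."""
    print("running:", " ".join(redacted(argv)))  # joined for display only
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    print(" ".join(signcode_args(SIGNCODE_SETTINGS, "Setup.exe")))
    print(" ".join(redacted(signtool_args(SIGNTOOL_SETTINGS, "Setup.exe"))))
    print(" ".join(signtool_verify_args(SIGNTOOL_SETTINGS["exe"], "Setup.exe")))
```

Passing the tools an argument list rather than a shell string avoids quoting problems with paths that contain spaces, and the redacted form is what should reach any build log; the real password still appears in the SignTool process's command line for as long as it runs, which is why the Password field above carries its warning.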