Preferences - SignCode

The Preferences - SignCode dialog box is one of the pages that appears when you choose the Edit > Preferences command on the main menu bar. It allows you to set the options that Tarma ExpertInstall uses when it runs the Microsoft SignCode tool to sign your installation packages.

See Digital Signatures for background information about SignCode and digital signatures.

Dialog fields and options

This dialog box contains the following fields and options.

SignCode path

Enter the fully qualified path to the SignCode.exe program, or click the ... (browse) button to open a standard Windows Open dialog to browse for the file. The default value for this field is SignCode.exe, which might be sufficient if SignCode is installed in a PATH folder (but it usually is not).

Digest algorithm

Choose the message digest algorithm that SignCode should use when signing the distribution package. The available options are:

SPC file path

Enter the path to your SPC (Software Publisher Certificate) file, or click the ... (browse) button to open a standard Windows Open dialog to browse for the file. This file contains the credentials (certificate information) that will be included with the signature. SignCode command line option: -spc filepath

PVK storage

Choose the private key storage method and enter the corresponding key path. The available options are:

Note: The private key storage contains your private signing key in encrypted form. SignCode will prompt you for your private key password when it needs to decrypt the private key during the signing process. For security reasons, Tarma ExpertInstall does not use, store, or even see either your private key password or the decrypted private key itself.

Timestamp

Check this box to include a timestamp in the signature; clear it to sign the distribution package without a timestamp. In general, it is recommended to include a timestamp in your signature. This allows customers to verify that your certificate was valid at the time of signing, even if it has since expired (Software Publishing Certificates and others have a built-in expiry date). However, timestamping requires an Internet connection at the time of signing in order to access the timestamping server.

The timestamping options below are only passed to SignCode if the Timestamp box is checked.

Server URL

Enter the fully qualified URL of the timestamping server. This should be a trusted server (usually associated with a Certification Authority) that offers a certified timestamping service. The default value is http://timestamp.verisign.com/scripts/timstamp.dll, the VeriSign Inc. timestamping server. SignCode command line option: -t serverURL

Attempts

Enter the maximum number of times (at least 1) SignCode should attempt to contact the timestamping server during the signing process. SignCode command line option: -tr number

Wait

Enter the number of seconds that SignCode should wait until the next timestamping attempt if the previous one failed. SignCode command line option: -tw seconds
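
The following is an added example, not part of the Tarma ExpertInstall documentation or product code. It shows how the fields on this page map to a SignCode argument list for a scripted build: the timestamp options are only added when timestamping is enabled, and the attempt count must be at least 1. The function name, its parameters, the sample paths and the extra_args parameter (for the digest and private key options, which this page does not spell out) are assumptions.

```python
from urllib.parse import urlparse

# Default timestamping server URL as stated on this page.
DEFAULT_TS_URL = "http://timestamp.verisign.com/scripts/timstamp.dll"


def build_signcode_args(signcode_path, spc_path, package_path, timestamp=True,
                        server_url=DEFAULT_TS_URL, attempts=1, wait_seconds=0,
                        extra_args=()):
    """Return the argument list for one SignCode run (hypothetical helper).

    No password parameter exists on purpose: SignCode itself prompts for the
    private key password, so it never appears on a command line or in a log.
    """
    if not spc_path:
        raise ValueError("SPC file path is required")
    args = [signcode_path, "-spc", spc_path]
    # Digest and private key options are not listed on this page, so the
    # caller supplies them here (assumption of this example).
    args += list(extra_args)
    if timestamp:
        parsed = urlparse(server_url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            raise ValueError("Server URL must be fully qualified")
        if int(attempts) < 1:
            raise ValueError("Attempts must be at least 1")
        if int(wait_seconds) < 0:
            raise ValueError("Wait must not be negative")
        args += ["-t", server_url,
                 "-tr", str(int(attempts)),
                 "-tw", str(int(wait_seconds))]
    # The package to sign goes last.
    args.append(package_path)
    return args


if __name__ == "__main__":
    # Constructed sample paths. Pass the list to subprocess.run() without
    # shell=True so that paths containing spaces are not re-parsed by a shell.
    print(build_signcode_args(r"C:\Tools\SignCode.exe", r"C:\certs\publisher.spc",
                              r"C:\build\setup.exe", attempts=3, wait_seconds=10))
```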