What is Code Signing and why do you need it?
Security is becoming increasingly important for software and media developers.
"Code Signing" enables end users of your software to verify that the software you provide comes from the rightful source
and that it has not been maliciously altered or accidentally corrupted.
Code signing technology is available for many years, but many software vendors refrained from using it
because of the complexity involved in the process.
However - since the release of "Windows XP Service Pack 2", "Vista", "Windows 7" and "Windows 8" - code signing can not be ignored any more.
Today, when you download an UN-SIGNED program with Internet Explorer and choose to open it
(or save it to a file and later open it from Windows Explorer), Windows displays a "Security Warning" dialog
stating that the publisher could not be verified:
(Screenshot of the "Security Warning" dialog for an unsigned program; not reproduced here)
BUT when you download a SIGNED program, the dialog instead names the publisher taken from the signing certificate:
(Screenshot of the dialog for a signed program; not reproduced here)
When you sign your file, a small signature block (1-5 KB) is appended to the end of the executable: a PKCS #7 SignedData
structure that carries a hash of the file, your signature over that hash, and your certificate chain. The Certificate Table
entry in the PE header points at this block.
When the file is opened, Windows recomputes the hash over the file (excluding the signature block itself), checks that it
matches the signed hash, verifies the signature with the public key in your certificate, and checks that the certificate
chains up to a root CA trusted by the machine.
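As an added illustration of the mechanism just described (example code written for this page, not part of QSetup or of the original article), the following Python script locates the Certificate Table in a PE file, walks its WIN_CERTIFICATE entries and computes the Authenticode digest, i.e. the hash that Windows compares against the one inside the signature. It builds a constructed minimal PE32 image and a placeholder signature blob inline (neither is a real program nor a real PKCS #7 signature), so it runs offline with the standard library only; the function names are the example's own. It shows why the digest is unchanged by appending the signature block, why a one-byte change to the code is detected, and why the CheckSum field can be rewritten without affecting it.

```python
import hashlib
import struct

WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
# Constructed placeholder standing in for the DER-encoded PKCS #7 SignedData
# a real signing tool embeds (certificate chain + signature over the hash).
FAKE_PKCS7 = b"<constructed PKCS7 placeholder>"


def _pe_offsets(data):
    """File offsets of OptionalHeader.CheckSum and of the security data directory entry."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                       # optional header follows 'PE\0\0' and COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)   # data directories: PE32 / PE32+
    if dirs is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", data, dirs - 4)[0] < 5:     # NumberOfRvaAndSizes
        raise ValueError("image has no security data directory")
    return opt + 64, dirs + 4 * 8                 # CheckSum, IMAGE_DIRECTORY_ENTRY_SECURITY

def certificate_table(data):
    """(offset, size) of the attribute certificate table, or None if the file is
    unsigned. For this directory entry the 'VirtualAddress' is a raw file offset."""
    _, sec_dir = _pe_offsets(data)
    off, size = struct.unpack_from("<II", data, sec_dir)
    if off == 0 or size == 0:
        return None
    if off + size > len(data):
        raise ValueError("certificate table runs past end of file")
    return off, size

def signatures(data):
    """Yield (revision, certificate_type, blob) for every WIN_CERTIFICATE entry."""
    table = certificate_table(data)
    if table is None:
        return
    off, end = table[0], table[0] + table[1]
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        yield revision, cert_type, data[off + 8:off + length]
        off += (length + 7) & ~7                  # entries are 8-byte aligned

def authenticode_hash(data, algorithm="sha256"):
    """Digest the file as Authenticode does: everything except the CheckSum field, the
    security directory entry and the certificate table. Assumes sections are in file order
    and the table is last (what signing tools produce); an unsigned file is hashed to its end."""
    checksum, sec_dir = _pe_offsets(data)
    table = certificate_table(data)
    stop = table[0] if table else len(data)
    h = hashlib.new(algorithm)
    h.update(data[:checksum])
    h.update(data[checksum + 4:sec_dir])
    h.update(data[sec_dir + 8:stop])
    return h.hexdigest()

def attach_certificate_table(data, pkcs7_blob):
    """Last step of signing: pad to 8 bytes, append a WIN_CERTIFICATE wrapping the
    blob and point the security directory at it (tools hash the padded file first)."""
    _, sec_dir = _pe_offsets(data)
    out = bytearray(data) + b"\0" * (-len(data) % 8)
    entry = struct.pack("<IHH", 8 + len(pkcs7_blob), WIN_CERT_REVISION_2_0,
                        WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7_blob
    entry += b"\0" * (-len(entry) % 8)
    table_off = len(out)
    out += entry
    struct.pack_into("<II", out, sec_dir, table_off, len(entry))
    return bytes(out)

def build_sample_pe(payload=b"\x90" * 504 + b"\xc3" * 8):
    """Constructed minimal PE32 image for the demo (not a runnable program): DOS header,
    'PE\\0\\0', COFF header, 224-byte optional header with 16 data directories, padded to
    SizeOfHeaders=512, followed by 512 bytes of payload."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 0x2000, 512)                # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                           # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    return headers.ljust(512, b"\0") + payload

def demo():
    """Attach the placeholder signature and report what the digest does and does not cover."""
    unsigned = build_sample_pe()
    signed = attach_certificate_table(unsigned, FAKE_PKCS7)
    tampered = bytearray(signed)
    tampered[600] ^= 0xFF                                        # flip one byte of the payload
    checksum_only = bytearray(signed)
    struct.pack_into("<I", checksum_only, _pe_offsets(signed)[0], 0xDEADBEEF)
    return {
        "unsigned_table": certificate_table(unsigned),
        "signed_table": certificate_table(signed),
        "entries": list(signatures(signed)),
        "hash_unchanged_by_signing": authenticode_hash(unsigned) == authenticode_hash(signed),
        "plain_sha256_changed": hashlib.sha256(unsigned).digest() != hashlib.sha256(signed).digest(),
        "tamper_detected": authenticode_hash(bytes(tampered)) != authenticode_hash(signed),
        "checksum_field_ignored": authenticode_hash(bytes(checksum_only)) == authenticode_hash(signed),
    }
```

To use it on a real signed executable, call `authenticode_hash(open(path, "rb").read())` and compare the value with the messageDigest carried inside the PKCS #7 blob returned by `signatures()`; decoding that ASN.1 structure and validating the certificate chain is what Windows does next and is outside what the standard library offers.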
This article discusses the following topics:
- Software Publishing Certificate
- Purchase Software Publishing Certificate
- Create PFX File
- QSetup Sign Code Dialog
Software Publishing Certificate
Where to get a Software Publishing Certificate?
To be able to sign your code you will need a certificate. Certificates are issued by organizations
called Certificate Authorities (CAs). There are many such organizations; the most prominent ones are verisign.com and thawte.com.
You can get a full list of CAs by going to:
Microsoft Root Certificate Program Members
However, acquiring a certificate is a tedious and time-consuming process
(the CA has to verify your identity, or your organization's, before it can issue a certificate),
and you should expect to pay a few hundred dollars for the certificate.
Purchase Software Publishing Certificate
How to purchase a Software Publishing Certificate?
You purchase a certificate from one of the CAs (Certificate Authorities) listed in the following link:
Microsoft Root Certificate Program Members.
Once you select a CA, log in to its website and navigate to the page where the CA offers a "Code Signing Certificate".
When you click the [Buy] button, the CA will lead you through a process that includes the following steps:
- Enter your personal and company details.
- Pay for the certificate.
- Run a special applet that will create a Private Key file (*.PVK) on your computer.
During the creation of the Private Key file you will be prompted for a password
(we will call this password PVK-Password).
You should remember this password so that you can use it later when you sign your application.
You must also copy the Private Key file to a safe place. Anyone who obtains the PVK file together with its password
can sign software in your name, so keep it off shared machines and never check it into source control.
When creating the Private Key file on your computer, the applet also creates the complementary
"Public Key" and sends it to the CA as part of the certificate request; the private key never leaves your computer.
Now the CA will start a process to verify and approve your organization and domain.
This process usually takes a few days. During this time the CA might approach you by phone or
other means and request identifying documents.
When the verification process is concluded the CA will send you a link to a
Software Publishing Certificate file (*.SPC).
Download this file and store it in a safe place.
At the end of this procedure you will have the following 3 items available:
- SPC File
- PVK File
- PVK Password
The procedure described above may vary in its details from one CA to another.
Create PFX File
Create Personal Information Exchange (PFX) file
The next step you must take is to create a PFX file, which packages the certificate (SPC) and the private key (PVK) in one file.
To create the PFX file download the program
MakePFX.exe from our website.
When you run this program the following dialog will be displayed:
(Screenshot of the MakePFX dialog; not reproduced here)
In this dialog do the following:
- Enter the full path of the SPC file.
- Enter the full path of the PVK file.
- Enter the PVK-Password (the exact password you used when you created the PVK file).
- Enter a PFX-Password (this password can be the same as the PVK-Password, or you may choose a new one).
- Click the [OK] button.
The program will prompt you for a name and location to save the PFX file you are about to create.
A PFX file can also be created using Microsoft's command-line tools;
detailed instructions on where to find those tools and how to use them can be found by searching the net.
At the end of this procedure you will have the following 2 items available:
- PFX File
- PFX Password
Because the PFX file contains your private key, protect it as carefully as the PVK file: choose a strong PFX-Password
and restrict who can read the file.
QSetup Sign Code Dialog
How to use the QSetup "Sign Code" dialog to sign your Self Extract setup file?
QSetup includes a special "Sign Code" dialog that will help you sign your Self Extract setup file.
To open the "Sign Code" dialog, click the [Sign Code] button at the bottom/right of the Composer screen.
The following dialog will be displayed:
(Screenshot of the "Sign Code" dialog; not reproduced here)
QSetup will automatically fill most of the fields in this dialog with data from the Composer pages.
You will only need to enter the full path of the PFX file you created in the previous step
and the PFX-Password you entered when you created the PFX file.
Click the [Sign] button to sign your Self Extract setup file. Sign the file as the final step of your build:
any change made to the file afterwards invalidates the signature.
Click the [Verify...] button to verify that your Self Extract setup file is properly signed.
Click the [Properties...] button to display the "Properties" dialog of your Self Extract setup file;
a signed file shows the signature on its "Digital Signatures" tab.
Use the following links to learn more about Code Signing and Authenticode
Last edited: 25-FEB-2013 Copyright © 2002-2013 Pantaray Research, All Rights Reserved.