April 26, 2011

Authenticate Your EXEs – Discounted Code Signing

Filed under: Announcements, General — Marcus Tettmar @ 10:14 am

What is Code Signing?

Since XP, when you download an executable file from the Internet the browser checks the file’s Authenticode signature. This verifies who the publisher is. You get a dialog asking if you wish to download software from this publisher. If there is no signature the warning is more severe and it says something like:

The publisher could not be verified. Are you sure you want to run this software? This file does not have a valid digital signature that verifies its publisher. You should only run software from publishers you trust.

In some cases you will also get a similar warning when running applications that haven’t been signed, especially if the executable resides on a network drive. Apps that have been signed are trusted more by the operating system. Vista and Windows 7 are more fussy and certain types of app must be signed.

Code signing protects against tampering and impersonation. If a signed app is tampered with or modified in some way the signature becomes invalid and so the user will be warned when they try to run it.

How does it work?

A publisher applies for a digital certificate from a Certification Authority like Comodo or Verisign. Using the Microsoft Authenticode tools the publisher can sign their applications with their digital certificate. The signing tool basically computes a hash of the code, signs that hash with the publisher's private key, and appends the resulting signature to the end of the executable. If the code is later modified the signature will therefore be invalid, because the hash it was computed over no longer matches the application's code.

Should I sign EXEs Compiled with Macro Scheduler?

If you distribute compiled macros to others, or let people download them from the web you should definitely be signing them. Users can then see who the publisher is and be sure that the file hasn’t been modified in any way, and will no longer see the unknown publisher warning presented by the web browser/operating system.

So how do I sign my EXEs?

First you need to obtain an Authenticode Certificate. We have negotiated a very helpful 10% discount for our customers off the price of Comodo Code Signing certificates supplied by K Software, an official Comodo Reseller. K Software prices are already extremely competitive and now, as a Macro Scheduler user, you get an extra 10% off.

The certificate used to sign our software, including Macro Scheduler, was supplied by K Software. So you know you are in good company! 🙂

To find out more and place an order visit K Software’s Code Signing page. To get your 10% off, log into the Macro Scheduler Registered Customer area to obtain your special discount code.

You also need the code signing tools. These come with the Microsoft Platform SDK and can be downloaded here:
Platform SDK Redistributable: CAPICOM

Once installed, launch SignTool.exe to sign your EXE. For command line options see: Sign Tool (SignTool.exe)
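As an added example (not from the original post and not part of Macro Scheduler), here is a PowerShell script that runs the signing step with SignTool.exe, verifies the result the way Windows will, and then shows that a modified copy of the signed file fails verification, which is the tamper protection described above. The EXE name, PFX path, description string and timestamp server URL are placeholders to replace with your own; the script assumes SignTool.exe is on the PATH and that your certificate has been exported from the CA as a password-protected PFX file.

```powershell
# Added example, not code from the original post. Signs an EXE with
# SignTool.exe, verifies it, then shows that a tampered copy is rejected.
# All paths, names and the timestamp URL below are placeholders.
param(
    [string]$Exe       = '.\MyMacro.exe',        # compiled macro to sign (placeholder)
    [string]$Pfx       = '.\codesign.pfx',       # certificate + private key (placeholder)
    [string]$Timestamp = 'http://timestamp.example.invalid/authenticode'  # placeholder URL
)

# Ask for the PFX password rather than hard-coding it in the script.
$pfxPassword = Read-Host -Prompt 'PFX password'

# /f  certificate file        /p  its password
# /t  timestamp server URL    (lets the signature stay valid after the certificate expires)
# /d  description shown in the Windows publisher dialog
# /v  verbose output
& signtool.exe sign /f $Pfx /p $pfxPassword /t $Timestamp /d 'My Macro' /v $Exe
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify the same way the OS does: hash check plus a chain to a trusted root.
& signtool.exe verify /pa /v $Exe
$sig = Get-AuthenticodeSignature -FilePath $Exe
"{0}: {1} (signer: {2})" -f $Exe, $sig.Status, $sig.SignerCertificate.Subject
# A correctly signed file reports Status 'Valid'.

# Demonstrate tamper detection: flip one byte in a copy and verify again.
# Offset 0x40 lies in the DOS stub, which is covered by the Authenticode hash,
# so the change invalidates the signature without touching the signature block.
$tampered = "$Exe.tampered.exe"
Copy-Item -Path $Exe -Destination $tampered -Force
$bytes = [IO.File]::ReadAllBytes($tampered)
$bytes[0x40] = $bytes[0x40] -bxor 0xFF
[IO.File]::WriteAllBytes($tampered, $bytes)

$sig2 = Get-AuthenticodeSignature -FilePath $tampered
"{0}: {1}" -f $tampered, $sig2.Status
# The modified copy reports Status 'HashMismatch': this is the condition that
# makes Windows warn the user, as described in the post.
Remove-Item -Path $tampered -Force
```

Run it from a PowerShell prompt in the folder containing the EXE, e.g. `.\sign-and-verify.ps1 -Exe .\MyMacro.exe -Pfx .\codesign.pfx`. The timestamp option is not mentioned in the post but is worth using: without it the signature is treated as invalid once the certificate expires, even though the file was signed while the certificate was still good.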

For more step by step help Jeff Wilcox has written an excellent article about code signing and authenticode. It covers everything from the order process through the tools you’ll need to do the signing. Read the article about code signing here.