Security - Code Signing (Digital Signatures)
When you digitally sign an application (this is called code signing), you assure end users that the code within the application they receive has not been tampered with or altered. Digital signing is based on Microsoft Authenticode® technology. This enables end users and the operating system to verify that the program code comes from the rightful owner. With ExeOutput for PHP, it is easy to sign your compiled application .exe files because ExeOutput for PHP calls the necessary programs itself.
If you digitally sign your software, end users are generally presented with a digital certificate when your application is downloaded from the web to their system:
For signed applications, the publisher's name is displayed. Your end users know that the .exe file is authentic and has not been tampered with or altered.
For unsigned applications, Windows shows the following warning message:
If you would like to digitally sign your application, enable "Digitally sign my application" in ExeOutput for PHP (Security -> Code signing). Then, follow the steps below.
Info
You can read this article, which explains almost everything you need to know about code signing with Authenticode: Introduction to Code Signing
Warning
Current limitations in Windows do not allow signing EXE files larger than 2 GB. If code signing is a requirement for you, and your EXE file is larger than 2 GB, consider keeping files external.
How to Obtain a Code Signing Certificate
To sign your application, you need a valid code signing certificate from a trusted certificate authority (CA) such as Sectigo or DigiCert. Certification authorities offer different types of certificates, but only code signing certificates are compatible with Authenticode.
You can digitally sign your .EXE only if you have received your certificate and token from a Certificate Authority.
Steps for Code Signing
ExeOutput for PHP simplifies the code signing process with an integrated utility, GSignCode.exe. No third-party software installation is required. Follow these steps to sign your application:
- Specify the location of your code signing certificate, either by providing the path to the Personal Information Exchange (PFX) file or selecting the certificate from the Windows Certificate Store (Local Computer, Personal section). You must provide either the path to the PFX file, the certificate’s subject name, or the certificate’s thumbprint.
- If using a PFX file, enter the associated password for added security.
- Alternatively, specify the certificate's subject name or thumbprint for direct access from the Windows Certificate Store.
Application Information URL
This URL is used in your digital certificate to link to a location you would like end users to visit in order to learn more about your product or company. If you do not specify a URL, then ExeOutput for PHP will use the default one from the Icon / Version page.
Code Signing with a Token in ExeOutput for PHP
Following the changes implemented by the Certificate Authority/Browser (CA/B) Forum, effective June 1, 2023, there has been a significant shift in the code signing process. The forum now mandates that code signing certificate keys be stored on a hardware security module (HSM) or a token that meets or exceeds the Federal Information Processing Standards (FIPS) 140-2 Level 2 or Common Criteria EAL 4+. This change is primarily aimed at combating the increasing issue of stolen code signing keys being used maliciously to sign and distribute malware.
With this new requirement, the traditional PFX (Personal Information Exchange) format, which could be stored and accessed digitally, is becoming obsolete. Instead, it's recommended to work with the subject name or the thumbprint of the certificate after installing the certificate (.CER file) in the personal Windows certificate store.
ExeOutput for PHP supports code signing with a token. Just make sure that the token containing the private key is physically inserted into the computer so that the key can be accessed.
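To find the subject name or thumbprint to enter, you can list the code signing certificates in the Local Computer "Personal" store. The following PowerShell is an added example, not part of ExeOutput for PHP; it assumes the certificate is already installed in that store and uses only the built-in certificate provider.

```powershell
# Added example: list code signing certificates in Local Computer > Personal.
# Cert:\LocalMachine\My is the provider path for that store.
$store = 'Cert:\LocalMachine\My'

Get-ChildItem -Path $store -CodeSigningCert |
    Sort-Object NotAfter |
    ForEach-Object {
        [pscustomobject]@{
            Subject       = $_.Subject                          # subject name
            Thumbprint    = $_.Thumbprint                       # certificate thumbprint
            NotAfter      = $_.NotAfter
            Expired       = ($_.NotAfter -lt (Get-Date))
            # True when Windows has a private key associated with this entry
            HasPrivateKey = $_.HasPrivateKey
            KeyAlgorithm  = $_.PublicKey.Oid.FriendlyName       # e.g. RSA or ECC
            CertSignature = $_.SignatureAlgorithm.FriendlyName  # how the CA signed the certificate
        }
    } |
    Format-List
```

If the list is empty, no certificate with the code signing usage is installed in that store.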
Tip
For users of the Safenet client, if your certification authority employs it, you will be prompted to enter your password with each instance of code signing. To streamline the process, the "Enable single logon" option can be activated. This setting allows the password to be entered just once per session, rather than with each signature, thereby reducing redundancy.
Digest Algorithms
While SHA-1 is being deprecated due to security vulnerabilities, newer algorithms like SHA-256, SHA-384, and SHA-512 are recommended. These provide stronger security and are supported across modern Windows systems. It’s important to note that SHA-128 is deprecated and should no longer be used. Please choose the algorithm according to your CA vendor specifications.
Signatures with SHA-256 and SHA-1 Digests
It is now mandatory to use signatures with an SHA-256 instead of an SHA-1 message digest. However, old Windows versions such as Vista or XP do not recognize SHA-256 signatures. In that situation, it is possible to add two signatures to the .EXE file: this is called “dual code signing”.
Warning
By default, ExeOutput for PHP will work with "dual code signing" if it is run on Windows 8 or later. On Windows 7, an SHA-256 signature is used by default and on previous Windows versions, an SHA-1 signature. It is therefore recommended to use ExeOutput for PHP on Windows 8 or higher to benefit from all code signing features!
Elliptic Curve Cryptography (ECC) Support
In addition to RSA, ExeOutput for PHP now supports certificates using Elliptic Curve Cryptography (ECC). ECC certificates offer stronger security with shorter key lengths, making them more efficient. For instance, a 256-bit ECC key provides comparable security to a 3072-bit RSA key, enhancing both performance and security.
Application Information URL
This URL is used in your digital certificate to link to a location you would like end users to visit in order to learn more about your product or company. It is optional.
Digital Signature Timestamp
A timestamp is added to your application, ensuring that the embedded digital signature never expires. Ensure that your system has an Internet connection during the signing process for time-stamping purposes.
Two timestamp servers are used: an Authenticode-compatible server and an RFC-3161-compatible server. You can configure their URLs in the Environment Options.
If an error occurs while performing code signing, you can look into the compilation log.
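After compilation, you can confirm that the output file carries a valid, timestamped signature. The following PowerShell is an added example, not part of ExeOutput for PHP; the function name Test-SignedExe and the file path are placeholders chosen for illustration.

```powershell
# Added example: check the signature and timestamp on a compiled .exe.
function Test-SignedExe {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    [pscustomobject]@{
        File          = $file.Name
        SizeBytes     = $file.Length
        Over2GB       = ($file.Length -gt 2GB)        # files this large cannot be signed
        Status        = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
        StatusMessage = $sig.StatusMessage
        Signer        = $sig.SignerCertificate.Subject
        Thumbprint    = $sig.SignerCertificate.Thumbprint
        SignerExpires = $sig.SignerCertificate.NotAfter
        IsTimestamped = ($null -ne $sig.TimeStamperCertificate)
        TimestampedBy = $sig.TimeStamperCertificate.Subject
    }
}

$result = Test-SignedExe -Path 'C:\Output\MyApp.exe'   # placeholder path
$result | Format-List

if ($result.Status -ne 'Valid') {
    Write-Warning "Signature is not valid: $($result.StatusMessage)"
}
if (-not $result.IsTimestamped) {
    Write-Warning 'No timestamp found: the signature stops validating once the certificate expires.'
}
```

Get-AuthenticodeSignature returns a single signature object per file, so on a dual-signed file it does not list both signatures.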