Project Settings

The settings below allow you to sign or dual-sign the application during the build process using SHA-256 and/or SHA-384 / SHA-512. When both Sign with SHA-256 and Append a second signature are selected, AutoPlay Media Studio will run the specified signing tool twice, first signing with SHA-256 and then a second time to append a SHA-384 or SHA-512 signature. To support the widest variety of operating systems, we recommend dual-signing your applications.

As of January 1, 2016, Windows 7 and higher no longer trust new code that is signed with a SHA-1 certificate. Since June 2023, timestamping of SHA-1 signatures has been disabled by all certification authorities and can no longer be used. From this date on, all files should be signed with a SHA-256 certificate. See Windows Enforcement of Authenticode Code Signing and Timestamping, and Authenticode Code Signing for more information.

Note: The minimum requirements for signing with SHA-256 using SignTool are Windows 7 SP1 and SignTool version 6.1.7600.16385 or higher, which comes with the Windows 7.1 SDK. As a result, AutoPlay Media Studio's design environment must be run on Windows 7 SP1 or higher to perform SHA-256 signing using SignTool.

Dual-signing using SignTool is only supported in version 6.3 or higher of SignTool.exe which comes with the Windows 8.1 SDK. We recommend using the version found in either the Windows Software Development Kit (SDK) for Windows 8.1, or the Windows Software Development Kit (SDK) for Windows 10 in AutoPlay Media Studio for full functionality.

See Authenticode Code Signing for more information on code signing.

Tip: See the Code Signing Defaults section of the build preferences (Edit > Preferences, Code Signing) to configure default values when creating new projects.

Tip: If you're using a different code signing tool that contains different options, or you require further control, you may leave the settings fields blank (except for the tool), and instead specify the options in the Additional arguments field. If "SignTool.exe" is detected as the tool, AutoPlay Media Studio will automatically pass the "sign" command. If you're not using SignTool and require a different command, add it as the first value in the Additional arguments field.

Tip: If you're having trouble with the signing step and you're receiving an error, you can find the signing commands that are being used in the build log, along with any error information provided by the signing tool.

Code sign applications

If checked, the application will be code signed during the build process using the settings below. See Authenticode Code Signing for more information.

Settings

SignTool location:

The full path and filename of the code signing tool SignTool.exe on your system. You can click the Browse button to select the file. This tool cannot be distributed, but is available in the \Windows Kits\XX\bin\x86 folder of the Windows Software Development Kit (SDK). For more information, see MSDN: SignTool (Windows), Windows Software Development Kit (SDK) for Windows 8.1, Windows Software Development Kit (SDK) for Windows 10.

Show signing window

If you use a certificate on a hardware token, and do not see the prompt for the PIN/password during the build process, then you may need to select this checkbox. A typical error message when you need this option is this:

Error information: "Error: SignerSign() failed." (-2147023673/0x800704c7)

SHA-256 timestamp URL:

The URL of a SHA-256 timestamp server such as: http://timestamp.comodoca.com/?td=sha256. Refer to your certificate provider's documentation for the server URL to use.

If this value is provided, /fd sha256 /tr <timestamp_url> /td sha256 will be added to the signing command.

Use certificate stored in a *.pfx file

Select this option if your certificate is stored in a "Personal Information Exchange" file (*.PFX, *.P12).

SHA-256 certificate:

The full path and filename of the SHA-256 certificate to use when signing the application file. This file must be a "Personal Information Exchange" file (*.PFX, *.P12). You can click the Browse button to select the file.

If the SHA-256 certificate is provided, /f <certificate_path> /fd sha256 will be added to the signing command.
If the SHA-256 certificate is provided and Sign with SHA-1 is also enabled (dual-signing), /as will also be added to the signing command.

Certificate password:

The password to use for opening your SHA-256 certificate file (*.PFX, *.P12) if it's password protected. You can leave this value blank if your certificate is not password protected.

If this value is provided, /p <password_value> will be added to the signing command.

Use certificate in personal store

Select this option if your certificate can be accessed via the Certificate Manager in Windows.

Certificate Subject Name:

This field allows you to enter the name shown in "Issued To" (partial strings are also allowed, if they are unique) to identify the certificate to be used during the code signing process.

If this value is provided, /n <subject_name> will be added to the signing command.

Certificate Thumbprint:

This field allows you to enter the SHA1 hash of the signing certificate. This may be used if you have more than one certificate with the same subject name.

If this value is provided, /sha1 <hash> will be added to the signing command.

Append a second signature

In the future, it might become a requirement to double-sign your file with a second signature, such as SHA-384 or SHA-512. In this case, enable this option, and select the desired algorithm below.

Sign with SHA-384

Select this option if you want to double-sign with SHA-256 and SHA-384.

Sign with SHA-512

Select this option if you want to double-sign with SHA-256 and SHA-512.

Second timestamp URL:

The URL of the timestamp server matching the chosen algorithm. Refer to your certificate provider's documentation for the server URL to use.

If this value is provided, the parameters /fd sha384 /tr <timestamp_url> /td sha384 or /fd sha512 /tr <timestamp_url> /td sha512 will be added to the signing command.

Additional arguments:

This field allows you to enter any additional options you would like to pass to the code signing tool beyond AutoPlay Media Studio's automatic parameters. If you leave any of the SHA-256 related fields blank (except for tool location), you can manually pass their values using this field. The values entered here are inserted at the beginning of the parameter list. When "SignTool.exe" is the chosen tool, AutoPlay Media Studio automatically passes the "sign" command as the first argument.

Description:

The description of the signed content.

If this value is provided, /d <description_value> will be added to both signing executions (SHA-256 and SHA-384/SHA-512 signing steps).

Description URL:

A URL that provides further information about the signed content.

If this value is provided, /du <description_url> will be added to both signing executions (SHA-256 and SHA-384/SHA-512 signing steps).
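
The two signing runs described on this page, written out as a PowerShell function that selects a certificate from the personal store by thumbprint, which avoids passing a PFX password with /p on the command line. This is an added example, not AutoPlay Media Studio's own code: the function name Invoke-DualSign and its parameters are hypothetical, and the final verify step is an addition that checks both signatures after signing.

```powershell
# Added example. Every value is supplied by the caller; the angle-bracket
# placeholders in the usage line at the bottom are not real values.
function Invoke-DualSign {
    param(
        [Parameter(Mandatory)] [string] $SignTool,            # full path to SignTool.exe (6.3 or higher)
        [Parameter(Mandatory)] [string] $File,                # built application to sign
        [Parameter(Mandatory)] [string] $Thumbprint,          # SHA1 hash of the certificate in the personal store
        [Parameter(Mandatory)] [string] $TimestampUrl,        # SHA-256 timestamp server
        [Parameter(Mandatory)] [string] $SecondTimestampUrl,  # timestamp server for the second signature
        [ValidateSet('sha384', 'sha512')] [string] $SecondDigest = 'sha384',
        [string] $Description
    )

    # /d is passed to both signing runs when a description is set.
    $common = @()
    if ($Description) { $common += '/d', $Description }

    # Run 1: primary SHA-256 signature with an RFC 3161 timestamp (/tr, /td).
    & $SignTool sign /sha1 $Thumbprint /fd sha256 /tr $TimestampUrl /td sha256 @common $File
    if ($LASTEXITCODE -ne 0) { throw "SHA-256 signing failed (exit code $LASTEXITCODE)" }

    # Run 2: /as appends the second signature instead of replacing the first.
    & $SignTool sign /as /sha1 $Thumbprint /fd $SecondDigest /tr $SecondTimestampUrl /td $SecondDigest @common $File
    if ($LASTEXITCODE -ne 0) { throw "$SecondDigest signing failed (exit code $LASTEXITCODE)" }

    # Check every signature in the file against the default Authenticode policy.
    & $SignTool verify /pa /all /v $File
    if ($LASTEXITCODE -ne 0) { throw "Signature verification failed (exit code $LASTEXITCODE)" }
}

# Usage (placeholders, not real values):
# Invoke-DualSign -SignTool '<path>\signtool.exe' -File '<application>.exe' `
#     -Thumbprint '<certificate-thumbprint>' -TimestampUrl '<sha256-timestamp-url>' `
#     -SecondTimestampUrl '<second-timestamp-url>' -SecondDigest sha384
```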