When you digitally sign a standalone workbook EXE file (this is called code signing), you assure end users that the code within the EXE file they receive has not been tampered with or altered. Digital signing is based on Microsoft Authenticode® technology, which enables end users and the operating system to verify that program code comes from the rightful owner.

Thanks to XLS Padlock, it is easy to sign your .exe files since XLS Padlock handles everything itself.

 

If you plan to distribute your standalone EXE files on the Internet, code signing is strongly recommended. With a signed file, web browsers and Windows will not show “Unidentified Publisher” warnings (see screenshot below), and this will also help to avoid false positives from antivirus programs.

 

 

Steps to apply a digital signature to the EXE file

You have to obtain a valid code signing certificate from a certificate authority (CA), a third party trusted by the industry, akin to a notary who handles electronic IDs. Sectigo and DigiCert are two examples of CAs.

 

Certification authorities sell several types of certificates. Authenticode works only with code signing certificates, so make sure you buy the right type.

 

You can digitally sign your .EXE only if you have received your certificate and token from a Certificate Authority.

 

In order to sign the standalone .EXE file, XLS Padlock requires the location of your code signing certificate. It can be stored in an external file (.PFX) (obsolete) or in the Windows Certificate Store (Local Computer, Personal section). You must select the certificate’s location, and provide either the path to the PFX file, the certificate’s subject name, or the certificate’s thumbprint.

The Information URL is embedded in your digital signature. It links to a location you would like end users to visit in order to learn more about your workbook or company.

Click Sign EXE File now to code sign the protected workbook. Alternatively, if you want to automate this, you can enable “Automatically sign my EXE file” and XLS Padlock will do it for you when compiling the application.
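The following PowerShell script is an added example, not part of XLS Padlock or its documentation. It lists the code signing certificates in the Local Computer, Personal store so you can copy the thumbprint to give to XLS Padlock, then checks the signed EXE afterwards. The EXE path and thumbprint are placeholders to replace with your own values.

```powershell
# Added example. Both values below are placeholders, not real data.
$ExePath    = 'C:\Build\MyWorkbook.exe'        # hypothetical path to the compiled EXE
$Thumbprint = '<YOUR-CERTIFICATE-THUMBPRINT>'  # copy it from the listing in step 1

# 1. List the certificates in Local Computer > Personal that carry the
#    Code Signing enhanced key usage (other certificate types are skipped).
Get-ChildItem -Path Cert:\LocalMachine\My -CodeSigningCert |
    Select-Object Subject, Thumbprint, NotAfter |
    Format-List

# 2. Make sure the thumbprint you intend to use exists and is not expired.
#    Thumbprints copied from the certificate dialog often contain spaces.
$wanted = $Thumbprint -replace '\s', ''
$cert = Get-ChildItem -Path Cert:\LocalMachine\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $wanted }
if (-not $cert) {
    throw "No code signing certificate with thumbprint $wanted in LocalMachine\My."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate '$($cert.Subject)' expired on $($cert.NotAfter)."
}

# 3. Run this part after XLS Padlock has signed the EXE.
#    Status is 'Valid' only if the file is unmodified since signing and the
#    certificate chains to a root trusted by this machine.
$sig = Get-AuthenticodeSignature -FilePath $ExePath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}

# 4. Confirm the EXE was signed with the certificate you selected,
#    not with another certificate present in the store.
if ($sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Signed by unexpected certificate: $($sig.SignerCertificate.Subject)"
}

"Signed by: $($sig.SignerCertificate.Subject)"
"Valid to : $($sig.SignerCertificate.NotAfter)"
```

Get-AuthenticodeSignature reports a single signature. When dual code signing is used, the Digital Signatures tab of the file's Properties dialog lists both signatures with their digest algorithms.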

Code signing with a token in XLS Padlock

Following the changes implemented by the Certificate Authority/Browser (CA/B) Forum, effective June 1, 2023, there has been a significant shift in the code signing process. The forum now mandates that code signing certificate keys be stored on a hardware security module (HSM) or a token that meets or exceeds the Federal Information Processing Standards (FIPS) 140-2 Level 2 or Common Criteria EAL 4+. This change is primarily aimed at combating the increasing issue of stolen code signing keys being used maliciously to sign and distribute malware.

With this new requirement, the traditional PFX (Personal Information Exchange) format, which could be stored and accessed digitally, is becoming obsolete. Instead, it's recommended to work with the subject name or the thumbprint of the certificate after installing the certificate (.CER file) in the personal Windows certificate store.

XLS Padlock fully supports code signing with a token. Just make sure that the token containing the private key is physically inserted into the computer so that it can be accessed.

 

ℹ️ For users of the SafeNet client, if your certification authority employs it, you will be prompted to enter your password with each instance of code signing. This can be cumbersome, and to streamline the process, the Enable single logon option can be activated. This setting allows the password to be entered just once per session, rather than with each signature, thereby reducing redundancy.

 

Signatures with SHA-256 and SHA-1 digests

It is now mandatory to use signatures with an SHA-256 instead of an SHA-1 message digest. However, old Windows versions such as Vista or XP do not recognize SHA-256 signatures. In that situation, it is possible to add two signatures to the .EXE file: this is called “dual code signing”.

By default, XLS Padlock will work with “dual code signing” if it is run on Windows 8 or later. On Windows 7, an SHA-256 signature is used by default and on previous Windows versions, an SHA-1 signature.

 

If an error occurs while performing code signing, you can look into the compilation log (a file named <your workbook filename>.xplcompil.log).