
Leaderboard


Popular Content

Showing content with the highest reputation on 01/09/25 in Posts

  1. I decided to purchase a 3yr OV certificate from SSL.com and load it onto a Yubikey token to be 100% sure they work with Signotaur (have tested with self signed certs before). I had 2 tokens already and bought another one locally - SSL.com are overcharging a lot for them (USD$297 vs USD$106 locally). You need the FIPS versions (e.g. 5C FIPS) for code signing. Note that by default on the order page, they add their cloud service to the price - make sure to de-select that!

     You do have to go through the process of generating a Certificate Signing Request and then exporting the attestation certificate and intermediate from the token to upload to their portal. This is quite well documented and pretty easy to follow. Their web portal is pretty horrible (tiny text and links - even with my glasses on).

     I had some issues initially - the first time they generated an RSA cert instead of an ECDSA (Yubikey only supports 2048bit RSA, code signing needs at least 3072bit) - contacted support and then went through the attestation process again, eventually got an ECDSA cert - but that did not work either - signtool sign said success but verify said failed. Important - I discovered that if you change the Yubikey pin/puk/management pin after doing the attestation and before importing the cert, that will cause it to fail (doh!) - so had to go through the process again. It only takes a few minutes on your end, then an email to support for them to generate the cert again - and then you download and import the certificate onto the token. Remember to unplug and plug the token in again after importing (this triggers the import of the public key into the Windows certificate store). Third time lucky, everything works fine.

     Note that to use Yubikeys with signtool - you need to have the MiniDriver installed (you will get the smartcard pin prompt when calling signtool) - you don't need the mini driver with Signotaur - you just need the PIV Tool (which has the pkcs#11 driver).

     I then enquired about backup tokens, and was told to delete the attestation on their portal and redo it for the backup token. So over the course of a few days and some back and forth (timezones make everything slow down under) - I now have 3 Yubikey tokens with my certificate installed. This gives me a lot of comfort as I have a backup in case of hardware failure or theft - I have a Nano token which I can deploy in the data center where our servers live - much less likely to be stolen than the Safenet token (which has a bright blue LED that screams "take me"). Also thanks to @DelphiUdIT we have now confirmed that Signotaur also works fine with Certum tokens.
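     The enrolment steps the post above walks through (key generated on the token, CSR, attestation certificate plus the slot f9 intermediate exported for the CA portal, issued certificate imported afterwards, token re-plugged so the Windows store sees it), as an added PowerShell example. It is not part of the original post and not SSL.com's or Yubico's documented procedure. It assumes ykman is on PATH, uses the PIV Digital Signature slot 9c, and picks ECCP384 because the post reports the token's 2048-bit RSA being rejected; the subject, the file names and the function names are the example's own placeholders.

```powershell
# Added example (not from the thread): enrol a code-signing key on a YubiKey PIV slot with ykman,
# produce the CSR plus the attestation material a CA portal asks for, then import the issued
# certificate. Assumptions: ykman on PATH; slot 9c (Digital Signature); ECCP384 chosen because the
# post's 2048-bit RSA key was rejected; subject and file names are placeholders.
$ErrorActionPreference = 'Stop'
$Slot      = '9c'
$Algorithm = 'ECCP384'
$Subject   = 'CN=Example Pty Ltd,O=Example Pty Ltd,C=AU'   # placeholder: must match the identity the CA validated
$Work      = Join-Path $PWD 'yk-enrol'
New-Item -ItemType Directory -Force -Path $Work | Out-Null

function Invoke-Ykman {
    param([string[]]$Arguments)
    & ykman @Arguments
    if ($LASTEXITCODE -ne 0) { throw "ykman $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

function New-TokenSigningRequest {
    # 1. Generate the key pair on the token; only the public key is written to disk.
    Invoke-Ykman @('piv', 'keys', 'generate', '--algorithm', $Algorithm,
                   '--pin-policy', 'ONCE', '--touch-policy', 'NEVER', $Slot, "$Work\public.pem")
    # 2. CSR signed by that on-token key (ykman prompts for the PIN).
    Invoke-Ykman @('piv', 'certificates', 'request', '--subject', $Subject,
                   $Slot, "$Work\public.pem", "$Work\request.csr")
    # 3. Attestation statement for the slot, plus the per-device intermediate in slot f9 that chains
    #    it to Yubico's root. The CA uses these to confirm the key was generated in hardware.
    Invoke-Ykman @('piv', 'keys', 'attest', $Slot, "$Work\attestation.pem")
    Invoke-Ykman @('piv', 'certificates', 'export', 'f9', "$Work\attestation-intermediate.pem")
    Write-Host "Upload request.csr, attestation.pem and attestation-intermediate.pem from $Work to the CA portal."
    Write-Host 'Do NOT change the PIN, PUK or management key until the issued certificate has been imported.'
}

function Import-IssuedCertificate {
    param([Parameter(Mandatory)][string]$CertPath)
    # 4. Put the CA-issued certificate into the same slot that holds the key.
    Invoke-Ykman @('piv', 'certificates', 'import', $Slot, $CertPath)
    Write-Host 'Unplug and re-insert the token so the minidriver publishes the certificate to the Windows store.'
}

function Test-TokenCertificateInStore {
    # 5. What signtool needs: the certificate in the user store with a private-key handle supplied
    #    by the smart-card minidriver. Returns $true when at least one such entry is present.
    param([Parameter(Mandatory)][string]$SubjectFragment)
    $match = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like "*$SubjectFragment*" -and $_.HasPrivateKey }
    if (-not $match) {
        Write-Warning 'Certificate not visible yet; re-plug the token or check that the minidriver is installed.'
        return $false
    }
    $match | ForEach-Object { Write-Host "Found $($_.Subject) thumbprint $($_.Thumbprint) valid until $($_.NotAfter)" }
    return $true
}

# Typical order: New-TokenSigningRequest, wait for the CA to issue, then
# Import-IssuedCertificate -CertPath "$Work\issued.cer" and Test-TokenCertificateInStore 'Example Pty Ltd'
```

     The attestation step is the part the CA actually relies on for the hardware requirement: it is a signature by a per-device key over the slot's public key, so it only proves anything about a key that was generated on that token, which is why a key imported from a .pfx cannot be attested.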
  2. Vincent Parrett

    New Code Signing Certificate Recommendations

    Thanks to @DelphiUdIT I can now confirm that Signotaur works with Certum code signing tokens 😀
  3. dummzeuch

    AI in the IDE??

    Today I have - for the first time - used ChatGPT and then Claude in earnest. Everything before that was just testing. Actually I didn't expect this time to be of much help either, but it turned out that it was helpful up to a point. I have now got some code to give the guy who applies for a Delphi position today, to refactor, debug and explain. And then explain what's wrong with the "fixed" version of the code generated by ChatGPT. That's going to be interesting.
  4. Sherlock

    New Code Signing Certificate Recommendations

    That would have been nice to know...but alas, just finished the verification process. Note to self: always read a thread to the end, before responding.
  5. GabrielMoraru

    New Code Signing Certificate Recommendations

    Yes I knew about the hardware token but I honestly thought that they apply only to the EV (my first certificate was an EV). Maybe because of the wording? Even the article that rvk pointed to uses some strange wording "for standard code signing certificates" instead of "OV". Basically, those 300 words of that article can be summarized as: "the rules for storing EV now also apply to OV". Dang it!
    _____________
    PS: for completeness of information, the missing parameter from the command line to sign an exe file WITH a time server is: /tr http://timestamp.digicert.com /td SHA256 😞
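    Signing with the /tr and /td timestamp switches from the PS above, followed by the verification step the first post in this list found necessary (signtool sign reporting success while signtool verify failed), as an added PowerShell example that is not part of the thread. It assumes signtool.exe from the Windows SDK is on PATH, that the token certificate is already visible in Cert:\CurrentUser\My through the minidriver, and that the caller supplies the file path and the certificate thumbprint; the function names are the example's own.

```powershell
# Added example (not from the thread): sign a binary with the token-backed certificate, attach an
# RFC 3161 timestamp, then verify, because a successful "signtool sign" is not proof of a valid signature.
# Assumptions: signtool.exe on PATH; certificate visible in Cert:\CurrentUser\My via the minidriver.
param(
    [Parameter(Mandatory)][string]$Path,          # file to sign, e.g. .\Release\MyApp.exe
    [Parameter(Mandatory)][string]$Thumbprint,    # SHA-1 thumbprint of the token certificate in the store
    [string]$TimestampUrl = 'http://timestamp.digicert.com'
)
$ErrorActionPreference = 'Stop'
if (-not (Get-Command signtool.exe -ErrorAction SilentlyContinue)) {
    throw 'signtool.exe not found; add the Windows SDK bin folder to PATH'
}

function Invoke-TokenSign {
    param([string]$File, [string]$Thumb, [string]$TsaUrl)
    # /sha1 selects the certificate by thumbprint, so no .pfx ever exists on disk and the minidriver
    # prompts for the token PIN. /fd is the file digest; /tr and /td are the RFC 3161 timestamp server
    # and its digest, which keep the signature valid after the three-year certificate expires.
    & signtool.exe sign /v /fd SHA256 /sha1 $Thumb /tr $TsaUrl /td SHA256 $File
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE for $File" }
}

function Test-TokenSignature {
    param([string]$File, [string]$Thumb)
    # /pa applies the default Authenticode policy used for applications. Without it signtool applies
    # the Windows driver verification policy, which fails for an ordinary executable.
    & signtool.exe verify /pa /v $File
    if ($LASTEXITCODE -ne 0) { Write-Warning "signtool verify failed for $File"; return $false }

    # Second opinion from the .NET Authenticode API: status, signer and timestamp countersignature.
    $sig = Get-AuthenticodeSignature -FilePath $File
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status $($sig.Status): $($sig.StatusMessage)"; return $false
    }
    if ($sig.SignerCertificate.Thumbprint -ne $Thumb) {
        Write-Warning "Signed by $($sig.SignerCertificate.Thumbprint), not the expected token certificate"; return $false
    }
    if (-not $sig.TimeStamperCertificate) {
        Write-Warning 'No timestamp countersignature: this signature will expire with the certificate'; return $false
    }
    return $true
}

Invoke-TokenSign -File $Path -Thumb $Thumbprint -TsaUrl $TimestampUrl
if (-not (Test-TokenSignature -File $Path -Thumb $Thumbprint)) {
    throw "Signature on $Path did not verify; do not ship this build"
}
Write-Host "Signed and verified: $Path"
```

    Running the verify step on the build server rather than trusting the sign step is the point: signtool's exit code only says the token produced a signature, not that the certificate chain, the key usage and the timestamp check out.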
  6. dummzeuch

    AI in the IDE??

    Yes, but then I couldn't have claimed I use AI for that. 😉
  7. I renewed my Sectigo code signing certificate last Saturday, submitted documents on Monday, which the web site said were rejected, yet the order was approved and shipped Tuesday morning via UPS, and arrived Thursday, quite impressed. Although the Sectigo London office is a few miles away, the token was shipped from Sectigo's Lille office in France to London, with an invoice valuing the 'electronic document' at $10 so no customs duty to pay. Perhaps Sectigo has an arrangement with Thales (a large French company) who sell the Safenet tokens to provision them as well. Plugged the token into my PC, and the new certificate appears in the Windows Store, as reported by the ICS Delphi PemTool. All much less painful than I was expecting, except the massive cost increase over electronic certificates, and no invoice yet from K Software. Angus
  8. DelphiUdIT

    Compile&Run cmd for Android

    In the "Project/Deployment" window you can set the files that you don't want to overwrite (deploy) ("overwrite" column options). By default all newer local files will be deployed and overwrite the remote ones. Bye
  9. Dave Nottage

    Compile&Run cmd for Android

    By default? No, it does not. Check that your project does not have the -cleaninstall parameter as per the documentation.
  10. Temporary Solution: By using Delphi's TValue type from the System.Rtti unit, I was able to implement a robust custom Writeln procedure using overload. Here's how it works:

     Main Procedure to Process Arguments

     This procedure processes the arguments, determining their types and formatting them as needed:

        procedure DoCustomWriteln(const Args: array of TValue);
        var
          LArg: TValue;
          LOutput: string;
          I: Integer;
        begin
          LOutput := '';
          for I := Low(Args) to High(Args) do
          begin
            LArg := Args[I];
            case LArg.Kind of
              tkInteger:
                LOutput := LOutput + IntToStr(LArg.AsInteger);
              tkFloat:
                LOutput := LOutput + FloatToStr(LArg.AsExtended);
              tkString, tkLString, tkUString, tkWString:
                LOutput := LOutput + LArg.AsString;
              tkChar, tkWChar:
                LOutput := LOutput + LArg.AsString;
              tkVariant:
                try
                  LOutput := LOutput + VarToStr(LArg.AsVariant);
                except
                  LOutput := LOutput + '<invalid variant>';
                end;
            else
              LOutput := LOutput + '<unsupported type>';
            end;
            // Add a separator unless it's the last argument
            if I < High(Args) then
              LOutput := LOutput + ', ';
          end;
          Writeln(LOutput);
        end;

     Overloading Writeln

     To make calling this function straightforward without requiring brackets, I created multiple overloads for the CustomWriteln procedure:

        procedure CustomWriteln(A1: TValue); overload;
        begin
          DoCustomWriteln([A1]);
        end;

        procedure CustomWriteln(A1, A2: TValue); overload;
        begin
          DoCustomWriteln([A1, A2]);
        end;

        procedure CustomWriteln(A1, A2, A3: TValue); overload;
        begin
          DoCustomWriteln([A1, A2, A3]);
        end;

        // Add more overloads as needed for additional parameters

     Test in Project:

        begin
          try
            // Examples of usage with different types
            CustomWriteln(42);
            CustomWriteln(3.14, 'Hello');
            CustomWriteln(1, 2.2, 'Text', True);
            CustomWriteln(1, 'Two', 3.3, 'Four', False, 6);
          except
            on E: Exception do
              Writeln(E.ClassName, ': ', E.Message);
          end;
          Readln;
        end.

     Example Output
     -------
        42
        3,14, Hello
        1, 2,2, Text, <unsupported type>
        1, Two, 3,3, Four, <unsupported type>, 6

     Advantages of This Approach:
     Flexible Input: Handles integers, floats, strings, characters, and variants.
     Type-Safe: Uses TValue to handle types dynamically.
     Scalable: Easy to extend by adding more overloads or enhancing DoCustomWriteln.

     ---

     Final Project:

        program CustomWritelnProj;

        {$APPTYPE CONSOLE}

        {$R *.res}

        uses
          System.SysUtils, System.Variants, System.Math, System.Rtti;

        procedure DoCustomWriteln(const Args: array of TValue);
        var
          LArg: TValue;
          LOutput: string;
          I: Integer;
        begin
          LOutput := '';
          for I := Low(Args) to High(Args) do
          begin
            LArg := Args[I];
            case LArg.Kind of
              tkInteger, tkInt64:
                LOutput := LOutput + LArg.AsInt64.ToString;
              tkFloat:
                LOutput := LOutput + LArg.AsExtended.ToString;
              tkEnumeration:
                // Boolean is an enumeration to the RTTI; any other enumerated type would raise
                // EInvalidCast from AsBoolean, so those fall back to TValue's own ToString
                if LArg.TypeInfo = TypeInfo(Boolean) then
                  LOutput := LOutput + BoolToStr(LArg.AsBoolean, True)
                else
                  LOutput := LOutput + LArg.ToString;
              tkString, tkLString, tkUString, tkWString, tkChar, tkWChar:
                LOutput := LOutput + LArg.AsString;
              tkVariant:
                try
                  // VarToStr from System.Variants converts the Variant to its string form
                  LOutput := LOutput + VarToStr(LArg.AsVariant);
                except
                  LOutput := LOutput + '<invalid variant>';
                end;
            else
              LOutput := LOutput + '<unsupported type>';
            end;
            // Add a separator unless processing the last element
            if I < High(Args) then
              LOutput := LOutput + ', ';
          end;
          Writeln(LOutput);
        end;

        // Overloaded CustomWriteln implementations
        procedure CustomWriteln(A1: TValue); overload;
        begin
          DoCustomWriteln([A1]);
        end;

        procedure CustomWriteln(A1, A2: TValue); overload;
        begin
          DoCustomWriteln([A1, A2]);
        end;

        procedure CustomWriteln(A1, A2, A3: TValue); overload;
        begin
          DoCustomWriteln([A1, A2, A3]);
        end;

        procedure CustomWriteln(A1, A2, A3, A4: TValue); overload;
        begin
          DoCustomWriteln([A1, A2, A3, A4]);
        end;

        procedure CustomWriteln(A1, A2, A3, A4, A5: TValue); overload;
        begin
          DoCustomWriteln([A1, A2, A3, A4, A5]);
        end;

        procedure CustomWriteln(A1, A2, A3, A4, A5, A6: TValue); overload;
        begin
          DoCustomWriteln([A1, A2, A3, A4, A5, A6]);
        end;

        procedure CustomWriteln(A1, A2, A3, A4, A5, A6, A7: TValue); overload;
        begin
          DoCustomWriteln([A1, A2, A3, A4, A5, A6, A7]);
        end;

        procedure CustomWriteln(A1, A2, A3, A4, A5, A6, A7, A8: TValue); overload;
        begin
          DoCustomWriteln([A1, A2, A3, A4, A5, A6, A7, A8]);
        end;

        procedure CustomWriteln(A1, A2, A3, A4, A5, A6, A7, A8, A9: TValue); overload;
        begin
          DoCustomWriteln([A1, A2, A3, A4, A5, A6, A7, A8, A9]);
        end;

        begin
          try
            // Examples of usage with different types
            CustomWriteln(42);
            CustomWriteln(MaxComp, 'The max value of Int64');
            CustomWriteln(MaxComp, MinComp, 'Int64 Interval');
            CustomWriteln(1, 2.2, 'Text', True);
            CustomWriteln(1, 'Two', 3.3, 'Four', False, 6);
          except
            on E: Exception do
              Writeln(E.ClassName, ': ', E.Message);
          end;
          Readln;
        end.
  11. Uwe Raabe

    New Code Signing Certificate Recommendations

    So your certificate has been issued in 2022 and thus doesn't fall under the new hardware rules. You can use it as long as it is valid, but then you need one of the new ones bound to a hardware token.
  12. DelphiUdIT

    New Code Signing Certificate Recommendations

    By now, as I wrote in another thread, I use Certum (since two days) and they are compatible with the Windows certificate store. Of course they install their own drivers, but without calling them directly all applications view the certificate and can use it.
  13. I finally received the EV certificate. It was an exhausting journey, where every day the certification body (Certum) asked me for a document, a clarification or something else. Having to follow the complete path (I had never purchased any certificate from them) they rightly verified everything and even more than everything. The installation of the certificate (keys and certificate itself) on the hardware key was done through their control panel via browser in two stages. Everything worked the first time and the cost was in line with that of direct competitors (at least for the three-year solution). The hardware key is seen directly through the "storage" of Windows certificates and so the certificate is visible and usable by any application. In the Rad Studio IDE I inserted a new Tool (under "tools menu") that allows me to immediately sign the executable file (or DLL) compiled from the project. Now the second step is to verify with Microsoft the pairing for signing the drivers.
  14. AFAIK you can use any certificate (at least that used to be the case[*] - maybe a bug in signtool) but only code signing certificates will be validated as such so there's not much point in trying to use something else. What would be the point? *) Back in the day, when Denmark introduced digital IDs, every citizen got issued a certificate. So naturally I used my personal certificate to sign all my software 🙂 I think that the new certificates are still just files. They just need to be on a secure token in order to be usable. AFAIK once you have a token with a certificate on it you can copy it to other tokens. That's what we are planning on doing anyway; We just received an EV certificate on a token and two extra blank tokens yesterday. One is used by the build server (via Signotaur - works great!), one will go in the safe for backup, and one will be shipped to me for R&D (my client is in another country), and in the darkness bind them.
  15. Patrick PREMARTIN

    Any chance of getting a signed installer?

    Let's Encrypt delivers only website certificates; they are not compatible with code signing on Windows.