Vincent Parrett

  1. Vincent Parrett

    Appercept AWS Cognito

    There is a demo app on their github repo - https://github.com/appercept/aws-sdk-delphi-samples/tree/main/CognitoDemo I guess support for the getit version comes from embarcadero - the full version from https://www.appercept.com/ does indeed come with a help file. I believe support for the full version is by email at this stage. @Richard Hatherall will be able to answer that better than I can.
  2. Vincent Parrett

    DevEx VCL Components & VCL Styles??

    Not many complex third party components work with VCL styles, either because VCL Styles are too limited/buggy, or because they already did their own thing long before VCL Styles were released.
  3. I decided to purchase a 3yr OV certificate from SSL.com and load it onto a Yubikey token to be 100% sure they work with Signotaur (have tested with self signed certs before). I had 2 tokens already and bought another one locally - SSL.com are overcharging a lot for them (USD$297 vs USD$106 locally). You need the FIPS versions (e.g. 5C FIPS) for code signing. Note that by default on the order page, they add their cloud service to the price - make sure to de-select that! You do have to go through the process of generating a Certificate Signing Request and then exporting the attestation certificate and intermediate from the token to upload to their portal. This is quite well documented and pretty easy to follow. Their web portal is pretty horrible (tiny text and links - even with my glasses on). I had some issues initially - the first time they generated an RSA cert instead of an ECDSA (Yubikey only supports 2048bit RSA, code signing needs at least 3072bit) - contacted support and then went through the attestation process again, eventually got an ECDSA cert - but that did not work either - signtool sign said success but verify said failed. Important - I discovered that if you change the Yubikey pin/puk/managementpin after doing the attestation and before importing the cert, that will cause it to fail (doh!) - so had to go through the process again. It only takes a few minutes on your end, then an email to support for them to generate the cert again - and then you download and import the certificate onto the token. Remember to unplug and plug the token in again after importing (this triggers the import of the public key into the windows certificate store). Third time lucky, everything works fine. Note that to use Yubikeys with Signtool - you need to have the MiniDriver installed (you will get the smartcard pin prompt when calling sign tool) - you don't need the mini driver with Signotaur - you just need the PIV Tool (which has the pkcs#11 driver).
I then enquired about backup tokens, and was told to delete the attestation on their portal and redo it for the backup token. So over the course of a few days and some back and forth (timezones make everything slow down under) - I now have 3 Yubikey tokens with my certificate installed. This gives me a lot of comfort as I have a backup in case of hardware failure or theft - I have a Nano token which I can deploy in the data center where our servers live - much less likely to be stolen than the safenet token (which has a bright blue led that screams "take me"). Also thanks to @DelphiUdIT we have now confirmed that Signotaur also works fine with Certum tokens.
  4. Vincent Parrett

    New Code Signing Certificate Recommendations

    Thanks to @DelphiUdIT I can now confirm that Signotaur works with Certum code signing tokens 😀
  5. Vincent Parrett

    Reading empty collections

    I have hit this issue before, but didn't delve into it too far - I just made a point of not adding items to collections in the base form. TBH, I had so many issues with form inheritance getting messed up by the IDE that I tend to avoid it - more trouble than it's worth.
  6. Keep it simple - create a class helper for TMemo and add an Assign method and just set the props you need. This will be quicker and easier than messing with RTTI (which can be a bit of a rabbit hole with some property types).
  7. There is a type library you can import - would save a lot of casting: C:\Windows\System32\inetsrv\nativerd.dll. It's a pretty awful api to work with, it's been a while since I looked at it - Microsoft created a pretty extensive dotnet wrapper for it - https://www.nuget.org/packages/Microsoft.Web.Administration - you could download the nuget package and use Ilspy to have a look at it - might help.
  8. Vincent Parrett

    New Code Signing Certificate Recommendations

    https://www.finalbuilder.com/resources/blogs/code-signing-with-usb-tokens Also, if anyone with a Certum token is interested in seeing whether the pin prompt issue can be worked around, please PM about testing it with Signotaur - we have tested with Safenet and Yubikey tokens but I wasn't able to test with Certum - I did buy a token without a certificate thinking I could test with a self signed certificate (like I did with yubikey), however they refused to let me reset the token (no PUK).
  9. Vincent Parrett

    New Code Signing Certificate Recommendations

    That works for Safenet tokens (which sectigo use), but not for Yubikey (which some other CA's use).
  10. Vincent Parrett

    New Code Signing Certificate Recommendations

    You say that, but in your blog post you mention you bought one and then you show a signtool example using a pfx - which is it? You cannot buy a certificate where the private key is provided in a pfx file these days - it has to be provided on a usb token or installed onto a HSM, both of which make the private key non exportable. I recently bought a 3 year OV certificate from SSL.com * for USD $328.95 - I specified no usb key as I already had a Yubikey 5 FIPS that I could use. I also have a certificate on a Safenet token - but wanted a certificate on a yubikey for testing purposes (and as a backup). * They initially issued the certificate incorrectly - I had to contact their support and go through the whole attestation again - however it's still not working (signtool succeeds but windows says "no signature present in the subject") - waiting to hear back from their support again.
  11. I have noticed in the last few days the Condensed/Expanded buttons have no effect in the Activity view - it's always expanded.
  12. Vincent Parrett

    New Code Signing Certificate Recommendations

    That site has form - they plagiarised my blog about signing with USB tokens and when I called them on it they flat out refused to take it down. They have a ton of blog posts that to me look to be mined from the web and reworded - perhaps with AI - DO NOT USE THEM. PS. I did some research and their blog posts rank really high on google (#1 for my blog they stole, mine is #7 grrrr) - that suggests to me it's the work of an SEO team creating content purely for the purpose of getting their site ranking on google - I very much doubt there is any original content.
  13. Vincent Parrett

    How to solve System Out of Resources in TScrollBox

    Using a TScrollbox with thousands of child controls is a terrible idea, apart from the memory overhead the performance would not be great. As others have said, using a virtual list control is a much better solution. This is what I use for these scenarios - you do have to write the paint code yourself but it's very lightweight: https://github.com/VSoftTechnologies/VSoft.VirtualListView - supports XE2 - D12 and vcl themes - although I have only tested themes within an IDE plugin. There is a demo app and you can also see it in use here: https://github.com/DelphiPackageManager/DPM/blob/master/Source/IDE/EditorView/DPM.IDE.EditorViewFrame.pas
  14. Mine didn't have a pin, but when I try to set a pin it asks for the PUK - which I do not have and they will not provide. Each email to their support results in 2 emails - an auto responder and a canned response telling me to login to my account - all pointless since there are no certs in my account and no puk available. Wasted $200 for nothing.
  15. @Angus Robertson answered that question - using a certificate signing request - like we used to do for SSL certs before LetsEncrypt came along. Whether it is the same certificate (ie with the same thumbprint) or not I am unsure.