Vincent Parrett

Not sure C++ builder would save you any time, most c++ libraries do not compile with c++ builder, and c++ builder doesn't support all the platforms that delphi does (missing android).

https://www.finalbuilder.com/resources/blogs/code-signing-with-usb-tokens

I didn't have any issues with that last time.. but that was 3 yrs ago. I'm sure these dongles will be a nice little earner for thales and the CA's - the cost of certificates is already outrageous without the added expense of the dongle. CA's say the cost is for the time spent validating the applicants - my guess is much of that is automated - and they have minimum wage call centers doing the rest. License to print money.

Thanks. One thing to bear in mind with usb is that it is very sensitve to latency - so not sure how it would work in high latency connections. I have fiber at home and get 6ms pings to the data center where our servers live - which is fine. I suspect anything over 30ms might be a problem for some devices.

Blogged - https://www.finalbuilder.com/resources/blogs/code-signing-with-usb-tokens

LOL - no. There is - you create a certificate request which you send to the CA - they send back a certificate that can only be installed on the HSM that generated the certificate request. The CA websites do a really bad job at explaining things.

I hadn't seen that one, and based on what I have found out about it so far I'm just going to ignore it. Nice idea but will likely fail with hardware tokens - the private key stays on the token - so you need client software to allow the code signing tool to access it.

Yup, have to a gree, and it doesn't help that the sites that sell certificates are just plain sh1te - I've never seem so much unhelpful content in one place. Working on a blog post about this, hoping to get it out tonight (it's almost 8pm here) or tomorrow. I'm trying to edit it down to a reasonable size and reduce the jargon where possible.

Good luck doing that when your build process runs from a windows service where you are not logged in.

I suspect this would be wasted money - my guess is OV certificates will eventually be discontinued.

I have been researching this for some time, since it will impact most of our customers. I really do wonder if they have considered the impact this will have on build automation. One thing I would point out is do not get a certificate that is issued on a Yubikey - there is absolutely zero way to automate signing - the yubikey uses the windows smart card api and absolutely prompts on every file you sign! So far in my research, it seems only SSL.com (also the cheapest) use Yubikeys - everyone else I have looked at so far uses SafeNet tokens, which do have a work around. If anyone has a token other than SafeNet or Yuibkey please let me know (brand and where it was issued). I did buy a Yubikey (without a cert) to experiment with but didn't get far with that yet. https://www.finalbuilder.com/forums/t/signtool-with-ev-certificate-fails/6535/22 I have yet to confirm if this work around works from a windows service (which is typically how CI servers run). More testing to be done in the next few days before my EV cert expires (we are still using our OV cert that expires next year in production).

Routing a support/install/licensing issue to sales (often 5 different people) to try and strong arm you into paying money doesn't make it a sales issue. I don't know of any other software company that sells perpetual licenses that does this. I've had issues installing old software before, but never once have I been strongarmed to buy again like embarcadero does. Hell, I sell software, and if you came to me an told me you had lost your v1 license key from 2001 I would help you get it installed at no charge (this happens multiple times a week). Of course I might suggest that you upgrade (and even offer a discount to get you on board), but I'm not going to route you to different people or employ used car sales tactics to get you to upgrade, I'll make the offer while helping you. Embarcadero need to do better if they want to retain customers and get old customers back on board, because right now their tactics are driving people away.

Licensing is not a sales problem, and yes the product is dying when you have to coerce former customers to keep paying for something they already paid for. Not a great way to build customer loyalty - so they don't have a currenty software assurance contract, now they probably never will.

This is imho an unconscionable business practice - either the licenses are perpetual or they expire when the subscription expires, embarcadero can't have it both ways. I can't imagine how many customers they have turned away with this practice - pretty much every delphi dev I have met has encountered this issue - several gave up and walked away from delphi because of this license insecurity. Some went back to D7 because they could always get their license to work. If a company is going to use node locked activation (which is what this is), then they have to provide a way to unregister/move/transfer licenses. It's not that hard.

Not so - they used helpers to avoid breaking dcu compatibility between the other 11.x releases - those helper methods will be merged into the classes in the next major release. Without the binary compatibility, third party vendors would find it next to impossible to support the varions .x releases.

If that were the case, then you wouln't need to change anything at all in SynEdit - but you do as it cannot see SetAdditionalPCREOptions. True, but with the regex they have created 2 helpers, and the TPerlRegex helper is the one causing the issue.

FWIW, the helpers embarcadero introduces in an update should disappear in the next major version, as those helpers were only used to avoid breaking dcu compatibility - so their methods will be rolled into the classes. At least that's the plan.

The one that embarcadero created will be used first, the synedit one will be ignored. Which helper is used is dependant on where they are decleared, since embarcadero declared theirs closest to the actual class declaration theirs will be seen first rather than the one on synedit.

Not sure you can.. the best option would be to change SetAdditionalPCREOptions to AddRawOptions - then it will compile in all supported versions.

Unfortunately they were implemented using a class helper, which now breaks Turbopack/SynEdit https://github.com/TurboPack/SynEdit/issues/229

I had the same issue, we closed our office and went full remote - the address with our DUNS number was still the old office/phone - so I wasn't able to verify via phone call - getting the DUNS details updated outside the US was a nightmare - we eventually got our new certficate a day or so before the old one expired. I won't leave it so late next time. The whole process is very unsatisfactory to say the least - they really need to find a (secure) way to streamline the process. Renewing should not be as hard as getting an entirely new certificate.

This is going to be a nightmare for us. Our CI servers are in a data center in another city (3hr drive) in a shared cage - so there is absolutely no way I can leave a dongle plugged into a server that other companies might have access to. Then there is the issue of sharing the dongle amongst multiple vm's - any of our CI agent vm's can do code signing at the moment - there is also the hassle involved in automating signing with the EV certificates We're currently investigating how this will impact us and our customers.

Does it stop working when you stop paying?

I'm too cheap, Fork is $50, gitraken is a subscription tool.

Yeah I know, pretty sure I was one of them. I've used a lot of version control systems over the years in my day job and git is certainly not my favourite - like it or not it has won the version control wars (for now). FWIW inhouse we use Mercurial (with tortoisehg) - which while similar to git, is simpler - with real error messages! I chose to learn enough git to get by, and with good tools like Fork I get by ok. The days of developers only needing to know one version control systems are long gone, just like the days of only needing to know one programming language.