Vincent Parrett

I would say no. It's not hard to guess what the next compiler version will be. However, publishing packages saved with that beta may well be an NDA violation.

Received my new OV token from Digicert today - it is a SafeNet 5110+ FIPS token (thankfully) and I am able to automate signing with it 😅 I spent some time messing with a self signed certificate on a yubikey token over the last week, but cannot for the life of me figure out how to get it to sign without prompting for a password. This was just an experiment with the yubikey (which I already had for other purposes).

I ended up purchasing an 3yr OV certificate (EV seems like a waste to me) from GoGetSSL.com which was substantially cheaper (USD$730 including $120 shipping - better come wrapped in a vault!) than anywhere else - turns out they are owned by digicert and once you order you they create an account for you on Digicert and the request process is done on the digicert site.

I also bought a yubikey to test with self signed certificates - but haven't found a way to automate signing without the password prompt (bought it just to research this).

I have received so much conflicting infomation from the CA's (much like their terrible websites) - codesigningstore.com (sslstore.com) sent this in response to my enquiry So if they send me a Safenet token, all good, but if I buy a sectigo cert and want to renew using the same token in 3 yrs time - I cannot? I'm seeing similar vague/ambiguous responses from other sellers. I have asked for clarification, but none so far.

In the original RFC it was proposed that qualification of a device had to be done by an independant qualified person - but I am seeing CA's list which devices they will support. Unfortunatley that changes over time so the token I have is no longer usable. Looks interesting, although Digicert's are the most expensive certificates you can buy, eye watering prices for small business to absorb.

It's certainly at odds with the notion that we should automate things so they work correctly every time. I for one am not going to sit there typing a pin and pushing a button for every file that I sign. If I cannot automate, then I will either not sign at all, or sign with a self signed certificate and provide the public key on my website for customers to install (to avoid the invalid certificate error). Of course microsoft, who has a big hand in this push to hardware storage of certificates, just happens to own a whole bunch of HSM's (azure key vault) and it working on a code signing service for azure - which they would like us all to use eventually - for a fee.

I can confirm it works, if you have a safenet token. So far I have not found out how to do this with a yubikey token. https://www.finalbuilder.com/resources/blogs/code-signing-with-usb-tokens

Who did you purchase through. I contacted a bunch of sellers and they all said it's yubikey for sectigo certs.

I just tried it in postman and it fails there too.. looks like it might be an issue with a cloudfare challenge - hard to get around that without js.

I would look at setting the UserAgent to something that mimicks a browser, often servers look at that as part of their ddos defence Try this Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0

Sectigo and any Sectigo resellers supply YubiKey's Digicert supply Safenet tokens No reply from the other CA's I have contacted so far. FYI - Safenet good (can automate), YubiKey bad (password prompts cannot be avoided).

Project Loom looks really interesting https://developer.okta.com/blog/2022/08/26/state-of-java-project-loom They are calling them Virtual Threads - but the effect is the same - I actually quite like the design they have come up with. Coroutines/fibers/virtualthreads etc are really useful in high concurrency server applications, or under the hood in other libraries - if you are still dropping db components on forms then they probably would not impact you (directly at least).

Just getting back to purchasing a new certificate - finding it very difficult to determine which usb tokens the CA's are providing with the certificates. If anyone has purchased recently, can you post from which site and token kind you got? Also, do not recommend this site - they have substantially ripped off my blog post from Oct 2022 with no attribution at all - I was actually browsing their site looking to buy when I came across the blog post and immediately recognised my work - at least one image was directly taken from my post (byte for byte idendical). Anyway back to the tokens - I do see a lot more references to CA's using Yubikeys now than I did last year - but have still yet to find a resource on automating code signing using one. Hence my concern about which phyical token kind they are issuing.

Of course I am biased, but everyone should have a build server 😉 FinalBuilder makes setting version info trivial https://www.finalbuilder.com/resources/blogs/managing-delphi-version-info-with-finalbuilder

I have a loading flag variable that I set in the form create and then check in the event handlers - clear the flag when done initialising the controls. Crude, but simple.

Yes, I'm aware of those, some things just couldn't be refactored out without major breaking changes. Some of those are also new since I last refactored 🤷‍♂️ That does indeed look like very useful information.

Does it actually support Delphi, couldn't find any mention of it on their site. Also, if I have to contact a vendor for a price I immediately lose interest... that always smells like their sales people rubbing hands - "ooh lets research the prospect and see how much they can afford to pay". There is a saying.. "If you have to ask, you can't afford it".

This ^^^ - it's one of the first things I look to do when refactoring code. Units with 15K lines - well that's a code smell - units that long are horrible to work with. As an example, VirtualTrees.pas from Virtual-TreeView used to be 38K lines long. Reviewing the code it was easy to see why it was so long.. because of circular references between classes (often unnecessarily) and the heavy use of friend access to private variables. Refactoring it was not easy and did require some minor breaking changes - but the code is now much more manageable - VirtualTrees.pas is now only 2K lines and code is split into units that make sense.

Is it just my delphi applications that behave poorly when handling dpi changes? This is when setting high dpi in the manifest to PerMonitorV2. I have verified that the controls (many of them mine) are handling this as they should (override ChangeScale). When dragging the application between monitors with different dpi's, it takes 3-4 seconds while the window flickers and repaints multiple times - the dragging operation pauses while it does this, and then the window eventually jumps to where you actually dragged it. I've been looking at other applications (that ssupport PerMonitorV2) to see how they behave, even explorer stutters a little, due I guess to the ribbon control - but the stutter is around the 200ms mark. Thunderbird seem to repaint twice but very fast. After some debugging, as far as I can tell, this is caused by all controls getting their ChangeScale method called (as you would expect) which results in calls to SetBounds, which invalidates the control causing more painting! TWinControl.ScaleControlsForDpi appears to be doing the right thing (control alignment is a perf hog), but calling EnableAlign inevitably invalidates the control, again. procedure TWinControl.ScaleControlsForDpi(NewPPI: Integer); var I: Integer; begin DisableAlign; try for I := 0 to ControlCount - 1 do Controls[I].ScaleForPPI(NewPPI); finally EnableAlign; end; end; This really show up an inherent design flaw in the vcl, there is no BeginUpdate/EndUpdate design pattern in the vcl that allows a control (or form) to disable child controls painting until it's done. Many controls implement this pattern individually, but that doesn't help in this scenario. The situation isn't helped by my using Vcl Themes either - resize (setbounds) causes serious flicker in some controls and I'm sure this is coming into play here too. I tried to fudge a BeginUpdate/EndUpdate with this : procedure TMainForm.WMDpiChanged(var Message: TWMDpi); begin SendMessage(Self.Handle, WM_SETREDRAW, NativeUInt(False), 0); try inherited; finally SendMessage(Self.Handle, WM_SETREDRAW, NativeUInt(true), 0); RedrawWindow(Self.Handle, nil, 0, RDW_INVALIDATE or RDW_UPDATENOW or RDW_ALLCHILDREN); end; end; It cut's out the visible repainting, but doesn't speed things up much If anyone has any ideas on how to tackle this I'm all ears.

Well kind of, since then I got a new pc which has an amd processor - uprof is nowhere near as useful as vtune 😞 But still, it's nice to have that option now!

Yes, works about as well as it did with my hack, it's essentially doing the same thing. Still nowhere near as smooth as other applications though.

I can't offer advice on where to buy from, but I am also about to go through this process again in the next few months, so interested to hear people's experiences. FWIW, I blogged about code signing with hardware based certificates last year - https://www.finalbuilder.com/resources/blogs/code-signing-with-usb-tokens

If you use CI or automated builds, avoid using yubikeys as there is no way with the client software (built in windows smartkey client) to automate the code signing - you cannot get past the prompt for the certificate password.

This is a known issue with VCL Styles, there are several threads here where this is discussed. It's gotten slightly better with 11.x but still an issue with some controls. See also - https://quality.embarcadero.com/browse/RSP-30639