Vincent Parrett

Everything posted by Vincent Parrett

  1. Hi All. We have developed a client/server product to handle code signing. This makes it simple to code sign from any machine and avoid the dreaded token password prompts. It also supports file based certificates for those who still have valid ones! The client is a single exe (with a similar command line interface to signtool.exe) - 64-bit Windows 10/Server 2016 or later (may run on earlier versions but not tested). The server is supported on Windows 10/Server 2016 or later (may run on earlier versions but not tested). Linux support for the server is planned (we have it building but have not tested yet). The server has a web interface for configuring it (adding certificates, managing users etc). We have tested with Safenet tokens (with our own cert) and with Yubikey tokens (with self-signed cert). It should work with any token that provides a 64-bit pkcs#11 2.4 library dll. We are especially interested in hearing from people with Yubikey tokens (since we have only tested with self-signed cert). The token needs to be available to the server machine, either plugged in directly or via USB passthrough for VMs, or via virtualhere. We’re still working on docs but it’s pretty simple to get up and running with it, we’ll provide some instructions with the download info etc. If you are interested in testing this product email support @ finalbuilder.com - let us know what kind of token you have.
  2. Vincent Parrett

    Signotaur Code Signing Server - Looking for beta testers

    It's more about the first time you launch the exe - I have seen warnings even with apps signed with EV certs - possibly because it was a new update of an app - I was surprised - so I checked that the exe was signed just in case - it was - launched it again and no popup 💁‍♂️
  3. Vincent Parrett

    Signotaur Code Signing Server - Looking for beta testers

    Of course I'd love to be charging more, but the market probably wouldn't agree. I have been agonising over this for months - naming and pricing - both difficult aspects of turning projects into products. It's all about the provenance of the executable - does it come from who it says it does. Codesigning is ok, smartscreen isn't so smart - I see popups even with EV signed exes just because not many people have downloaded a file. Can't say I have heard of it but I like it!
  4. Vincent Parrett

    Signotaur Code Signing Server - Looking for beta testers

    We're still fleshing out the web pages (and working on a new website at the same time).
  5. Vincent Parrett

    Signotaur Code Signing Server - Looking for beta testers

    They will get smartscreen popups about how dangerous it is to use your product.
  6. Vincent Parrett

    Signotaur Code Signing Server - Looking for beta testers

    Obviously we have to take into account the competition (cloud), the fact that potential customers have already dropped $$$ on certificates, the cost of supporting it and of course we need to make a profit to make this all worthwhile (10 months of R&D). USD$199 is our current thinking.
  7. Vincent Parrett

    Signotaur Code Signing Server - Looking for beta testers

    Hi All. Signotaur Code Signing Server - Release Candidate 1 is available: https://www.finalbuilder.com/downloads/signotaur To get a license key, once installed and logged in, go to the Admin\Licenses page and click on the "Request a 14-day trial license" button - the server will contact our website and download and install a trial key automatically. Docs are here: https://docs.finalbuilder.com/sn/1.0/ Note - only tested with Safenet and Yubikey tokens, pfx files and certificate stores so far.
  8. Vincent Parrett

    Signotaur Code Signing Server - Looking for beta testers

    Any yubikey capable of containing a code signing certificate and supported by the yubikey pkcs#11 driver (installed with their PIV tool). We have tested with a 5C and a 5 Nano. Yes, that's the main reason we developed the product (for our own use initially) - once you have configured the token/certificate on the server (via the web interface) then signing is done using the client with an api key - no password prompts. PM me if you are interested in testing - we're currently working on documentation and the website with a view to releasing as soon as they are done (we have had some great feedback already). Also if anyone has a certificate issued by Certum and wants to test Signotaur please message me - I have a certum token/smartcard - but they didn't provide the puk so I can install certs on it for testing.
  9. Vincent Parrett

    Code signing in a remotely working team?

    I have never seen page hashing even mentioned before I started working on our product. I doubt many people even know about it - there is almost no documentation on it other than the signtool command line page. I added it to our client tool because signtool has it 🤷‍♂️
  10. Vincent Parrett

    Code signing in a remotely working team?

    Hi All. As I mentioned previously, we have been working on a Code Signing server product that makes codesigning remotely really easy. I posted another thread with the details.
  11. Vincent Parrett

    SynEdit now supports multi-caret, multi-selection editing

    Awesome stuff - I wish the Rad Studio editor had this functionality (not holding my breath). Perhaps Rad studio should switch to synedit!
  12. Vincent Parrett

    Code signing in a remotely working team?

    I have never seen it used and couldn't really find any doco on it either, but since they were easy to implement we added it anyway 🤷‍♂️
  13. Vincent Parrett

    Code signing in a remotely working team?

    We'll look at this. I haven't seen any APIs to make this easy, so will likely have to resort to manipulating the PE file. That said, if you sign without using the -as option I think it will replace the existing certificate - I will have to test that. We are planning on adding a timestamp command but that is not yet implemented (mostly because we haven't gotten to it yet). Should be simple to add - I had it in there originally but couldn't figure out why it would be needed - signtool doco doesn't say much. We went around in circles with this, we needed something unique to identify the certificate - IssuedTo/SubjectName is not unique if more than one token is enabled (ie old cert and new cert). I'll talk to the lead dev about this when he is back from vacation next week - I did the initial r&d and then handed the project off to another dev to make it into a product and this is one of the areas he worked on. Thanks for the feedback.
  14. Vincent Parrett

    Code signing in a remotely working team?

    Be aware that most of those cloud based services either charge per signing or impose monthly limits on the number of signings.
  15. Vincent Parrett

    Code signing in a remotely working team?

    Timestamping happens on the client - just like with signtool, you specify the timestamp server url and digest algorithm - we calculate the file digest, send that to the server, get back the signed digest/signature etc, apply that to the file and then perform the timestamp operation (simplified - quite a bit to it in reality).

    This is the command line interface (subject to change).

    We are using Signotaur to sign itself, here's an extract from the build log - running the sign command:

        "C:\Program Files\VSoft Technologies\Signotaur\ClientTool\SignotaurTool.exe" sign --apikey ********** --thumbprint 56DFCD0B0C37DD1B9AB75FFCAB6627745E6E93B6 --signServer https://ciagent005:91 --file-digest SHA384 --tr http://timestamp.digicert.com --td SHA256 --allow-untrusted E:\CI_AWS\Ws\18154\Output\**\*.exe"

    and the output (logging needs some tuning):

        SignotaurClient Version : 1.0.0.182
        © 2024 VSoft Technologies Pty Ltd
        12:19:33 Fetching public key
        12:19:33 Sending sign request to server...
        12:19:36 Server responded : "Digest Signed OK"
        12:19:36 "E:\CI_AWS\Ws\18154\Output\Client\win-x64\SignotaurTool.exe" signed.
        12:19:36 Sending sign request to server...
        12:19:38 Server responded : "Digest Signed OK"
        12:19:39 "E:\CI_AWS\Ws\18154\Output\Server\win-x64\VSoft.Signotaur.Server.exe" signed.
        12:19:39 Sending sign request to server...
        12:19:41 Server responded : "Digest Signed OK"
        12:19:41 "E:\CI_AWS\Ws\18154\Output\Server\win-x64\VSoft.SSLCertificate.Tool.exe" signed.
        12:19:41 Returning result code: 0.
        12:19:41 Result from Windows signing API "Operation successful."
        Exit code: 0

    So signing and timestamping takes around 1-3 seconds per file (depends on file size etc).
  16. Vincent Parrett

    Code signing in a remotely working team?

    Thanks - yeah we spent a lot of time looking for a name that was relatable and googleable.
  17. Vincent Parrett

    Code signing in a remotely working team?

    This is on the todo list but not for the initial release - actually pretty simple to add. Oh and it does work with old school pfx certificates too.
  18. Vincent Parrett

    Code signing in a remotely working team?

    I'll make an announcement here when we have a beta ready.
  19. Vincent Parrett

    Code signing in a remotely working team?

    Yeah for years we have been told (and I have been telling everyone) to automate everything.. then some numpty decides to throw in a manual spanner 🤦‍♂️ - and yes, the cost of certificates increased a lot - way more than the cost of the physical tokens. There are workarounds and we currently use one - but it has its limitations - for example right now using the old workaround we can still only code sign from one virtual machine in our build environment - so lots of file copying happens which slows down builds - with our new solution code signing can be done from any build agent machine that has the client installed. FWIW, we have only tested using Yubikey and Safenet tokens - but any token with a 64-bit pkcs#11 driver dll should work. Preview of the server web interface - product name may or may not change - naming is hard! Edit : forgot to mention, server will be for 64-bit Windows and Linux - client 64-bit Windows only.
  20. Vincent Parrett

    Code signing in a remotely working team?

    No, that would be terribly wasteful - we calculate the digest on the client and send that to the server to be signed.
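
    The digest-only exchange described in this post and in the timestamping post above, as an added Go sketch that is not Signotaur's code, API or wire protocol: `SignServer`, `ClientSign` and `Verify` are hypothetical names, the key is an in-memory ECDSA P-384 key standing in for a token, and the Authenticode wrapping and timestamping steps are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"crypto/subtle"
	"fmt"
)

// SignServer is a hypothetical stand-in for the signing server: only it holds the private key.
type SignServer struct {
	key    *ecdsa.PrivateKey // constructed in memory here; on a token in a real deployment
	apiKey string
}

func NewSignServer(apiKey string) (*SignServer, error) {
	k, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SignServer{key: k, apiKey: apiKey}, nil
}

// SignDigest signs a caller-supplied SHA-384 digest. The server never sees the file,
// so the API key check (plus logging each digest) is its only control over what is signed.
func (s *SignServer) SignDigest(apiKey string, digest []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(apiKey), []byte(s.apiKey)) != 1 {
		return nil, fmt.Errorf("invalid API key")
	}
	if len(digest) != sha512.Size384 {
		return nil, fmt.Errorf("want %d-byte digest, got %d", sha512.Size384, len(digest))
	}
	return ecdsa.SignASN1(rand.Reader, s.key, digest)
}

// ClientSign hashes the file locally; only the 48-byte digest leaves the build agent.
func ClientSign(s *SignServer, apiKey string, file []byte) ([]byte, error) {
	d := sha512.Sum384(file)
	return s.SignDigest(apiKey, d[:])
}

// Verify recomputes the digest from the file bytes, as a verifier would.
func Verify(pub *ecdsa.PublicKey, file, sig []byte) bool {
	d := sha512.Sum384(file)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	srv, _ := NewSignServer("constructed-api-key")
	file := []byte("constructed stand-in for an .exe image")
	sig, err := ClientSign(srv, "constructed-api-key", file)
	fmt.Println("signed:", err == nil, "verifies:", Verify(&srv.key.PublicKey, file, sig))
}
```

    Because the server signs whatever digest an authenticated caller presents, the API key carries the full authority of the certificate and should be scoped, rotated and audited accordingly.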
  21. Vincent Parrett

    Code signing in a remotely working team?

    We're working on a code signing server that supports tokens/pfx etc - allows you to do remote code signing very easily. All you need is network access to the server from a remote location (ideally over a vpn) and the client (a command line tool, which FinalBuilder will support). We're just tidying up loose ends (like the installer) before beta - hopefully in a few weeks.
  22. Vincent Parrett

    Correct transition from dcc32.exe to MSBuild.exe.

    If you want an easy way to build for multiple compiler versions, take a look at https://www.finalbuilder.com/finalbuilder - supports Delphi 3 - 12.2
  23. If you are using the type library editor to create your RIDL - Delphi should be mapping those methods as safecall. Check your options. Edit : the default is only dual interfaces - this is something I change whenever I install a new version of Delphi.
  24. Vincent Parrett

    Delphi 12.2 available for download

    A gross generalisation on their part. It's entirely possible to create large applications without using a single Enterprise/Architect feature.
  25. Hi All. I created a Delphi implementation of UUIDv7 - RFC 9562. UUIDv7 values are time-sortable, which means you can sort them in increasing order based on when they were generated. https://github.com/VSoftTechnologies/VSoft.UUIDv7 Should work with XE2-12.x Win32/Win64 and all platforms on 11.3 or later.

    Usage :

        var
          guid : TGuid;
        begin
          guid := TUUIDv7Helper.CreateV7;
          writeln(guid.ToString);
        end;