Everything posted by Vincent Parrett
-
Signotaur Code Signing Server - Looking for beta testers
Vincent Parrett replied to Vincent Parrett's topic in Delphi Third-Party
Hi All

Signotaur Code Signing Server - Release Candidate 1 is available

https://www.finalbuilder.com/downloads/signotaur

To get a license key, once installed and logged in, go to the Admin\Licenses page and click on the "Request a 14-day trial license" button - the server will contact our website and download and install a trial key automatically.

Docs are here https://docs.finalbuilder.com/sn/1.0/

Note - only tested with Safenet and Yubikey tokens, pfx files and certificate stores so far. -
Signotaur Code Signing Server - Looking for beta testers
Vincent Parrett replied to Vincent Parrett's topic in Delphi Third-Party
Any yubikey capable of containing a code signing certificate and supported by the yubikey pkcs#11 driver (installed with their PIV tool). We have tested with a 5C and a 5 Nano.

Yes, that's the main reason we developed the product (for our own use initially) - once you have configured the token/certificate on the server (via the web interface) then signing is done using the client with an api key - no password prompts.

PM me if you are interested in testing - we're currently working on documentation and the website with a view to releasing as soon as they are done (we have had some great feedback already).

Also if anyone has a certificate issued by Certum and wants to test Signotaur please message me - I have a Certum token/smartcard - but they didn't provide the puk so I can install certs on it for testing. -
Code signing in a remotely working team?
Vincent Parrett replied to A.M. Hoornweg's topic in General Help
I have never seen page hashing even mentioned before I started working on our product. I doubt many people even know about it - there is almost no documentation on it other than the signtool command line page. I added it to our client tool because signtool has it 🤷‍♂️ -
Code signing in a remotely working team?
Vincent Parrett replied to A.M. Hoornweg's topic in General Help
Hi All As I mentioned previously, we have been working on a Code Signing server product that makes codesigning remotely really easy. I posted another thread with the details. -
SynEdit now supports multi-caret, multi-selection editing
Vincent Parrett replied to pyscripter's topic in I made this
Awesome stuff - I wish the Rad Studio editor had this functionality (not holding my breath). Perhaps Rad studio should switch to synedit! -
Code signing in a remotely working team?
Vincent Parrett replied to A.M. Hoornweg's topic in General Help
I have never seen it used and couldn't really find any doco on it either, but since they were easy to implement we added it anyway 🤷‍♂️ -
Code signing in a remotely working team?
Vincent Parrett replied to A.M. Hoornweg's topic in General Help
We'll look at this. I haven't seen any APIs to make this easy, so will likely have to resort to manipulating the PE file. That said, if you sign without using the -as option I think it will replace the existing certificate - I will have to test that.

We are planning on adding a timestamp command but that is not yet implemented (mostly because we haven't gotten to it yet).

Should be simple to add - I had it in there originally but couldn't figure out why it would be needed - signtool doco doesn't say much.

We went around in circles with this, we needed something unique to identify the certificate - IssuedTo/SubjectName is not unique if more than one token is enabled (ie old cert and new cert). I'll talk to the lead dev about this when he is back from vacation next week - I did the initial r&d and then handed the project off to another dev to make it into a product and this is one of the areas he worked on.

Thanks for the feedback. -
Code signing in a remotely working team?
Vincent Parrett replied to A.M. Hoornweg's topic in General Help
Be aware that most of those cloud based services either charge per signing or impose monthly limits on the number of signings. -
Code signing in a remotely working team?
Vincent Parrett replied to A.M. Hoornweg's topic in General Help
Timestamping happens on the client - just like with signtool, you specify the timestamp server url and digest algorithm - we calculate the file digest, send that to the server, get back the signed digest/signature etc, apply that to the file and then perform the timestamp operation (simplified - quite a bit to it in reality).

This is the command line interface (subject to change)

We are using Signotaur to sign itself, here's an extract from the build log - running the sign command

    "C:\Program Files\VSoft Technologies\Signotaur\ClientTool\SignotaurTool.exe" sign --apikey ********** --thumbprint 56DFCD0B0C37DD1B9AB75FFCAB6627745E6E93B6 --signServer https://ciagent005:91 --file-digest SHA384 --tr http://timestamp.digicert.com --td SHA256 --allow-untrusted E:\CI_AWS\Ws\18154\Output\**\*.exe"

and the output (logging needs some tuning).

    SignotaurClient Version : 1.0.0.182 © 2024 VSoft Technologies Pty Ltd
    12:19:33 Fetching public key
    12:19:33 Sending sign request to server...
    12:19:36 Server responded : "Digest Signed OK"
    12:19:36 "E:\CI_AWS\Ws\18154\Output\Client\win-x64\SignotaurTool.exe" signed.
    12:19:36 Sending sign request to server...
    12:19:38 Server responded : "Digest Signed OK"
    12:19:39 "E:\CI_AWS\Ws\18154\Output\Server\win-x64\VSoft.Signotaur.Server.exe" signed.
    12:19:39 Sending sign request to server...
    12:19:41 Server responded : "Digest Signed OK"
    12:19:41 "E:\CI_AWS\Ws\18154\Output\Server\win-x64\VSoft.SSLCertificate.Tool.exe" signed.
    12:19:41 Returning result code: 0.
    12:19:41 Result from Windows signing API "Operation successful."
    Exit code: 0

So signing and timestamping takes around 1-3 seconds per file (depends on file size etc). -
Code signing in a remotely working team?
Vincent Parrett replied to A.M. Hoornweg's topic in General Help
Thanks - yeah we spent a lot of time looking for a name that was relatable and googleable. -
Code signing in a remotely working team?
Vincent Parrett replied to A.M. Hoornweg's topic in General Help
This is on the todo list but not for the initial release - actually pretty simple to add. Oh and it does work with old school pfx certificates too. -
Code signing in a remotely working team?
Vincent Parrett replied to A.M. Hoornweg's topic in General Help
I'll make an announcement here when we have a beta ready. -
Code signing in a remotely working team?
Vincent Parrett replied to A.M. Hoornweg's topic in General Help
Yeah for years we have been told (and I have been telling everyone) to automate everything.. then some numpty decides to throw in a manual spanner 🤦‍♂️ - and yes, the cost of certificates increased a lot - way more than the cost of the physical tokens. There are workarounds and we currently use one - but it has its limitations - for example right now using the old workaround we can still only code sign from one virtual machine in our build environment - so lots of file copying happens which slows down builds - with our new solution code signing can be done from any build agent machine that has the client installed.

FWIW, we have only tested using Yubikey and Safenet tokens - but any token with a 64bit pkcs#11 driver dll should work.

Preview of the server web interface - product name may or may not change - naming is hard!

Edit : forgot to mention, server will be for 64bit windows and linux - client 64bit windows only. -
Code signing in a remotely working team?
Vincent Parrett replied to A.M. Hoornweg's topic in General Help
No, that would be terribly wasteful - we calculate the digest on the client and send that to the server to be signed. -
Code signing in a remotely working team?
Vincent Parrett replied to A.M. Hoornweg's topic in General Help
We're working on a code signing server that supports tokens/pfx etc - allows you to do remote code signing very easily. All you need is network access to the server from a remote location (ideally over a vpn) and the client (a command line tool, which FinalBuilder will support). We're just tidying up loose ends (like the installer) before beta - hopefully in a few weeks. -
Correct transition from dcc32.exe to MSBuild.exe.
Vincent Parrett replied to dmitrybv's topic in Cross-platform
If you want an easy way to build for multiple compiler versions, take a look at https://www.finalbuilder.com/finalbuilder - supports Delphi 3 - 12.2 -
Memory access problem when exchanging WideString in OLE object written in Delphi
Vincent Parrett replied to kihor's topic in Windows API
If you are using the type library editor to create your RIDL - Delphi should be mapping those methods as safecall. Check your options.

Edit : the default is only dual interfaces - this is something I change whenever I install a new version of Delphi. -
Delphi 12.2 available for download
Vincent Parrett replied to pyscripter's topic in Delphi IDE and APIs
A gross generalisation on their part. It's entirely possible to create large applications without using a single Enterprise/Architect feature. -
VSoft.UUIDv7 - a Delphi implementation of UUIDv7 (RFC 9562)
Vincent Parrett posted a topic in I made this
Hi All

I created a Delphi implementation of UUIDv7 - RFC 9562

UUIDv7 values are time-sortable, which means you can sort them in increasing order based on when they were generated.

https://github.com/VSoftTechnologies/VSoft.UUIDv7

Should work with XE2-12.x Win32/Win64 and all platforms on 11.3 or later.

Usage :

    var
      guid : TGuid;
    begin
      guid := TUUIDv7Helper.CreateV7;
      writeln(guid.ToString);
    end;
-
VSoft.UUIDv7 - a Delphi implementation of UUIDv7 (RFC 9562)
Vincent Parrett replied to Vincent Parrett's topic in I made this
I rely on TGUID.NewGuid to generate the random parts - under the hood it uses CoCreateGuid which uses windows cryptographic apis - which are far more random than Delphi's Random function (and faster). -
VSoft.UUIDv7 - a Delphi implementation of UUIDv7 (RFC 9562)
Vincent Parrett replied to Vincent Parrett's topic in I made this
Updated to add some new methods

    type
      TUUIDV7Helper = record
        class function CreateV7 : TGuid;overload;static;
        class function CreateV7(const dt : TDateTime) : TGuid;overload;static;
        class function CreatedUTC(const guid : TGUID) : TDateTime;static;
        class function IsV7(const guid : TGuid) : boolean;static;inline;
        class function Version(const guid : TGuid) : integer;static;inline;
      end;
-
VSoft.UUIDv7 - a Delphi implementation of UUIDv7 (RFC 9562)
Vincent Parrett replied to Vincent Parrett's topic in I made this
for v7 yes - in theory just reverse the process that inserts the unix epoch timestamp and convert to datetime. I would have created a record helper for TGuid - except the rtl already has one (where all the useful methods are) - and only 1 helper per type can be in scope at a time. -
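The RFC 9562 version 7 layout discussed in the posts above, as an added Python sketch (not the VSoft.UUIDv7 source; the function names only mirror the helper methods listed earlier and the sample UUID is a constructed value). It shows that the first 48 bits are a plain Unix millisecond timestamp that anyone holding the ID can read back, and that the remaining bits come from the OS CSPRNG.

```python
import datetime as dt
import os
import uuid

EPOCH = dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc)
ONE_MS = dt.timedelta(milliseconds=1)

def create_v7(when=None):
    """UUIDv7: 48-bit Unix time in ms, then version/variant bits over CSPRNG output."""
    when = when or dt.datetime.now(dt.timezone.utc)
    if when.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime")
    ms = (when - EPOCH) // ONE_MS              # exact integer milliseconds
    if not 0 <= ms < 1 << 48:
        raise ValueError("timestamp does not fit the 48-bit field")
    raw = bytearray(ms.to_bytes(6, "big") + os.urandom(10))
    raw[6] = 0x70 | (raw[6] & 0x0F)            # version nibble = 7
    raw[8] = 0x80 | (raw[8] & 0x3F)            # variant bits = 10
    return uuid.UUID(bytes=bytes(raw))

def version(u):
    """Version nibble, read straight from byte 6."""
    return u.bytes[6] >> 4

def is_v7(u):
    return version(u) == 7 and (u.bytes[8] & 0xC0) == 0x80

def created_utc(u):
    """Reverse of create_v7: read the first 6 bytes back as Unix milliseconds."""
    if not is_v7(u):
        raise ValueError("not a version 7 UUID")
    return EPOCH + int.from_bytes(u.bytes[:6], "big") * ONE_MS

if __name__ == "__main__":
    # Constructed sample value; its timestamp field is 0x017F22E279B0 ms.
    sample = uuid.UUID("017f22e2-79b0-7cc3-98c4-dc0c0c07398f")
    print(sample, "created", created_utc(sample).isoformat())
    a = create_v7()
    b = create_v7(dt.datetime.now(dt.timezone.utc) + dt.timedelta(seconds=1))
    print(a < b, version(a), is_v7(uuid.uuid4()))
```
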
Microsoft Trusted Signing service
Vincent Parrett replied to Angus Robertson's topic in General Help
Interesting how there is no mention that to use MFA you need to pay for Entra - so they have quietly just raised the cost of entry for Azure. -
Microsoft Trusted Signing service
Vincent Parrett replied to Angus Robertson's topic in General Help
I got the same email and also see the "get a free premium trial to use this feature" message. Typical Microsoft bait and switch - suck you in with what seems like a low priced offering, only to force another down your throat. So to use Azure now in any form, you need to pay AU$9 per user per month just for Entra ID (previously Azure Active Directory). -
updated Delphi64RTL intel ipp onetbb
Vincent Parrett replied to RDP1974's topic in RTL and Delphi Object Pascal
I don't see the source to any of the dll's in those repos. I get that you are using those projects to build the dll's, but the fact remains that they are black boxes - I cannot tell exactly what they do, what their provenance is and whether I can trust them. I'm not trying to dismiss your work as invalid, just pointing out that an open source project distributing dll's needs to provide a way for them to be built, or they must come from a trusted source (and usually code signed).