Vincent Parrett

Using a TScrollbox with thousands of child controls is a terrible idea, apart from the memory overhead the performance would not be greate. As others have said, using a virtual list control is much better solution. This is what I use for these scenarios - you do have to wite the paint code yourself but it's very lightweight https://github.com/VSoftTechnologies/VSoft.VirtualListView - supports XE2 - D12 and vcl themes - although I have only tested themes within an IDE plugin There is a demo app and you can also see it in use here https://github.com/DelphiPackageManager/DPM/blob/master/Source/IDE/EditorView/DPM.IDE.EditorViewFrame.pas

Mine didn't have a pin, but when I try to set a pin it asks for the PUK - which I do not have and they will not provide. Each email to their support results in 2 emails - an auto responder and a canned response telling me to login to my account - all pointless since there are no certs in my account and no puk available. Wasted $200 for nothing.

@Angus Robertson answered that question - using a certificate signing request - like we used to do for SSL certs before LetsEncrypt came along. Whether it is the same certificate (ie with the same thumbprint) or not I am unsure.

I had a terrible experience with Certum - I bought a sim and card reader from them for testing Signotaur - however I didn't purchase a certificate - I can test with self signed certificates - however they refused to provide the pin to the card because I didn't purchase a certificate - rendering it completely useless. I do not recommend them at all.

When I looked at it, it also forced us to use Entra ID for 2 factor authentication - which pushed up the price considerably - if I were using Azure for anything else it wouldn't be a big deal - but I'm not.

This is not quite right. YOU cannot just copy it, the private key cannot be exported from the token (the whole point of using hardware to store the key) - however the CA's you purchase the certificate from can issue you multiple tokens with the same certificate/private key - at a cost of course.

https://www.finalbuilder.com/resources/blogs/introducing-signotaur-remote-code-signing-server

Hi All 40% off on new licenses until midnight 4th December - no need for a coupon, the discount will be applied automatically. We have opened up sales on our code/document signing server Signotaur - although the actual release is not until next week the release canidate is available for download. https://www.finalbuilder.com/store

Hi Ross We are investigating this, we had another report - but so far have not been able to find the cause or reproduce this error. Please contact support @ finalbuilder.com so we can help resolve this. never mind - just saw that you did already.

There is no special magic that will convert a string into an exception object in Delphi, you have to do that yourself. Test cases just create an array of TValue and attempt to pass those as args, using the rtl conversion functions to convert TValuue to the argument type. This really only works for strings and ordinal types, it won't construct an object for you. You could use a TTestDataProvider class, take a look at the ProviderExample unit in the examples folder.

Thanks for the heads up - restarted the site and it seems to be working again.

My preferred stack for web dev is asp dotnet for the back end and React for the front end. If you must use delphi - https://github.com/danieleteti/delphimvcframework would be a good option for the back end. I hadn't looked at it in a long while, but it's come a long way in the last few years. asp dotnet and delphi mvc have a ton of functionality which scale really well. I steer clear of asp dotnet for the UI part because it changes too often and updating applications becomes a major task (ask anyone who updated from asp.net 4.x to asp dotnet core). On the front end, you could use what ever web ui framework you want, React, Vue and Svelte are all good options - but they all come with a learning curve.

Great. That will be the easy bit Good luck - last time we got a cert it was the most painful admin process I have ever endured. Make sure your companies DUN's details match up - in particular the phone number - that is the only number they would call and since we had closed the office to go fully remote - major drama - I had to add my cell number to our DUNs details - that was another mission.

Hi All We have developed a client/server product to handle code signing. This makes it simple to code sign from any machine and avoid the dreaded token password prompts. It also supports file based certificates for those who still have valid ones! The client is a single exe (with a similar command line interface to signtool.exe) - 64 bit windows 10/Server 2016 or later (may run on earlier versions but not tested). The server is supported on Windows 10/Server 2016 or later (may run on earlier versions but not tested). Linux support for the server is planned (we have it building but have not tested yet). The server has a web interface for configuring it (adding certificates, managing users etc). We have tested with Safenet tokens (with our own cert) and with Yubikey tokens (with self signed cert). It should work with any token that provides a 64bit pkcs#11 2.4 library dll. We are especially interested in hearing from people with Yubikey tokens (since we have only tested with self signed cert). The token needs to be available to the server machine, either plugged in directly or via usb passthrough for vms, or via virtualhere. We’re still working on docs but it’s pretty simple to get up and running with it, we’ll provide some instructions with the download info etc. If you are interested in testing this product email support @ finalbuilder.com - let us know what kind of token you have.

Note signing powershell files twice is not supported - see https://learn.microsoft.com/en-us/troubleshoot/windows/win32/signtool-corrupts-powershell-script We usethe same api's as Signtool so the same limitation applies Edit : note that the default is to replace the certificate so this should not be a factor.

Yes, it works in our testing here with the RC (v1.0.0.319) - what happens when you try it? C:\Temp>SignotaurTool.exe sign -a MYAPIKEY -s https://ciagent005:91 --allow-untrusted --fd=SHA256 -t 56DFCD0B0C37DD1B9AB75FFCAB6627745E6E93B6 -d="A Test" test.ps1 +----------------------------------------------------------------------------------------------------------------------+ | SignotaurClient | | Version : 1.0.0.324 | | © 2024 VSoft Technologies Pty Ltd | | | +----------------------------------------------------------------------------------------------------------------------+ 20:01:30 The following certificate was selected: Issued to: CN=VSoft Technologies Pty Ltd, O=VSoft Technologies Pty Ltd, L=Canberra, S=Australian Capital Territory, C=AU Issued by: CN=GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1, O=EnVers Group SIA, C=LV Expires: 09/05/2026 09:59:59 20:01:30 Signing 1 files. 20:01:30 Sending sign request to server for file C:\Temp\test.ps1 (size: 47 B) ... 20:01:32 C:\Temp\test.ps1 signed successfully. Exit code: 0 20:01:32 Execution time: 00:00:02.2759870 And when I test running the script PS C:\temp> Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy allsigned PS C:\temp> .\test.ps1 Do you want to run software from this untrusted publisher? File C:\temp\test.ps1 is published by CN=VSoft Technologies Pty Ltd, O=VSoft Technologies Pty Ltd, L=Canberra, S=Australian Capital Territory, C=AU and is not trusted on your system. Only run scripts from trusted publishers. [V] Never run [D] Do not run [R] Run once [A] Always run [?] Help (default is "D"): a I am signed thanks to Signotaur! PS C:\temp>

It's more about the first time you launch the exe - I have seen warnings even with apps signed with EV certs - possibly it because it was a new update of an app - I was surprised - so I checked that the exe was signed just in case - it was - launched it again and no popup 💁‍♂️

Of course I'd love to be charging more, but the market probably wouldn't agree. I have been agonising over this for months - naming and pricing - both difficult aspects of turning projects into products. It's all about the provenance of the executable - does it come from who it says it does. Codesigning is ok, smartscreen isn't so smart - I see popups even with EV signed exe's just because not msany people have downloaded a file. Can't say I have heard of it but I like it!

We're still fleshing out the web pages (and working on a new website at the same time).

They will get smartscreen popup's about how dangerous it is to use your product.

Obviously we have to take into account the competition (cloud), the fact that potential customers have already dropped $$$ on certificates, the cost of supporting it and of course we need to make a profit to make this all worthwhile (10 monthss of R&D). USD$199 is our current thinking.

Hi All Signotaur Code Signing Server - Release Candidate 1 is available https://www.finalbuilder.com/downloads/signotaur To get a license key, once installed and logged in, go to the Admin\Licenses page and click on the "Request a 14-day trial license" button - the server will contact our website and download an install a trial key automatically. Docs are here https://docs.finalbuilder.com/sn/1.0/ Note - only tested with Safenet and Yubikey tokens, pfx files and certificate stores so far.

Any yubikey capable of containing a code signing certificate and supported by the yubikey pkcs#11 driver (installed with their PIV tool). We have tested with a 5C and a 5 Nano. Yes, that's the main reason we developed the product (for our own use initially) - once you have configured the token/certificate on the server (via the web interface) then signing is done using the client with an api key - no password prompts. PM me if you are interested in testing - we're currently working on documentation and the website with a view to releasing as soon as they are done ( we have had some great feedback already). Also if anyone has a certificate issued by Certum and wants to test Signotuar please message me - I have a certum token/smartcard - but they didn't provide the puk so I can install certs on it for testing.

I have never seen page hashing even mentioned before I started working on our product. I doubt many people even know about it - there is almost no documentation on it other than the signtool command line page . I added it to our client tool because I signtool has it 🤷‍♂️

Hi All As I mentioned previously, we have been working on a Code Signing server product that makes codesigning remotely really easy. I posted another thread with the details.