Jump to content
CarloM

SSL certificate for VCL Application Exe

By CarloM, in VCL

Recommended Posts

Angus Robertson    574

Angus Robertson
Posted

I just use a simple batch file:

 

cd C:\Program Files (x86)\Windows Kits\10\bin\x86
signtool sign /p "password" /f "c:\certificates\magenta-systems-certkey.pfx"  /d "WebApp Server - Telecom" /fd sha1 /t http://timestamp.verisign.com/scripts/timstamp.dll "d:\webapps\webapp_telecom.exe"
signtool sign /p "password" /f "c:\certificates\magenta-systems-certkey.pfx"  /d "WebApp Server - Telecom" /as /fd sha256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp "d:\webapps\webapp_telecom.exe"
signtool verify /all /pa d:\webapps\webapp_telecom.exe
 

This assumes you can buy a code signing certificate as a file, some authorities only sell them on dongles when you need a slightly different command line and you may find Windows demands a password each time you sign a file, so not very automated.

 

EV certificates are only needed for kernel drivers. If you start your order at

 

https://msdn.microsoft.com/windows/hardware/drivers/dashboard/get-a-code-signing-certificate

 

you will find most authorities offer substantially cheaper prices than their web sites, Digicert sells EV for $104 a year, non-EV for $74.  

 

Angus
 

 

Share this post

Link to post

CarloM    3

CarloM
Posted

Hello Again,

 

when I sign a .exe file... in the resulting exe icon is lost.

 

Any idea ?

Share this post

Link to post

Angus Robertson    574

Angus Robertson
Posted

Never seen the icon lost, been signing files for 15 years. Are you using the latest signtool?  No other EXE manglers?

 

Angus

Share this post

Link to post

rvk    33

rvk
Posted (edited)
On 6/27/2019 at 9:05 AM, CarloM said:

How can I sign digitally my *.exe with a SSL EV ?

...

I would like use a cert like this 

https://www.digicert.com/code-signing/

It is expensive, any recommendation?

 

YIKES. $474/year for a Code signing certificate ?????

Shouldn't be any more than $100/Year or so via some Sectigo reseller.

Examples here and here.

You'll need a Code signing certificate ("SSL" EV won't do and I've never needed an EV Code certificate).

 

I also never seen the icon disappear. What tool do you use to sign and what command line options?

 

Edited by rvk
  • Like 1

Share this post

Link to post

CarloM    3

CarloM
Posted

Hello,

 

Digicert says that Microsoft has discontinued their SysDev program.

 

Any cheap alternative  for EV SSL code signing ?

 

Thank you

Share this post

Link to post

mvanrijnen    123

mvanrijnen
Posted (edited)

A small bump and topic hack.

Will code signing also prevent from virusscanners see an executable as malicious ?

We do have  that with some applications here sometimes.

(we only write software for use within our own company)

 

Edited by mvanrijnen

Share this post

Link to post

Vincent Parrett    750

Vincent Parrett
Posted

https://www.ksoftware.net/code-signing-certificates/ 

 

OV certificates for $84 per year  - EV for $349 per year. 

 

Either way, be prepared to jump through hoops to prove you are who you say you are. EV's are typically issued on a dongle and are a pain. You can automate them to a degree - but not when running from a windows service (ie on a ci server)

 

https://www.finalbuilder.com/forums/t/signtool-with-ev-certificate-fails/6535/22 

Share this post

Link to post

mvanrijnen    123

mvanrijnen
Posted (edited)

Yes but because it's for our own internal software, which is copied to the clients from an "applauncher" with versiion control etc, it does not add that much for us if it does nothing with the malware/virusscan software.

 

 

Edited by mvanrijnen

Share this post

Link to post

DelphiUdIT    176

DelphiUdIT
Posted

I live in Italy and I have a digital signature device (USB) that allows me to also sign programs (I use signtool as already indicated in previous posts). The cost is about thirty Euros for the physical USB device (legal duration 6 years) and 20 Euros every 3 years for the renewal of the digital signature. This means an indicative cost of 12 Euros per year.
This is not an EV device, so I sign the programs but not the drivers.
Precisely for the problem of personal recognition (to be done every 3 years) I have entrusted myself to a government structure spread throughout the territory, so I have no problems with renewals.

Those who live in Italy and have a business can easily have this device (among other things it is practically mandatory with us).

Share this post

Link to post

Der schöne Günther    316

Der schöne Günther
Posted (edited)

@DelphiUdIT, can you give us a product name? Sounds interesting, especially the costs.

 

I also still struggle to understand if an EV certificate is really good for anything besides drivers. I don't have a source at hand, but I remember that Microsoft SmartScreen will automatically grant an EV signed application a higher reputation than with a regular certificate.

 

PS: MSIX files MUST be signed, there's no way around it.

Edited by Der schöne Günther

Share this post

Link to post

DelphiUdIT    176

DelphiUdIT
Posted
22 minutes ago, Der schöne Günther said:

@DelphiUdIT, can you give us a product name? Sounds interesting, especially the costs.

To buy and use the device you must have a business in Italy (through the provincial Chamber of Commerce ) or live in Italy. It should be the same for the other Italian providers too, they issue the digital signature on permission of the Italian authority. I don't know if someone in Italy can release a digitally sign to a foreign people.

 

Bye

Share this post

Link to post

Wil van Antwerpen    25

Wil van Antwerpen
Posted (edited)

Hi,

Quote

I also still struggle to understand if an EV certificate is really good for anything besides drivers. I don't have a source at hand, but I remember that Microsoft SmartScreen will automatically grant an EV signed application a higher reputation than with a regular certificate.

Exactly that.. if you offer your software as a download then SmartScreen will be a real PITA for your users unless your software was signed with an EV certificate. About 3 times a user gets asked if they really want to do this. First deny the download, then popup a "not often installed" warning with cancel as default choice, then another warning of which I forgot the details.


Sorry, can't test that now as Microsoft has finally started accepting my normal certificate again (after 5 months of pain)

 

There I was just coming to the conclusion that one of these days I have to accept that the certificate I had bought for 3 years is worthless and that only an EV code signing certificate is going to offer a painless installation for end users. (pffff... )

 

edit: you asked for a link: https://www.ssl.com/faqs/which-code-signing-certificate-do-i-need-ev-ov/

Quote

Microsoft SmartScreen Reputation

 

According to Microsoft’s FAQ, its reputation-based SmartScreen filter “checks the files that you download against a list of files that are well known and downloaded by many people who use Internet Explorer. If the file that you’re downloading isn’t on that list, SmartScreen will warn you.”

Signing your code is not required to earn a SmartScreen reputation, but EV-signed code’s extra level of trust lets developers skip this hurdle altogether:

  • An EV code signing certificate offers an immediate reputation with Microsoft SmartScreen, so your users will never have to click through a SmartScreen warning in Windows.
  • With an OV certificate, SmartScreen reputation must be built organically, as users download and install your files. SmartScreen warnings may occur until enough software proves sufficiently popular with Windows users for SmartScreen to view it as “well known.”

I have lost so much time (and sales) on this that when the next renewal comes I will not doubt and buy an EV certificate instead of the -much cheaper- OV one.

Edited by Wil van Antwerpen
  • Thanks 1

Share this post

Link to post

Der schöne Günther    316

Der schöne Günther
Posted

Thank you for clearing this up. Absolutely. As far as I understand, an OV certificate might be sufficient for Freeware tools, but for something you sell, it seems it should most definitely be an EV one.

 

An alternative would be using the App store which is something I am considering. Cost is a one-time fee of 100 US $ for a company developer account, after that, Microsofts infrastructure takes care of hosting, certificates and so on.

Share this post

Link to post

Davide Angeli    44

Davide Angeli
Posted

We have been using this one from several years: https://www.certum.eu/en/code-signing-certificates/

 

They give us an usb token containing the certificate. To apply the certificate to our exe, dll, bpl, installers etc I've created a small custom internal delphi tool using this library: SecureBlackBox, its not cheap but we are using it for other digital sign purposes and it works fine interacting with tokens and certificates.

Share this post

Link to post

corneliusdavid    214

corneliusdavid
Posted

Lots of good information in this thread but I'll add a blog I wrote a couple of months ago that explains how I use a certificate from K Software (less than $100 year) to sign both Delphi apps and installs built with InnoSetup: 

 

What can Code Signing do for you?

 

Perhaps it'll add something useful for someone.

 

Share this post

Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go To Topic Listing VCL
×