CarloM, Posted June 27, 2019:

Hello, how can I digitally sign my *.exe with an SSL EV certificate? Does RAD allow signing it for Windows apps? I would like to use a cert like this: https://www.digicert.com/code-signing/ It is expensive, any recommendation? Thank you.
Fred Ahrens, Posted June 27, 2019:

You'll need a code signing certificate - SSL certificates can't be used for code signing. Developers can get a discounted code signing certificate from Digicert via this link -> https://www.digicert.com/friends/sysdev/
CarloM, Posted June 27, 2019:

Thank you, but how can I sign the *.exe? Any tutorial?
Angus Robertson, Posted June 27, 2019:

I just use a simple batch file:

    cd C:\Program Files (x86)\Windows Kits\10\bin\x86
    signtool sign /p "password" /f "c:\certificates\magenta-systems-certkey.pfx" /d "WebApp Server - Telecom" /fd sha1 /t http://timestamp.verisign.com/scripts/timstamp.dll "d:\webapps\webapp_telecom.exe"
    signtool sign /p "password" /f "c:\certificates\magenta-systems-certkey.pfx" /d "WebApp Server - Telecom" /as /fd sha256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp "d:\webapps\webapp_telecom.exe"
    signtool verify /all /pa d:\webapps\webapp_telecom.exe

This assumes you can buy a code signing certificate as a file; some authorities only sell them on dongles, in which case you need a slightly different command line, and you may find Windows demands a password each time you sign a file, so not very automated.

EV certificates are only needed for kernel drivers. If you start your order at https://msdn.microsoft.com/windows/hardware/drivers/dashboard/get-a-code-signing-certificate you will find most authorities offer substantially cheaper prices than their web sites; Digicert sells EV for $104 a year, non-EV for $74.

Angus
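An added example, not code from any post in this thread: a small Python check that reads the PE headers and reports whether an EXE or DLL carries an Authenticode certificate table, the structure signtool writes when it signs a file. It complements the `signtool verify` step above for build pipelines where signtool is not available (a Linux CI runner checking release artifacts, for instance), and it illustrates that the signature is appended as a separate table outside the image sections, so resource data such as icons is not rewritten by signing. The sample images are constructed in memory; the constants and header offsets come from the PE/COFF and Authenticode specifications. It only checks presence and shape of the table, not validity of the signature: validation still needs `signtool verify` or `Get-AuthenticodeSignature`.

```python
"""Locate the Authenticode certificate table in a PE (EXE/DLL) image.

Added example, not code from any post in this thread. Only the standard
library is used; the PE images it is run on here are constructed in memory
so the script is self-contained. Constants follow the PE/COFF and
Authenticode specifications.
"""
import struct
import sys
from typing import Optional

SECURITY_DIR_INDEX = 4                   # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate holds a PKCS#7 SignedData
WIN_CERT_REVISION_2_0 = 0x0200


def authenticode_entry(image: bytes) -> Optional[dict]:
    """Return the Certificate Table entry of a PE image, or None if unsigned.

    Raises ValueError for data that is not a PE image or whose certificate
    table points outside the file (a truncated or tampered binary).
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:                       # PE32
        num_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                     # PE32+
        num_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (num_dirs,) = struct.unpack_from("<I", image, num_dirs_off)
    if num_dirs <= SECURITY_DIR_INDEX:
        return None                          # no security directory at all
    entry_off = dirs_off + SECURITY_DIR_INDEX * 8
    if entry_off + 8 > len(image):
        raise ValueError("data directory runs past end of file")
    # Unlike other directories, this entry holds a raw file offset, not an RVA,
    # because the table lives outside any section, appended after the image.
    cert_off, cert_size = struct.unpack_from("<II", image, entry_off)
    if cert_off == 0 or cert_size == 0:
        return None                          # unsigned binary
    if cert_size < 8 or cert_off + cert_size > len(image):
        raise ValueError("certificate table lies outside the file")
    # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType, bCertificate[]
    length, revision, cert_type = struct.unpack_from("<IHH", image, cert_off)
    return {
        "file_offset": cert_off,
        "size": cert_size,
        "win_cert_length": length,
        "revision": revision,
        "type": cert_type,
        "is_pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
    }


def build_sample_pe(signed: bool) -> bytes:
    """Construct a minimal PE32+ image with no sections (sample data, not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    optional = bytearray(240)                             # PE32+ optional header size
    struct.pack_into("<H", optional, 0, 0x20B)            # Magic
    struct.pack_into("<I", optional, 108, 16)             # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(optional), 0x22)
    header_len = len(dos) + 4 + 20 + len(optional)
    if not signed:
        return bytes(dos) + b"PE\0\0" + coff + bytes(optional)
    # Placeholder PKCS#7 body (constructed, not a real signature); real tables are 8-byte aligned.
    payload = b"\x30\x82\x00\x00" + b"\0" * 28
    win_cert = struct.pack("<IHH", 8 + len(payload), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
    struct.pack_into("<II", optional, 112 + SECURITY_DIR_INDEX * 8,
                     header_len, len(win_cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + win_cert


if __name__ == "__main__":
    # Usage: python check_authenticode.py build\app.exe build\lib.dll
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            entry = authenticode_entry(fh.read())
        print(path, "signed" if entry else "UNSIGNED", entry or "")
```

Run it over the release folder as a gate before upload: any artifact reported UNSIGNED, or raising ValueError because its certificate table points past the end of the file, should fail the build rather than ship.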
CarloM, Posted July 17, 2019:

Hello again, when I sign a .exe file, the icon is lost in the resulting exe. Any idea?
Angus Robertson, Posted July 17, 2019:

Never seen the icon lost, been signing files for 15 years. Are you using the latest signtool? No other EXE manglers?

Angus
David Schwartz, Posted July 17, 2019:

I have not encountered this before. Why is it needed? (just curious)
rvk, Posted July 18, 2019 (edited):

> On 6/27/2019 at 9:05 AM, CarloM said: How can I sign digitally my *.exe with a SSL EV ? ... I would like use a cert like this https://www.digicert.com/code-signing/ It is expensive, any recommendation?

YIKES. $474/year for a code signing certificate????? Shouldn't be any more than $100/year or so via some Sectigo reseller. Examples here and here.

You'll need a code signing certificate ("SSL" EV won't do, and I've never needed an EV code certificate).

I also have never seen the icon disappear. What tool do you use to sign and what command line options?

Edited July 18, 2019 by rvk
CarloM, Posted April 15, 2020:

Hello, Digicert says that Microsoft has discontinued their SysDev program. Any cheap alternative for EV SSL code signing? Thank you.
Alexander Sviridenkov, Posted April 15, 2020:

gogetssl.com - $248 for EV
mvanrijnen, Posted June 2, 2021 (edited):

A small bump and topic hack. Will code signing also prevent virus scanners from seeing an executable as malicious? We do have that with some applications here sometimes. (We only write software for use within our own company.)

Edited June 2, 2021 by mvanrijnen
Alexander Sviridenkov, Posted June 2, 2021:

> 4 minutes ago, mvanrijnen said: Will code signing also prevent from virusscanners see an executable as malicious ?

No. Even an EV certificate.
Vincent Parrett, Posted June 2, 2021:

https://www.ksoftware.net/code-signing-certificates/

OV certificates for $84 per year - EV for $349 per year. Either way, be prepared to jump through hoops to prove you are who you say you are. EVs are typically issued on a dongle and are a pain. You can automate them to a degree - but not when running from a Windows service (i.e. on a CI server): https://www.finalbuilder.com/forums/t/signtool-with-ev-certificate-fails/6535/22
mvanrijnen, Posted June 2, 2021 (edited):

Yes, but because it's for our own internal software, which is copied to the clients from an "applauncher" with version control etc., it does not add that much for us if it does nothing with the malware/virus scan software.

Edited June 2, 2021 by mvanrijnen
DelphiUdIT, Posted June 11, 2021:

I live in Italy and I have a digital signature device (USB) that allows me to also sign programs (I use signtool as already indicated in previous posts). The cost is about thirty Euros for the physical USB device (legal duration 6 years) and 20 Euros every 3 years for the renewal of the digital signature. This means an indicative cost of 12 Euros per year. This is not an EV device, so I sign the programs but not the drivers.

Precisely for the problem of personal recognition (to be done every 3 years) I have entrusted myself to a government structure spread throughout the territory, so I have no problems with renewals. Those who live in Italy and have a business can easily have this device (among other things it is practically mandatory with us).
Der schöne Günther, Posted June 11, 2021 (edited):

@DelphiUdIT, can you give us a product name? Sounds interesting, especially the costs.

I also still struggle to understand if an EV certificate is really good for anything besides drivers. I don't have a source at hand, but I remember that Microsoft SmartScreen will automatically grant an EV signed application a higher reputation than with a regular certificate.

PS: MSIX files MUST be signed, there's no way around it.

Edited June 11, 2021 by Der schöne Günther
DelphiUdIT, Posted June 11, 2021:

> 22 minutes ago, Der schöne Günther said: @DelphiUdIT, can you give us a product name? Sounds interesting, especially the costs.

To buy and use the device you must have a business in Italy (through the provincial Chamber of Commerce) or live in Italy. It should be the same for the other Italian providers too; they issue the digital signature on permission of the Italian authority. I don't know if someone in Italy can issue a digital signature to foreign people.

Bye
Wil van Antwerpen, Posted June 12, 2021 (edited):

Hi,

> I also still struggle to understand if an EV certificate is really good for anything besides drivers. I don't have a source at hand, but I remember that Microsoft SmartScreen will automatically grant an EV signed application a higher reputation than with a regular certificate.

Exactly that. If you offer your software as a download then SmartScreen will be a real PITA for your users unless your software was signed with an EV certificate. About 3 times a user gets asked if they really want to do this: first deny the download, then pop up a "not often installed" warning with cancel as the default choice, then another warning of which I forgot the details. Sorry, can't test that now as Microsoft has finally started accepting my normal certificate again (after 5 months of pain).

There I was, just coming to the conclusion that one of these days I have to accept that the certificate I had bought for 3 years is worthless and that only an EV code signing certificate is going to offer a painless installation for end users. (pffff...)

Edit: you asked for a link: https://www.ssl.com/faqs/which-code-signing-certificate-do-i-need-ev-ov/

> Microsoft SmartScreen Reputation
> According to Microsoft’s FAQ, its reputation-based SmartScreen filter “checks the files that you download against a list of files that are well known and downloaded by many people who use Internet Explorer. If the file that you’re downloading isn’t on that list, SmartScreen will warn you.” Signing your code is not required to earn a SmartScreen reputation, but EV-signed code’s extra level of trust lets developers skip this hurdle altogether: An EV code signing certificate offers an immediate reputation with Microsoft SmartScreen, so your users will never have to click through a SmartScreen warning in Windows. With an OV certificate, SmartScreen reputation must be built organically, as users download and install your files. SmartScreen warnings may occur until enough software proves sufficiently popular with Windows users for SmartScreen to view it as “well known.”

I have lost so much time (and sales) on this that when the next renewal comes I will not doubt and buy an EV certificate instead of the (much cheaper) OV one.

Edited June 12, 2021 by Wil van Antwerpen
Der schöne Günther, Posted June 14, 2021:

Thank you for clearing this up. Absolutely. As far as I understand, an OV certificate might be sufficient for freeware tools, but for something you sell, it seems it should most definitely be an EV one.

An alternative would be using the App Store, which is something I am considering. Cost is a one-time fee of 100 US $ for a company developer account; after that, Microsoft's infrastructure takes care of hosting, certificates and so on.
Davide Angeli, Posted June 14, 2021:

We have been using this one for several years: https://www.certum.eu/en/code-signing-certificates/

They give us a USB token containing the certificate. To apply the certificate to our exe, dll, bpl, installers etc. I've created a small custom internal Delphi tool using this library: SecureBlackBox. It's not cheap, but we are using it for other digital signing purposes and it works fine interacting with tokens and certificates.
corneliusdavid, Posted June 22, 2021:

Lots of good information in this thread, but I'll add a blog I wrote a couple of months ago that explains how I use a certificate from K Software (less than $100 a year) to sign both Delphi apps and installs built with InnoSetup: What can Code Signing do for you? Perhaps it'll add something useful for someone.