Signing executables

[Silver Black 23]

What do you use to sign your executables? Is there a subscription fee to pay yearly the certificate or what? 

[Lars S 1]

Hi. You have to purchase a "Code signing certificate". Just Google the term and you will find many possible suppliers.

Typically the certificate you purchase is valid for a number of years and then you have to renew it.

[Uwe Raabe 2057]

I am happy with a certificate from ksoftware since a couple of years now.

[Silver Black 23]

5 minutes ago, Uwe Raabe said:

I am happy with a certificate from ksoftware since a couple of years now.

It seems nice, thank you. Just a question: a signed exe will be signed life-time or once the certificate expire that exe won't be signed anymore?

[Vincent Parrett 750]

If you also timestamp the signature, the exe will be signed permanently. If you skip timestamping the signature will no longer be valid once the certificate expires.

 

This blog post covers codesigning & timestamping

 

[Thijs van Dien 9]

I have a certificate issued by Comodo and let Inno Setup take care of it. As also covered in the blog post linked above, if you obtain a timestamp from a trusted party (special server) when signing, the signature will remain valid. For me the most useful resource was this: https://www.zabkat.com/blog/code-signing-sha1-armageddon.htm.

[Silver Black 23]

Thank you to all of you.

[Vincent Parrett 750]

@Thijs van Dien In my experience the signing feature in Innosetup was fragile, mostly because if the timestamping failed (due to the server not responding, happens a lot) then you had to recompile the whole thing again. Better to do the signing and timestamping seperate from the innosetup step (using signtool), and the signing and timestamping separately so you can retry when timestamping fails.

[Thijs van Dien 9]

@Vincent Parrett Later versions of Inno Setup have several options for retrying, so it's not a problem for me. The only thing that still doesn't work to well is aborting the compilation when it's signing.