
Codesigning (Authenticode) IDE package


CCRDude:
Here's another plugin I wrote for my daily use. This is only useful for those developers who invest in getting a codesigning certificate.

I tend to codesign all Windows files I create with Lazarus. Previously, I've been doing this with post-build events. Updating these for all projects was tedious (e.g. when I introduced SHA256 in addition to SHA1 signing, when the certificate changed, when the timestamping server changed, when page hashing was added, ...).

With this package, there's a central IDE Options page to set up the certificate, timestamping server, signtool executable location, and a few more attributes, so global changes are much easier. The description is picked from the current project. A flag in the Options allows auto-signing after each build, and there's a menu item to do it manually. Project-specific settings are something I'm thinking about.

LazCodeSigningHelper
Feedback welcome. Screenshots at the link above.
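As an added example (not LazCodeSigningHelper's code, nor anything the author posted): a Python sketch of the signtool calls that such central settings imply, with SHA1 plus appended SHA256 signing, page hashes and timestamping as described in the post. The setting names, the `redacted()` helper and the sample values are assumptions; the signtool switches are real.

```python
# Added example, not LazCodeSigningHelper's code: the setting names are
# assumptions; the signtool switches (/f /p /d /ph /fd /t /tr /td /as) are real.
import subprocess
from dataclasses import dataclass

@dataclass
class SigningSettings:
    signtool: str           # path to signtool.exe (central IDE setting)
    pfx_path: str           # PKCS#12 certificate file
    pfx_password: str
    authenticode_ts: str    # legacy Authenticode timestamp server, used with /t
    rfc3161_ts: str         # RFC 3161 timestamp server, used with /tr
    page_hash: bool = True  # /ph: include page hashes so pages verify as mapped
    dual_sign: bool = True  # SHA1 primary signature plus appended SHA256

def build_sign_commands(s: SigningSettings, exe: str, description: str) -> list[list[str]]:
    # Order matters: SHA1 must be the primary signature and SHA256 appended
    # with /as; older clients only read the primary signature.
    common = ["/f", s.pfx_path, "/p", s.pfx_password, "/d", description]
    if s.page_hash:
        common.append("/ph")
    cmds = []
    if s.dual_sign:
        cmds.append([s.signtool, "sign", *common, "/fd", "sha1",
                     "/t", s.authenticode_ts, exe])
    sha256 = [s.signtool, "sign", *common, "/fd", "sha256",
              "/tr", s.rfc3161_ts, "/td", "sha256"]
    if s.dual_sign:
        sha256.append("/as")  # append, do not replace the SHA1 signature
    cmds.append(sha256 + [exe])
    # Check every signature against the default Authenticode policy.
    cmds.append([s.signtool, "verify", "/pa", "/all", exe])
    return cmds

def redacted(cmd: list[str]) -> list[str]:
    """Copy of cmd with the /p password masked, safe for build logs."""
    out = list(cmd)
    for i, tok in enumerate(out[:-1]):
        if tok == "/p":
            out[i + 1] = "***"
    return out

def sign_file(s: SigningSettings, exe: str, description: str) -> None:
    """Post-build step: run each command in order, stop at the first failure."""
    for cmd in build_sign_commands(s, exe, description):
        print("running:", " ".join(redacted(cmd)))
        subprocess.run(cmd, check=True)
```

`sign_file()` needs a Windows machine with signtool installed; `build_sign_commands()` can be inspected anywhere.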

mig-31:
What about other OS: Linux, MacOs?

CCRDude:
I would have to check what options these OS have...

macOS has a command line tool "codesign". Since I'm often working from a Mac (just RDP'ing to the Windows dev machine), I probably could easily adapt to macOS-specific codesigning stuff. Just a different Options frame, a different executable to call and different parameters, if TProcess works the same on macOS.

I use Linux on a few servers, but have no idea at all whether there's any similar codesigning available there. I know that Debian packages are signed, for example, but I know nothing about single executables. Can you give me a hint about how it's done on Linux?

Phil:

--- Quote from: CCRDude on May 12, 2017, 05:44:54 pm ---macOS has a command line tool "codesign". Since I'm often working from a Mac (just RDP'ing to the Windows dev machine), I probably could easily adapt to macOS-specific codesigning stuff. Just a different Options frame, a different executable to call and different parameters, if TProcess works the same on macOS.

--- End quote ---

Looks like you've done a thorough job. This is certainly something that the Laz IDE has always lacked and that all other IDEs have had for a long time.

It would be nice if this could support OS X too. For anyone interested, here's Apple's documentation on codesigning:

https://developer.apple.com/library/content/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html

Back when I still developed Windows desktop apps, I typically only signed the installer, not the executable included in the installer. While it's a good idea to sign all executables, the installer is the first one the user will see and many organizations won't allow unsigned installers to be run. I always just used signtool in a batch file, but I believe Inno Setup also has support for including signing in the .iss script. That's probably the one piece missing here and an important piece, although it may be beyond what should be done in the IDE.

I also RDP into my Windows Server (on AWS) from my Mac. I use Microsoft Remote Desktop - very nice and works perfectly.

Note that the distributed Lazarus IDE executables and installers are never signed. They should be.

Thaddy:
Code signing is not normally something you would do unless in a commercial setting.
Furthermore, both Apple and Microsoft require you to obtain certificates from them.
That is not free and requires several other steps to adhere to depending on your requirements.

I hope nobody is under the impression that this plug-in opens up code signing for Authenticode in a general sense.
It is very important and should be stressed that this is NOT the case. It is a feature that is only useful for a limited part of our community.

It is possible to sign with a self generated certificate, though, but you will run into trouble during commercial deployment.

A proper certificate should be obtained through a trusted authority that can sign with an MS root certificate. See: http://go.microsoft.com/fwlink/p/?linkid=203607
