Author Topic: Certifying windows executables?  (Read 3822 times)

Michael Collier

  • Sr. Member
  • ****
  • Posts: 266
Certifying windows executables?
« on: September 29, 2021, 06:32:52 pm »
I notice Windows 10 gives me/anyone a warning that a publisher is unknown after unzipping and attempting to run an exe.

Has anyone ever "registered" and if so what authority did they register with, what was the experience like (slow/fast), cost etc??

My existing "certificates" are for HTTPS e.g. LetsEncrypt - but I'm assuming these are not the type I need for this?

Thanks in advance,
Mike


Thaddy

  • Hero Member
  • *****
  • Posts: 10991
Re: Certifying windows executables?
« Reply #1 on: September 29, 2021, 06:49:55 pm »
My existing "certificates" are for HTTPS e.g. LetsEncrypt - but I'm assuming these are not the type I need for this?
Correct. You will need a codesigning certificate from ultimately Microsoft, although third parties supply them too. (Again, ultimately Microsoft)
Downside: There is some money involved. (not too much for professional use)
Upside: FPC/Lazarus has a codesigning option through a package available from OPM.
The same goes for Apple, btw.
« Last Edit: September 29, 2021, 06:52:29 pm by Thaddy »
The average programmer productivity is 4-5 hours per day. Peak performance 72 hours for short bursts. MTBF is 1 second or less.

Michael Collier

  • Sr. Member
  • ****
  • Posts: 266
Re: Certifying windows executables?
« Reply #2 on: September 29, 2021, 07:53:25 pm »
Great - I installed CodeSigningHelper  - thanks Thaddy.

For anyone else reading this in the future, the developer's website is
https://www.ccrdude.net/LazCodeSigningHelper/
The online package manager link wouldn't take me there (uses http rather than https).
forum info:
https://forum.lazarus.freepascal.org/index.php/topic,36861.0.html

Plenty to read... thanks again :)


skalogryz

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2718
    • havefunsoft.com
Re: Certifying windows executables?
« Reply #3 on: September 29, 2021, 07:57:09 pm »
Has anyone ever "registered" and if so what authority did they register with, what was the experience like (slow/fast), cost etc??
Depends on the kind of the certificate you're trying to get.

In order to have the application launch without any "questions", you'll need to purchase an EV certificate. It costs around $500 (prices may vary, but I doubt you can find anything below $350).
The approval might take about a week, since they will do the verification of your actual existence.  (The existence of your company).
If they are prompt enough they might get you verified in a matter of a day or two. (for me it took about 3 weeks).
Note that EV certificates are usually "hardware" generated. Meaning you'll have some sort of hardware device in order to sign an app. (The hardware device also needs to be mailed to you... which adds the time to the point when you can finally sign an app)

You can get a simple certificate, but it will still show "running application by .... Name of your company"
Simple certificates are cheaper.. about $100

Keep in mind that certificates expire and must be renewed (usually for the same price, or a bit more expensive, if you used some promo when buying the first certificate). The renewal process is as fast as simply paying for it. But if you miss the payment and don't renew, you might have to pass the reapproval process again.


You can't use your HTTPS certificate. Your HTTPS certificate was given for a domain name, not an executable.
However, the same authority that issued your HTTPS certificate might also be providing code signing certificates (and you might be eligible for a discount of some sort).
« Last Edit: September 29, 2021, 08:01:03 pm by skalogryz »

Thaddy

  • Hero Member
  • *****
  • Posts: 10991
Re: Certifying windows executables?
« Reply #4 on: September 29, 2021, 08:55:14 pm »
Well $500 is a bit expensive. Depends on country it seems. (I pay in the region of the $100 you mentioned for a full one, directly from Microsoft, I have an MSDN subscription, though. That might be the cause I pay less for EV)
You are correct that it needs to be renewed, but only for developers. Once an application is signed it needs no further renewals. Signed is signed and will stay "forever".

Note it is also possible to self sign or internal sign - internal authority -, but that takes some administration for every user/machine.
« Last Edit: September 29, 2021, 08:59:22 pm by Thaddy »

skalogryz

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2718
    • havefunsoft.com
Re: Certifying windows executables?
« Reply #5 on: September 29, 2021, 10:22:18 pm »
Well $500 is a bit expensive.
Comodo EV (I think one of the cheapest)
$399 per year for EV, without a promotion.

Digicert $699 per year for EV.

¯\_(ツ)_/¯

Depends on country it seems.
No matter what the country is, we all live in the same digital space :)

Once an application is signed it needs no further renewals. Signed is signed and will stay "forever".
Only if the app is signed with the timestamp (which is acquired via the proper certified server. Such server is usually provided by the party that issues the certificate).
Otherwise the signature expires as well.

Obviously everyone is using a timestamped signing.
« Last Edit: September 29, 2021, 10:28:16 pm by skalogryz »

Michael Collier

  • Sr. Member
  • ****
  • Posts: 266
Re: Certifying windows executables?
« Reply #6 on: September 29, 2021, 10:28:35 pm »
If I do..

Menu->Project->Codesign Project->Attach code signature to executable

I get message..

Error: Unable to find signing executable !

Not surprising, because at this stage I haven't configured anything, but I can't seem to find anywhere to set a path to signtool.exe on my hard drive.

It was already on my drive at this location..
C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\signtool.exe

I don't have the same configuration options as the image on the designer's website here:
https://www.ccrdude.net/LazCodeSigningHelper/ide-options.png

Any ideas?

skalogryz

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2718
    • havefunsoft.com
Re: Certifying windows executables?
« Reply #7 on: September 29, 2021, 10:31:27 pm »
Any ideas?
Try to use signtool from the command line.

A bit off-topic. So far, automated signing in the IDE is only needed if the security settings prevent starting unsigned executables.
Signing is usually needed when it's time to make a release or deploy the app elsewhere.
« Last Edit: September 29, 2021, 10:35:33 pm by skalogryz »

Michael Collier

  • Sr. Member
  • ****
  • Posts: 266
Re: Certifying windows executables?
« Reply #8 on: September 29, 2021, 10:41:39 pm »
Thanks,

signtool.exe runs from the command line, it gives expected errors that certificates were not found..

SignTool Error: No certificates were found that met all the given criteria.

But isn't signtool.exe supposed to be fired from within the IDE - and give certificate errors from there?

skalogryz

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2718
    • havefunsoft.com
Re: Certifying windows executables?
« Reply #9 on: September 29, 2021, 10:53:40 pm »
But isn't signtool.exe supposed to be fired from within the IDE -and give certificate errors from there?
I'd think it is supposed to do that... but doesn't do it for some reason.
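
An added example, not part of any post in this thread and not code from CodeSigningHelper: it lists the certificates in the personal stores that are actually usable for code signing (an empty result is the usual reason for the SignTool "No certificates were found" error in Reply #8), and it checks whether a signed executable carries the timestamp discussed in Reply #5. The function names and the sample file name are hypothetical; the cmdlets are standard Windows PowerShell.

```powershell
# Added example. Get-SigningCandidates, Test-ReleaseSignature and the
# sample path at the bottom are illustrative names, not from the thread.

function Get-SigningCandidates {
    # A certificate can sign code only if it has the Code Signing EKU
    # (which an HTTPS/TLS certificate lacks), an accessible private key,
    # and a validity period that covers the current time.
    $now = Get-Date
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        Get-ChildItem -Path $store -CodeSigningCert -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    HasPrivateKey = $_.HasPrivateKey
                    NotAfter      = $_.NotAfter
                    Usable        = $_.HasPrivateKey -and
                                    ($_.NotBefore -le $now) -and
                                    ($_.NotAfter -gt $now)
                }
            }
    }
}

function Test-ReleaseSignature {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($file in $Path) {
        $sig = Get-AuthenticodeSignature -FilePath $file
        # TimeStamperCertificate is $null when no timestamp was applied;
        # such a signature stops validating once the signer certificate expires.
        $timestamped = $null -ne $sig.TimeStamperCertificate
        [pscustomobject]@{
            File           = $file
            Status         = $sig.Status   # Valid, NotSigned, HashMismatch, ...
            Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
            SignerNotAfter = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter }
            Timestamped    = $timestamped
            ReleaseReady   = ($sig.Status -eq 'Valid') -and $timestamped
        }
    }
}

# Usage (hypothetical file name):
#   Get-SigningCandidates | Format-Table -AutoSize
#   Test-ReleaseSignature -Path '.\project1.exe'
```

Running `Test-ReleaseSignature` over every binary in a release folder before publishing catches both unsigned files and files signed without a timestamp.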

Aidex

  • Jr. Member
  • **
  • Posts: 82
Re: Certifying windows executables?
« Reply #10 on: September 30, 2021, 05:46:00 am »
Hi!
I use this "OV Code Signing Certificate" for my Windows software. The certificate costs around 80 euros per year.
https://www.ksoftware.net/code-signing-certificates/
On that page you can also find a small freeware "kSign" to sign an .exe manually.
For me this is a simple and relatively inexpensive solution.
Regards, Jörg

ASBzone

  • Hero Member
  • *****
  • Posts: 616
  • Automation leads to relaxation...
    • Free Console Utilities for Windows (and a few for Linux) from BrainWaveCC
Re: Certifying windows executables?
« Reply #11 on: November 22, 2021, 05:37:51 am »
I notice Windows 10 gives me/anyone a warning that a publisher is unknown after unzipping and attempting to run an exe.

Has anyone ever "registered" and if so what authority did they register with, what was the experience like (slow/fast), cost etc??

My existing "certificates" are for HTTPS e.g. LetsEncrypt - but I'm assuming these are not the type I need for this?

Thanks in advance,
Mike


You need a code signing cert, and you can get them rather inexpensively (~US$70/yr) or very expensively (upwards of $500/year)

See one source that I use to obtain mine (for the past 4 years):   https://cheapsslsecurity.com/sslproducts/codesigningcertificate.html

-ASB: https://www.BrainWaveCC.com/

Lazarus v2.0.13 r64843 / FPC v3.2.1-r49055 (via FpcUpDeluxe) -- Windows 64-bit install w/Win32 and Linux/Arm cross-compiles
Primary System: Windows 10 Pro x64, Version 2009 (Build 19042)
Other Systems: Windows 10 Pro x64, Version 2009 (Build 19042) or greater

ASBzone

  • Hero Member
  • *****
  • Posts: 616
  • Automation leads to relaxation...
    • Free Console Utilities for Windows (and a few for Linux) from BrainWaveCC
Re: Certifying windows executables?
« Reply #12 on: November 22, 2021, 05:38:43 am »
Any ideas?
Try to use signtool from the command line.

A bit off-topic. So far, automated signing in the IDE is only needed if the security settings prevent starting unsigned executables.
Signing is usually needed when it's time to make a release or deploy the app elsewhere.

I also have a script that leverages SignTool from Microsoft...
-ASB: https://www.BrainWaveCC.com/

SymbolicFrank

  • Hero Member
  • *****
  • Posts: 745
Re: Certifying windows executables?
« Reply #13 on: November 22, 2021, 09:10:58 am »
The last time I did this, the difference in price was due to Microsoft SmartScreen. It is the thing that blocks people from running "unsafe" executables, which is: anything not on the whitelist. You can get on the whitelist if enough people run it anyway, or by paying for the expensive certificate.

trev

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1690
  • Former Delphi 1-7, 10.2 user
Re: Certifying windows executables?
« Reply #14 on: November 22, 2021, 10:18:48 am »
You can get on the whitelist if enough people run it anyway, or by paying for the expensive certificate.

Or by gaming the system (ie downloading your signed executable enough times from any website with a clean reputation). Security ;-)
Lazarus 2.3, FPC 3.3.1 macOS 12.0.1 x86_64 Xcode 13.1
Lazarus 2.3, FPC 3.3.1 macOS 12.0.1 aarch64 Xcode 13.1
Lazarus 2.3, FPC 3.2.2 FreeBSD 13.0 amd64 VM
Lazarus 2.3, FPC 3.2.2 FreeBSD 12.2 amd64 VM
Lazarus 2.1 r61574 FPC 3.0.4 Ubuntu 20.04 VM
Lazarus 2.0.10 FPC 3.2.0 Win10 VM