Forum > Windows

Certifying windows executables?

(1/4) > >>

Michael Collier:
I notice Windows10 gives me/anyone a warning that a publisher is unknown after unzipping and attempting to run an exe.

Has anyone ever "registered" and if so what authority did they register with, what was the experience like (slow/fast), cost etc??

My existing "certificates" are for HTTPS e.g. LetsEncrypt - but I'm assuming these are not the type I need for this?

Thanks in advance,
Mike

Thaddy:

--- Quote from: Michael Collier on September 29, 2021, 06:32:52 pm ---My existing "certificates" are for HTTPS e.g. LetsEncrypt - but I'm assuming these are not the type I need for this?

--- End quote ---
Correct. You will need a codesigning certificate from ultimately Microsoft, although third parties supply them too. (Again, ultimately Microsoft)
Downside:There is some money involved. (not too much for professional use)
Upside: FPC/Lazarus has a codesigning option through a package available from OPM.
The same goes for Apple, btw.

Michael Collier:
Great - I installed CodeSigningHelper  - thanks Thaddy.

For anyone else reading this in the future, the developers website is
https://www.ccrdude.net/LazCodeSigningHelper/
The online package manager link wouldn't take me there (uses http rather than https).
forum info:
https://forum.lazarus.freepascal.org/index.php/topic,36861.0.html

Plenty to read... thanks again :)

skalogryz:

--- Quote from: Michael Collier on September 29, 2021, 06:32:52 pm ---Has anyone ever "registered" and if so what authority did they register with, what was the experience like (slow/fast), cost etc??

--- End quote ---
Depends on the kind of the certificate you're trying to get.

In order to have the application launching without any "questions", you'll need EV certificate to be purchased. It's costs around $500 (prices may vary, but I doubt you can find anything below $350).
The approval might take about a week, since they will do the verification of your actual existence.  (The existence of your company).
If they are prompt enough they might get you verified in a matter of a day or two. (for me it took about 3 weeks).
Note that EV certificates are usually "hardware" generated. Meaning you'll have some sort of hardware device in order to sign an app. (The hardware device also needs to be mailed to you... which adds the time to the point when you can finally sign an app)

You can get a simple certificate, but it will still show "running application by .... Name of your company"
Simple certificates are cheaper.. about $100

Keep in mind that certificates expire and must be renewed (usually for  the same price, or a bit expensive, if you used some promo when buying the first certificate). Renewal process is as fast as simply paying for it. But if you miss the payment and don't renewal, you might have to pass the reapproval process again.


You can't use your HTTPS certificate. Your HTTPS certificate was given for a domain name, not an executable.
However, the same authority that issued your HTTPS certificate might also be providing code signing certificates (and you might  be eligible for a discount of some sort)

Thaddy:
Well $500 is a bit expensive. Depends on country it seems. (I pay in the region of the $100 you mentioned for a full one, directly from Microsoft, I have a msdn subsciption, though. That might be the cause I pay less for EV)
You are correct that it needs to be renewed, but only for developers. Once an application is signed it needs no further renewals. Signed is signed and will stay "forever".

Note it is also possible to self sign or internal sign - internal authority -, but that takes some administration for every user/machine.

Navigation

[0] Message Index

[#] Next page

Go to full version