Certifying windows executables?

[Michael Collier]

I notice Windows10 gives me/anyone a warning that a publisher is unknown after unzipping and attempting to run an exe.

Has anyone ever "registered" and if so what authority did they register with, what was the experience like (slow/fast), cost etc??

My existing "certificates" are for HTTPS e.g. LetsEncrypt - but I'm assuming these are not the type I need for this?

Thanks in advance,
Mike

[Thaddy]

My existing "certificates" are for HTTPS e.g. LetsEncrypt - but I'm assuming these are not the type I need for this?

Correct. You will need a codesigning certificate from ultimately Microsoft, although third parties supply them too. (Again, ultimately Microsoft)
Downside:There is some money involved. (not too much for professional use)
Upside: FPC/Lazarus has a codesigning option through a package available from OPM.
The same goes for Apple, btw.

[Michael Collier]

Great - I installed CodeSigningHelper  - thanks Thaddy.

For anyone else reading this in the future, the developers website is
https://www.ccrdude.net/LazCodeSigningHelper/
The online package manager link wouldn't take me there (uses http rather than https).
forum info:
https://forum.lazarus.freepascal.org/index.php/topic,36861.0.html

Plenty to read... thanks again

[skalogryz]

Has anyone ever "registered" and if so what authority did they register with, what was the experience like (slow/fast), cost etc??

Depends on the kind of the certificate you're trying to get.

In order to have the application launching without any "questions", you'll need EV certificate to be purchased. It's costs around $500 (prices may vary, but I doubt you can find anything below $350).
The approval might take about a week, since they will do the verification of your actual existence.  (The existence of your company).
If they are prompt enough they might get you verified in a matter of a day or two. (for me it took about 3 weeks).
Note that EV certificates are usually "hardware" generated. Meaning you'll have some sort of hardware device in order to sign an app. (The hardware device also needs to be mailed to you... which adds the time to the point when you can finally sign an app)

You can get a simple certificate, but it will still show "running application by .... Name of your company"
Simple certificates are cheaper.. about $100

Keep in mind that certificates expire and must be renewed (usually for  the same price, or a bit expensive, if you used some promo when buying the first certificate). Renewal process is as fast as simply paying for it. But if you miss the payment and don't renewal, you might have to pass the reapproval process again.


You can't use your HTTPS certificate. Your HTTPS certificate was given for a domain name, not an executable.
However, the same authority that issued your HTTPS certificate might also be providing code signing certificates (and you might  be eligible for a discount of some sort)

[Thaddy]

Well $500 is a bit expensive. Depends on country it seems. (I pay in the region of the $100 you mentioned for a full one, directly from Microsoft, I have a msdn subsciption, though. That might be the cause I pay less for EV)
You are correct that it needs to be renewed, but only for developers. Once an application is signed it needs no further renewals. Signed is signed and will stay "forever".

Note it is also possible to self sign or internal sign - internal authority -, but that takes some administration for every user/machine.

[skalogryz]

Well $500 is a bit expensive.

Comodo Ev (i think one of the cheapest)
$399 per year for Ev, without a promotion.

Digicert $699 per year for Ev.

¯\_(ツ)_/¯

Depends on country it seems.

No matter what the country is, we all live in the same digital space

Once an application is signed it needs no further renewals. Signed is signed and will stay "forever".

Only if the app is signed with the timestamp (which is acquired via the proper certified server. Such server is usually provided by the party that issues the certificate).
Otherwise the signature expires as well.

Obviously everyone is using a timestamped signing.

[Michael Collier]

If I do..

Menu->Project->Codesign Project->Attach code signature to executable

I get message..

Error: Unable to find signing executable !

Not surprising, because at this stage I haven't configured anything, but I can't seem to find anywhere to set a path to signtool.exe on my hard drive.

It was already on my drive at this location..
C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\signtool.exe

I don't have same configuration options as the image on designers website here:
https://www.ccrdude.net/LazCodeSigningHelper/ide-options.png

Any ideas?

[skalogryz]

Any ideas?

try to use signtool from commandline

A bit off-topic. So, far the only need of automated signing in IDE is only needed if the security settings prevent starting unsigned executables.
Signging is usually needed when it's time to make a release or deploy the app elsewhere.

[Michael Collier]

Thanks,

signtool.exe runs from the command line, it gives expected errors that certificates were not found..

SignTool Error: No certificates were found that met all the given criteria.

But isn't signtool.exe supposed to be fired from within the IDE -and give certificate errors from there?

[skalogryz]

But isn't signtool.exe supposed to be fired from within the IDE -and give certificate errors from there?

I'd think it is supposed to do that... but doesn't do it for some reason.

[Aidex]

Hi!
I use this "OV Code Signing Certificate" for my Windows software. The certificate costs around 80 euros per year.
https://www.ksoftware.net/code-signing-certificates/
On that page you can also find a small freeware "kSign" to sign an .exe manually.
For me this is a simple and relatively inexpensive solution.
Regards, Jörg

[ASBzone]

I notice Windows10 gives me/anyone a warning that a publisher is unknown after unzipping and attempting to run an exe.

Has anyone ever "registered" and if so what authority did they register with, what was the experience like (slow/fast), cost etc??

My existing "certificates" are for HTTPS e.g. LetsEncrypt - but I'm assuming these are not the type I need for this?

Thanks in advance,
Mike

You need a code signing cert, and you can get them rather inexpensively (~US$70/yr) or very expensively (upwards of $500/year)

See one source that I use to obtain mine (for the past 4 years):   https://cheapsslsecurity.com/sslproducts/codesigningcertificate.html

[ASBzone]

Any ideas?

try to use signtool from commandline

A bit off-topic. So, far the only need of automated signing in IDE is only needed if the security settings prevent starting unsigned executables.
Signging is usually needed when it's time to make a release or deploy the app elsewhere.

I also have a script that leverages SignTool from Microsoft...

[SymbolicFrank]

The last time I did this, the difference in price was due to Microsoft SmartScreen. It is the thing that blocks people from running "unsafe" executables, which is: anything not on the whitelist. You can get on the whitelist if enough people run it anyway, or by paying for the expensive certificate.

[trev]

You can get on the whitelist if enough people run it anyway, or by paying for the expensive certificate.

Or by gaming the system (ie downloading your signed executable enough times from any website with a clean reputation). Security ;-)