Certifying windows executables?

[AlexTP]

I just stored the good info from this topic here:
https://wiki.freepascal.org/Code_Signing_for_Windows

[boosted36]

My existing "certificates" are for HTTPS e.g. LetsEncrypt - but I'm assuming these are not the type I need for this?

Correct. You will need a codesigning certificate from ultimately Microsoft, although third parties supply them too. (Again, ultimately Microsoft)
Downside:There is some money involved. (not too much for professional use)
Upside: FPC/Lazarus has a codesigning option through a package available from OPM.
The same goes for Apple, btw.

There are various CAs that offer different kind of code signing certs such as Standard and Extended Verification. Pricing also varies depending on it's type and brand. You can compare different brands here - https://signmycode.com/

[Thaddy]

You probably missed my point that Microsoft is the ultimate CA, also for the other certificate issues? Hence, the root CA is always Microsoft itself.

[PascalDragon]

You probably missed my point that Microsoft is the ultimate CA, also for the other certificate issues? Hence, the root CA is always Microsoft itself.

You're wrong. The only important point is that the Windows Certificate Store contains a root certificate for your code signing certificate (or the code signing certificate itself).
For example the root certificate for the software we produce at work is from Sectigo, not Microsoft.
Also for PowerShell scripts we use a code signing certificate which is signed from an intermediate certificate which is in turn signed from a custom, internal root certificate which is distributed to the company's computers through Group Policies.