Certifying windows executables?

[AlexTP]

I just stored the good info from this topic here:
https://wiki.freepascal.org/Code_Signing_for_Windows

[boosted36]

My existing "certificates" are for HTTPS e.g. LetsEncrypt - but I'm assuming these are not the type I need for this?

Correct. You will need a codesigning certificate from ultimately Microsoft, although third parties supply them too. (Again, ultimately Microsoft)
Downside:There is some money involved. (not too much for professional use)
Upside: FPC/Lazarus has a codesigning option through a package available from OPM.
The same goes for Apple, btw.

There are various CAs that offer different kind of code signing certs such as Standard and Extended Verification. Pricing also varies depending on it's type and brand. You can compare different brands here - https://signmycode.com/

[Thaddy]

You probably missed my point that Microsoft is the ultimate CA, also for the other certificate issues? Hence, the root CA is always Microsoft itself.

[PascalDragon]

You probably missed my point that Microsoft is the ultimate CA, also for the other certificate issues? Hence, the root CA is always Microsoft itself.

You're wrong. The only important point is that the Windows Certificate Store contains a root certificate for your code signing certificate (or the code signing certificate itself).
For example the root certificate for the software we produce at work is from Sectigo, not Microsoft.
Also for PowerShell scripts we use a code signing certificate which is signed from an intermediate certificate which is in turn signed from a custom, internal root certificate which is distributed to the company's computers through Group Policies.

[ASBzone]

There are various CAs that offer different kind of code signing certs such as Standard and Extended Verification. Pricing also varies depending on it's type and brand. You can compare different brands here - https://signmycode.com/

And, just so everyone knows, as of 2023 the expense for code signing certs have gone up, and the requirements for how they are stored have increased.


I renewed mine just a month ago, and it was a huge uplift over the old price I paid in 2019 and 2022.   But I did about 25% than the prices I saw in the link you used.

[Thaddy]

It is still from $119 upto $189 for a standard code signing certificate, EV from $219.
But the cheapest option is to register for the Microsoft store which is just $19 for a signing certificate and is perpetual. This is particularly useful if you have just 1 main piece of software that you want to distribute. This is information from Microsoft itself as per today.
Btw: the store option does not tie you to the store like Apple does (tries to do: probably illegal in Europe). You can distribute your signed software through other channels too.

BTW: I am prepared to pay for the store option for the MS platforms regarding the compilers. (Offer will likely not expire.)

[rvk]

It is still from $119 upto $189 for a standard code signing certificate, EV from $219.

Can you give a link to the one for $119 upto $189.
(I'm not sure those ones still exists)

Also... are you suggesting the $19 for the store includes a code signing certificate with which you can sign normal Windows executables?
A link to that information would be great too.

(But I don't think that store certificate is something you can really use for other programs)

Edit: So it's only for actual distribution via the Microsoft Store. Not very helpful otherwise.

When you submit an app to the Microsoft Store, Microsoft automatically signs your app with its own certificate during the submission process. This means you don't need to provide your own code signing certificate for apps distributed through the Microsoft Store.

But I would still like the link to those other sites.

[Thaddy]

Can you give a link to the one for $119 upto $189.
(I'm not sure those ones still exists)

This was from this morning from Microsoft.
Are you lazy?

Also... are you suggesting the $19 for the store includes a code signing certificate with which you can sign normal Windows executables?

Just one, but other versions can be signed too at no cost.

A link to that information would be great too.

You ARE lazy.

(But I don't think that store certificate is something you can really use for other programs)

The $19 option is not for a specific executable but for a specific piece of software that may change over time.

Oh, can't you find the Microsoft developers website?

No nonsense please, Rik.
Oh wel that is enough for today.
Looks like a duck (subsitute) walks like a duck, floats on water and therefor it is a.....witch...,

[Thaddy]

https://www.ssl.com/

Even cheaper..............

Now shame you.

I really don't get such...r*t*rds if I do not have enough coffee. 

 

[rvk]

Can you give a link to the one for $119 upto $189.
(I'm not sure those ones still exists)

This was from this morning from Microsoft.
Are you lazy?

No, I'm not lazy, I'm just calling your bullshit 

And you can't sign your own executables with a Microsoft Developer account and distribute it.
You can let Microsoft sign them when putting them in the Microsoft store and downloading them and then distribute them.

Are you suggesting putting all the executables of Lazarus and FPC in the Microsoft Store ?

https://www.ssl.com/

Even cheaper..............

Now shame you.

I really don't get such...r*t*rds if I do not have enough coffee. 

 

Oooo, Thaddy... you didn't read it 

That one for $64 is for 10 years.
And yes... you can purchase one for $129 for one year... but look at the small print:

Pricing Tier:
Tier 1 Monthly - $20/Mo - 20 Signings - 1 Credential
Credentials:
1
Total: $129.00

So it's just for 20 signings.

Please don't bullshit us (or at least provide the relevant details).

A normal Code signing certificate with unlimited signings is running at least in (or close to) the $200's.

[Thaddy]

Rik,

Something was funny here:

I asked Microsoft to provide me with an exact link, answer: we do not take sides, but the funny thing was that the only highlighted link was the cheapest.
 

So AI is not impartial at all and in this case secretly pointed me to the cheapest link.....

Oh, well, now we have to take care of such scenario's as well...

[rvk]

So AI is not impartial at all and in this case secretly pointed me to the cheapest link.....

Look at the number of signing you can do with that "cheapest" certificate !!!!!!

[Thaddy]

The bullshit, you have to take that back.
For one piece of software you do not need more, and updates can be signed too.

Anyway, $119 is half my hourly rate, so is still peanuts and you can sign everything.
( I still do some consultancy )

[rvk]

Anyway, $119 is half my hourly rate, so is still peanuts and you can sign everything.

Yeah, I already decided to ignore your b$ as you didn't provide any links or provide information about the $19 method from Microsoft Store.

(At least the Foundation already has a certificate, and I'm sure they pay more than $119)

[Thaddy]

microsoft.com? That is real bullshit.
DigiCert, Sectigo and GlobalSign all offer that in the range.  Comodo is slightly more expensive.

You really did not check my information. Probably need some coffee too... 

Oh, well,

https://www.youtube.com/watch?v=0yq-Fw7C26Y

Again a seasoned programmer being stupid on purpose.