How can I make a safe app for any systems?

[Tomi]

When I make a program and publish it in my website, after the first download and attempting to run, the Windows warns me with a "Windows protected your PC" message and I can running it only at my own risk.
This is probably because I don't know, where can I add author, company, etc. properties to my program, because if these properties exist, the OS allows running immediately the downloaded program. Therefore, without these settings, Windows decides, it is not a safe program.
Is there a way in Lazarus to fill anywhere these properties to prevent emergence of this warning? As I know, maybe this is the "digital signature".

[Zvoni]

When I make a program and publish it in my website, after the first download and attempting to run, the Windows warns me with a "Windows protected your PC" message and I can running it only at my own risk.
This is probably because I don't know, where can I add author, company, etc. properties to my program, because if these properties exist, the OS allows running immediately the downloaded program. Therefore, without these settings, Windows decides, it is not a safe program.
Is there a way in Lazarus to fill anywhere these properties to prevent emergence of this warning? As I know, maybe this is the "digital signature".

Project-Options?

[LeP]

Is there a way in Lazarus to fill anywhere these properties to prevent emergence of this warning? As I know, maybe this is the "digital signature".

What you can include in any application (in Lazarus, where @Zvoni replied) are descriptions that have no "security" value.
What you call a "digital signature" requires accreditation with one of the providers that provide code signing certificates.
There are different types of these certificates, with significantly different costs (from a few dozen dollars per year to hundreds of dollars per year).

[Nimbus]

For reference, https://wiki.freepascal.org/Code_Signing_for_Windows

[RayoGlauco]

As far as I know, even if you spend a considerable amount of money to digitally sign your programs, Windows can still block them.

Google says: "Digitally signing your program greatly helps prevent Windows from blocking it, as it gives it reputation and trust, but it's not a complete guarantee, since Windows SmartScreen can still be cautious with new or unfamiliar files."

Once your program has gained a good reputation and is no longer blocked, releasing a new version means starting all over again.

[LeP]

As far as I know, even if you spend a considerable amount of money to digitally sign your programs, Windows can still block them.
Google says: "Digitally signing your program greatly helps prevent Windows from blocking it, as it gives it reputation and trust, but it's not a complete guarantee, since Windows SmartScreen can still be cautious with new or unfamiliar files."
Once your program has gained a good reputation and is no longer blocked, releasing a new version means starting all over again.

This is true, but if you buy a EV code signing your reputation will be boosted (but you have to pay a lot of money).

[Tomi]

Project-Options?

So, do I have to fill some fields in Project Options / Version Info / Other info group? For example the CompanyName and FileVersion to make these visible when the user clicks with right mouse button on EXE file?
https://wiki.freepascal.org/images/e/e1/popt.png

[LeP]

So, do I have to fill some fields in Project Options / Version Info / Other info group? For example the CompanyName and FileVersion to make these visible when the user clicks with right mouse button on EXE file?

Yes, but these are simple textual informations. Nothing to do with safety and security.

Fill those don't change any AV or SmartScreen actions.

[marcov]

Windows also tags files that come from external sources (network, usb, zipfile?). The right way is to install via an installer, preferably MSI with such paid for signature.

[Raskaton]

When I was searching for a solution to a similar problem, I discovered that you can use a so-called "self-signed certificate". It's free, but requires knowledge of certificate generation.
This certificate ensures that the user is informed of who signed the code. However, the application launch prompt will still appear with yellow dialog: "Do you thrust to SomeCompanyName? Run app?".
You also need to create an installer (I recommend InnoSetup + InnoScriptStudio pascal-like scripts) and sign it with the same certificate.

I abandoned this because I couldn't find a fast way to sign exe&dll under Linux while cross-compille. But, it is posible:
https://github.com/mtrojnar/osslsigncode
https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537364(v=vs.85)

Inno Setup and Inno Script Studio support code signing your installer and uninstaller executables using Microsoft's signtool.exe or other command-line signing tools. But I couldn't get signtool.exe to work in Wine.

I think the easiest and most convenient way to set up signing is in Inno. This makes it easy to support new versions by combining the installation process and signing all Windows files.

PS used InnoSetup in Wine+Linux

[LeP]

When I was searching for a solution to a similar problem, I discovered that you can use a so-called "self-signed certificate". It's free, but requires knowledge of certificate generation.
This certificate ensures that the user is informed of who signed the code. However, the application launch prompt will still appear with yellow dialog: "Do you thrust to SomeCompanyName? Run app?".
You also need to create an installer (I recommend InnoSetup + InnoScriptStudio pascal-like scripts) and sign it with the same certificate.

You cannot use self-signed certificate. To sign a file (msi, exe, dll, pdf, etc ...) you must have a valid signature certified and generated by hard key (like usb token or other hardware token).

A self signed is valid only for test, no one can trust (and will not trust) about a certificate not relaesed by a CA. If you want to try there plenty of user guides that explain how to do: this is one signcode tool that works in Linux (Ubuntu) https://manpages.ubuntu.com/manpages/noble/en/man1/signcode.1.html and you can use it to sign PE files with your self-signed certificate.

[Raskaton]

You cannot use self-signed certificate. To sign a file (msi, exe, dll, pdf, etc ...) you must have a valid signature certified and generated by hard key (like usb token or other hardware token).

To be more precise, the process consists of two stages:
1. Create a self-signed certificate signed by your custom CA (like, MyCompanyCA.crt)
2. Create a self-generated certificate signed by your custom CA (like, MyCompanyCodeSign.crt)
I have usb tokens, but this is only recomendation. Files can be used also.
Cert must be generated RSA2048/4084 and have OID for "Code signing". No other MUST, as I know.

A self signed is valid only for test, no one can trust (and will not trust) about a certificate not relaesed by a CA.

I've seen many applications that use this approach in production.
The key is that the installer and the application itself are signed with the same certificate. Then, when you run the installer, you'll be asked to trust the publisher using information from your certificate. Once you agree to trust it, the OS will remember this certificate as trusted. When you launch the application, the OS won't display a warning because you trusted the certificate during installation. Therefore, it's important to create an installer with the same signature so that the user only sees the trust prompt once during installation.
Commercial CA don't tell to as that 3 dialogs exists:
1. Unknown publisher. When code not signed at all.
2. Unverified publisher. When code signed by self-generated (self-signed CA) cert.
3. Verified publisher. When buy cert.
Last two options in prompt dialog have info about company name, site, contacts, adress. I attached two old screens.

If you want to try there plenty of user guides that explain how to do: this is one signcode tool that works in Linux (Ubuntu) https://manpages.ubuntu.com/manpages/noble/en/man1/signcode.1.html and you can use it to sign PE files with your self-signed certificate.

Wow! I don't have this in my distro. I'll definitely try it when I get a chance.

[LeP]

I've seen many applications that use this approach in production.
The key is that the installer and the application itself are signed with the same certificate. Then, when you run the installer, you'll be asked to trust the publisher using information from your certificate. Once you agree to trust it, the OS will remember this certificate as trusted. When you launch the application, the OS won't display a warning because you trusted the certificate during installation. Therefore, it's important to create an installer with the same signature so that the user only sees the trust prompt once during installation.
2. Unverified publisher. When code signed by self-generated (self-signed CA) cert.
Last two options in prompt dialog have info about company name, site, contacts, adress. I attached two old screens.

At that time who agree to install something that at not signed by a verify CA (untrusted) ?
You can insert whatever you want in the untrusted certificate, you can "write" that you are Microsoft too.

Only the big companies with an internal IT office have those procedures (and of course only for internal porpouse), and I know lot of them that migrate to standard certificate.

Security should be at the first place.