PDA

View Full Version : Qestions on signing exe's



Richard Hogg
16-Jan-2014, 09:09 AM
Forgive my ignorance again but signing is an area I've put in the "I'll look at it later" pile. I've read previously in the forum about people signing their apps so how does the new feature in 18 differ from what people were doing before.

Stephen W. Meeley
16-Jan-2014, 10:00 AM
Richard,

The biggest change here is that we added a new component (SignDataFlexProjectExe) whose main job is to update the Studio's knowledge of the .exe so that the Studio doesn't think the project needs to recompile just because the .exe has been signed (signing an .exe changes it's size).

In addition, the doc now references more in-depth information about the entire process in general and in particular using the Microsoft SignTool utility instead of the older SignCode utility. The main advantage of SignTool over SignCode is that it can automatically use certificates in the store and you don't have to type in your password every time you sign.

You still need to get your own certificate and have the utility of choice installed properly.

Peter van Mil
16-Jan-2014, 03:02 PM
Hi Richard,

I tried it today and it really works. See http://support.dataaccess.com/Forums/showthread.php?52567-Executable-signing&p=269987#post269987

Nils G. Svedmyr
17-Jan-2014, 05:52 AM
Hi Stephen,

You might have read the other thread about code signing, but I have a question for you.

How much research did you guys do with the "automatically use certificates in the store"?

The reason I'm asking is that I've used code signing for many years and to my experience you just can't leave it to MS to "automatically" decide on which certificate to use. That is a no-brainer if there only is one code certificate, but what if there is more than one?

Could you please elaborate on this?

Stephen W. Meeley
17-Jan-2014, 06:12 AM
Hi Nils,

We expect the tool to work as Microsoft specifies - nothing more and nothing less. You can find the complete specifications here...

http://msdn.microsoft.com/en-us/library/8s9b9yaz(v=vs.110).aspx

...and in particular the docs about the automatic selection state:

Automatically selects the best signing certificate. Sign Tool will find all valid certificates that satisfy all specified conditions and select the one that is valid for the longest time. If this option is not present, Sign Tool expects to find only one valid signing certificate.

Our understanding is that the other options are what help determine which certificate is selected.

Lately, it is up to each developer to determine if they want to take advantage of the automatic selection. You do not have to do it that way.

Nils G. Svedmyr
20-Jan-2014, 01:28 AM
Hi Stephen,

To me, this is a show stopper so I won't be using it if there is no possibility to select the certificate I want to use when signing. That's no biggy because I already have a solution that works for me and is as easy to use. The latest version of the free COM Manifest Builder have this built in, and you can start the program from the Studio for any project which automatically loads the current project and it is then only one more click to make the digital signing.

I understand that DAW makes tons of various design decisions, but I think it is a less fortunate decision to not provide any feedback when signing a program. That could (and IMHO should) be improved.

Here is what it looks like when signing a the Order Entry sample program with the COM Manifest Builder. First image is a sample when there is a problem - in this case a missing .exe file. The other image is the confirmation dialog after a successful signing. To me these confirmations makes great sense and should be provided to the user.

73077308

Vincent Oorsprong
20-Jan-2014, 07:41 AM
Nils,

Have you tried the /fCERTNAME.PFX parameter? MSDN says:




/f SignCertFile
Specifies the signing certificate in a file. Only the Personal Information Exchange (PFX) file format is supported. You can use the PVK2PFX.exe tool to convert SPC and PVK files to PFX format.
If the file is in PFX format protected by a password, use the /p option to specify the password. If the file does not contain private keys, use the /csp and /k options to specify the CSP and private key container name, respectively.

Nils G. Svedmyr
20-Jan-2014, 08:47 AM
Vincent,

Yes, that is what I use and have for a long time. However, there is no need to use the PVKwPFX utility to convert to the .pfx format. You can export directly to a pfx file from Windows digital certificate administrator.

So you are right that it is what I use. And because the .pfx file is exposed on the hard-drive I want it password protected and thus I also pass a username & password on the command line to the signtool.exe program.

Vincent Oorsprong
20-Jan-2014, 09:56 AM
Nils,


So you are right that it is what I use. And because the .pfx file is exposed on the hard-drive I want it password protected and thus I also pass a username & password on the command line to the signtool.exe program.

Which IMHO makes it unsafe again...

Nils G. Svedmyr
20-Jan-2014, 09:57 AM
Why should that be unsafe?