Difference between revisions of "Code Signing for Windows"

From Lazarus wiki
(11 intermediate revisions by 3 users not shown)
Line 1: Line 1:
==Signtool==
+
{{Code_Signing_for_Windows}}
Signtool comes as a part of Windows 10 SDK. The binary is typically installed at  
+
 
 +
==Description of the problem==
 +
'''Question:'''
 +
 
 +
I notice Windows 10 gives me a warning that the publisher is unknown after unzipping and attempting to run an executable.
 +
 
 +
Has anyone ever "registered" and if so what authority did they register with, what was the experience like (slow/fast), cost etc?
 +
 
 +
'''Answer''' from forum member Dmitry "skalogryz" Boyarintsev:
 +
 
 +
In order to have the application launch without any "questions", you'll need to purchase an EV certificate. It costs up to $US 500 (prices vary, but I doubt you can find anything below $US 250). The approval might take about a week, since they will do the verification of your actual existence (the existence of your company). If they are prompt enough they might get you verified in a matter of a day or two. For me it took about three weeks.
 +
 
 +
Note that EV certificates are usually "hardware" generated. Meaning you'll have some sort of hardware device in order to sign an executable. The hardware device also needs to be mailed to you... which adds the time to the point when you can finally sign an executable.
 +
 
 +
You can get a simple certificate, but it will still show "Running application by ... Name of your company". Simple certificates are cheaper, about $100.
 +
 
 +
Keep in mind that certificates expire and must be renewed - usually for the same price, or a bit more expensive if you used some promo when buying the first certificate. The renewal process is as fast as simply paying for it, but if you miss the renewal date, you might have to pass the approval process again.
 +
 
 +
You can't use your HTTPS web site certificate. Your HTTPS certificate was given for a domain name, not an executable.
 +
However, the same authority that issued your HTTPS certificate might also be providing code signing certificates (and you might be eligible for a discount of some sort).
 +
 
 +
You also cannot use a developer certificate issued by Apple for [[Code Signing for macOS|code signing macOS applications]].
 +
 
 +
==Examples of certificate companies==
 +
 
 +
* [https://comodosslstore.com/code-signing/comodo-ev-code-signing-certificate?gclid=CjwKCAjwndCKBhAkEiwAgSDKQfX5LQgnCeJ6VF95YAZ0FDIVSmosUBtDvhVyrqX5STHNvyJNk0JMuxoCEb8QAvD_BwE Comodo EV]. $US 399 per year for EV certificate, without a promotion.
 +
* [https://www.digicert.com/order/order-1.php Digicert]. $US 699 per year for EV certificate.
 +
* [https://signmycode.com/code-signing-certificates SignMyCode]. "$199.99 per year for EV Certificates and $49.99 per year for standard code signing certificates.
 +
* [https://www.ksoftware.net/code-signing-certificates/ KSoftware]. "OV Code Signing Certificate". 80 Euros per year.
 +
* [https://cheapsslsecurity.com/sslproducts/codesigningcertificate.html Cheap SSL Security] $US 249 per year for an EV certificate.
 +
 
 +
==Signtool: code signing tool==
 +
 
 +
Signtool comes as a part of Windows 10 SDK. The binary is typically installed at:
 +
 
  C:\Program Files (x86)\Windows Kits\10\bin\__version__\x64
 
  C:\Program Files (x86)\Windows Kits\10\bin\__version__\x64
  
 
1. Install (or generate the certificate) into Windows Certificate Center. EV certificates should also be installed, but signing them requires the hardware key to be present at the time of signing
 
1. Install (or generate the certificate) into Windows Certificate Center. EV certificates should also be installed, but signing them requires the hardware key to be present at the time of signing
  
2. Run the command line:
+
2. Very basic sign command line:
  
 
  signtool sign project1.exe
 
  signtool sign project1.exe
  
==See Also==
+
==See also==
 +
 
 
* [[Code signing]]
 
* [[Code signing]]
* https://docs.microsoft.com/en-us/windows/win32/seccrypto/signtool - official documentation
+
 
[[Category:Code signing]]
+
==External links==
[[Category:Windows]]
+
 
 +
* [https://docs.microsoft.com/en-us/windows/win32/seccrypto/signtool Microsoft: official documentation for signtool]
 +
* [https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk/ Microsoft: Windows 10 SDK download page]
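Review bot: step 2, now titled "Very basic sign command line", still shows only `signtool sign project1.exe`, with no certificate selection, file digest or timestamp option, while the answer text added in the same revision stresses that certificates expire and must be renewed. A signature made without a timestamp stops validating once the certificate expires, so the step should say at least that a timestamp server (`/tr` with `/td`) and a digest (`/fd`) are normally passed, and how the certificate installed in step 1 is selected (for example `/a`). Minor points in the same hunk: the SignMyCode bullet opens a quotation mark that is never closed, and "signing them" in step 1 should read "signing with them".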

Latest revision as of 09:34, 21 September 2022

This article applies to Windows only.

See also: Multiplatform Programming Guide


Description of the problem

Question:

I notice Windows 10 gives me a warning that the publisher is unknown after unzipping and attempting to run an executable.

Has anyone ever "registered" and if so what authority did they register with, what was the experience like (slow/fast), cost etc?

Answer from forum member Dmitry "skalogryz" Boyarintsev:

In order to have the application launch without any "questions", you'll need to purchase an EV certificate. It costs up to $US 500 (prices vary, but I doubt you can find anything below $US 250). The approval might take about a week, since they will do the verification of your actual existence (the existence of your company). If they are prompt enough they might get you verified in a matter of a day or two. For me it took about three weeks.

Note that EV certificates are usually "hardware" generated. Meaning you'll have some sort of hardware device in order to sign an executable. The hardware device also needs to be mailed to you... which adds the time to the point when you can finally sign an executable.

You can get a simple certificate, but it will still show "Running application by ... Name of your company". Simple certificates are cheaper, about $100.

Keep in mind that certificates expire and must be renewed - usually for the same price, or a bit more expensive if you used some promo when buying the first certificate. The renewal process is as fast as simply paying for it, but if you miss the renewal date, you might have to pass the approval process again.

You can't use your HTTPS web site certificate. Your HTTPS certificate was given for a domain name, not an executable. However, the same authority that issued your HTTPS certificate might also be providing code signing certificates (and you might be eligible for a discount of some sort).

You also cannot use a developer certificate issued by Apple for code signing macOS applications.

Examples of certificate companies

  • Comodo EV. $US 399 per year for EV certificate, without a promotion.
  • Digicert. $US 699 per year for EV certificate.
  • SignMyCode. $199.99 per year for EV Certificates and $49.99 per year for standard code signing certificates.
  • KSoftware. "OV Code Signing Certificate". 80 Euros per year.
  • Cheap SSL Security. $US 249 per year for an EV certificate.

Signtool: code signing tool

Signtool comes as part of the Windows 10 SDK. The binary is typically installed at:

C:\Program Files (x86)\Windows Kits\10\bin\__version__\x64

1. Install the certificate (or generate one) into Windows Certificate Center. EV certificates should also be installed, but signing with them requires the hardware key to be present at the time of signing.

2. Very basic sign command line:

signtool sign project1.exe

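See also

  • Code signing

External links

  • Microsoft: official documentation for signtool: https://docs.microsoft.com/en-us/windows/win32/seccrypto/signtool
  • Microsoft: Windows 10 SDK download page: https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk/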