Code Signing for Windows

From Lazarus wiki

This article applies to Windows only.

See also: Multiplatform Programming Guide



Description of the problem

Question:

I notice Windows 10 gives me a warning that a publisher is unknown after unzipping and attempting to run an exe.

Has anyone ever "registered" and if so what authority did they register with, what was the experience like (slow/fast), cost etc?

Answer from forum member @skalogryz:

In order to have the application launching without any "questions", you'll need an EV certificate to be purchased. It costs around $500 (prices may vary, but I doubt you can find anything below $350). The approval might take about a week, since they will do the verification of your actual existence. (The existence of your company). If they are prompt enough they might get you verified in a matter of a day or two. (For me it took about 3 weeks).

Note that EV certificates are usually "hardware" generated. Meaning you'll have some sort of hardware device in order to sign an app. (The hardware device also needs to be mailed to you... which adds the time to the point when you can finally sign an app.)

You can get a simple certificate, but it will still show "Running application by ... Name of your company". Simple certificates are cheaper, about $100.

Keep in mind that certificates expire and must be renewed (usually for the same price, or a bit more expensive, if you used some promo when buying the first certificate). The renewal process is as fast as simply paying for it. But if you miss the payment and don't renew, you might have to pass the re-approval process again.

You can't use your HTTPS certificate. Your HTTPS certificate was given for a domain name, not an executable. However, the same authority that issued your HTTPS certificate might also be providing code signing certificates (and you might be eligible for a discount of some sort).

Examples of companies

Signtool

Signtool comes as part of the Windows 10 SDK. The binary is typically installed at:

C:\Program Files (x86)\Windows Kits\10\bin\__version__\x64

1. Install (or generate) the certificate into the Windows Certificate Center. EV certificates should also be installed, but signing with them requires the hardware key to be present at the time of signing.

2. Very basic sign command line:

signtool sign project1.exe
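
A fuller version of the two steps above, as an added example that is not part of the original wiki page: it resolves the `__version__` directory, signs with SHA-256 and an RFC 3161 timestamp (so the signature can still validate after the certificate expires), then verifies the result. The timestamp URL is a placeholder to be replaced with the one your certificate authority publishes, and the script assumes a code signing certificate is already installed.

```powershell
# Added example: locate the newest signtool.exe, sign, timestamp and verify.
param(
    [string]$Target       = '.\project1.exe',            # file name used on this page
    [string]$TimestampUrl = 'http://timestamp.example/'  # placeholder: your CA's RFC 3161 URL
)
$ErrorActionPreference = 'Stop'

# Resolve the __version__ part of the SDK path by picking the highest installed version.
$kitBin   = Join-Path ${env:ProgramFiles(x86)} 'Windows Kits\10\bin'
$signtool = Get-ChildItem -Path $kitBin -Directory |
    Where-Object { $_.Name -match '^\d+(\.\d+){3}$' } |
    Sort-Object { [version]$_.Name } -Descending |
    ForEach-Object { Join-Path $_.FullName 'x64\signtool.exe' } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $signtool) { throw "signtool.exe not found under $kitBin" }

# /a       : let signtool pick the best installed code signing certificate
# /fd      : digest algorithm for the file signature
# /tr, /td : RFC 3161 timestamp server and the digest it should use
& $signtool sign /a /fd SHA256 /tr $TimestampUrl /td SHA256 $Target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

# /pa : verify against the default Authenticode policy, /v : verbose chain output
& $signtool verify /pa /v $Target
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit code $LASTEXITCODE)" }

# Independent check through PowerShell's own Authenticode cmdlet.
$sig = Get-AuthenticodeSignature -FilePath $Target
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    Write-Warning 'No timestamp found: the signature will stop validating when the certificate expires.'
}

# Summary of who signed the file and until when the signing certificate is valid.
[pscustomobject]@{
    File        = (Resolve-Path $Target).Path
    Signer      = $sig.SignerCertificate.Subject
    Thumbprint  = $sig.SignerCertificate.Thumbprint
    CertExpires = $sig.SignerCertificate.NotAfter
    Timestamped = [bool]$sig.TimeStamperCertificate
}
```

With an EV certificate the hardware key must be plugged in when the `sign` step runs, as noted in step 1.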

See also