First time Code-Signing a Windows app

Hi. I’m using Xojo on my Mac, but programming a game for Windows. I create the Windows app on my Mac and move it to a Windows machine for testing. Once I had my app working, I used InstallCreator on the PC to make a (presumably) ready-to-ship distribution file. Mistakenly, I thought I was done. I sent this to two friends who routinely use Windows for beta testing, and both reported that Windows balked at running the program, and AVG told them my program had a virus (or some message like that.) I’m quite sure my program did NOT contain a virus.

I did some checking and I’m fairly sure the problem is that, just like on the Mac, Windows wants you to code-sign your apps. Neither my app nor the installer app was code-signed. Presumably if my Windows app was code-signed, Windows and AVG anti-virus wouldn’t complain about running my app. (My app does run on Windows just fine as my friends attested, but they had to jump through hoops to convince Windows and AVG to allow it.)

So, now my problem is…how do I code-sign a desktop app for Windows? I code-sign routinely on the Mac for a Mac app, but never for Windows apps. I did some digging and I’m not even sure the code-signing for Windows is done via Microsoft? I found various sites (at various prices) that offer to code-sign my apps for a yearly fee.

I’m hoping someone can point me in the right direction for more info about this? How do I go about code-signing a Windows app? Are there alternative pathways to do this? (obviously hoping for a cheap alternative too!)

Thanks for thoughts…

Basically you need to purchase a code-signing certificate.

Many places sell them, but here is the one I use: https://www.ksoftware.net/

They even have their own signing software called kSign that makes it really easy.

Also there is Strawberry Software's ExeWrapper, which can help automate signing for Microsoft on the Mac.


Thanks Brian. I’ll check out your suggestions for sure.


I also use a certificate K Software. You can then do the signing with a shell script and a few calls to signtool from Microsoft.

Or if you develop on Mac use ExeWrapper app from Strawberry Software.
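A worked example of the "shell script and a few calls to signtool" approach mentioned above, written for this page as an illustration and not Christian's or anyone else's actual script. It assumes signtool.exe from the Windows SDK is on PATH, that the OV code-signing certificate has been imported into the CurrentUser\My store, and that you know its SHA-1 thumbprint; the file names, thumbprint parameter and timestamp server URL are placeholders you would replace with your own. It signs each file with a SHA-256 digest and an RFC 3161 timestamp (so the signature stays valid after the certificate expires), then verifies the result twice, once with signtool's own Authenticode policy check and once with PowerShell's Get-AuthenticodeSignature.

```powershell
# Added example (not from the original thread): sign a Windows .exe and its installer
# with signtool, then verify them. Run from a PowerShell prompt on the Windows box:
#   .\sign.ps1 -Thumbprint <hex thumbprint> -Files .\MyGame.exe, .\MyGame-Setup.exe
# Assumptions: signtool.exe is on PATH; the certificate lives in Cert:\CurrentUser\My.
param(
    [Parameter(Mandatory)] [string]$Thumbprint,              # SHA-1 thumbprint of the signing cert (placeholder)
    [Parameter(Mandatory)] [string[]]$Files,                 # e.g. .\MyGame.exe, .\MyGame-Setup.exe (placeholders)
    [string]$TimestampUrl = 'http://timestamp.digicert.com'  # RFC 3161 TSA; use the one your CA documents
)
$ErrorActionPreference = 'Stop'

# Refuse to continue unless the thumbprint really names a code-signing cert whose private key we hold.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No code-signing certificate with thumbprint $Thumbprint in CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key available" }

foreach ($f in $Files) {
    if (-not (Test-Path $f)) { throw "Missing file: $f" }

    # /sha1      select the certificate by thumbprint rather than by subject-name match
    # /fd SHA256 file digest algorithm (SHA-1 Authenticode signatures are deprecated)
    # /tr + /td  RFC 3161 timestamp, so the signature outlives the certificate's validity period
    & signtool.exe sign /sha1 $Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 /v $f
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $f (exit code $LASTEXITCODE)" }

    # Verify with the default Authenticode policy (/pa), the same chain check Windows applies when the file runs.
    & signtool.exe verify /pa /v $f
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed for $f (exit code $LASTEXITCODE)" }

    # Independent check from PowerShell: status must be Valid and the signer must be our certificate.
    $sig = Get-AuthenticodeSignature -FilePath $f
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
        throw "Signature on $f has status $($sig.Status); signer $($sig.SignerCertificate.Thumbprint)"
    }
    if (-not $sig.TimeStamperCertificate) { throw "Signature on $f carries no timestamp" }

    "Signed and verified: $f (timestamped by $($sig.TimeStamperCertificate.Subject))"
}
```

Sign both the game executable and the installer that wraps it: the installer is what your beta testers actually download, and it is the download that SmartScreen and the antivirus judge. Keeping the certificate in the Windows certificate store (rather than passing a .pfx and its password on the command line with /f and /p) keeps the private key and password out of shell history and build logs. Note that this fixes the "unsigned publisher" part of the problem only; as later replies in this thread point out, SmartScreen reputation for a new certificate still has to build up over time.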

Thanks Christian…I already heard of ExeWrapper and have downloaded it in preparation for when I know what to do with it. I’ve been looking over the ksoftware site, and figure the cheaper option is what I would need…since I only have a simple desktop app game, and not a driver. Sounds like that $84 per year option is what I’ll have to use. (I do wish there were a cheaper alternative, but such is life I guess.)

@Ken_Winograd

Yes, the cheaper option, an OV certificate, is what you will need, not the more expensive EV driver-signing one.

You can get it with OmegaBundle.

Presumably if my Windows app was code-signed, Windows and AVG anti-virus wouldn’t complain about running my app.

Hohoho.

It means you get fewer messages, but (expletive deleted) virus checkers and SmartScreen have to justify their existence.
So they will invent a 'heuristic detection' and block your app.
They will tell your customers 'not many people have downloaded this, so it's obviously malware' and then block that too.


Well, that’s good! Thanks Brian.

Well, that’s plainly disappointing, but I hear ya. I’ve heard that from elsewhere too…that virus-checkers complain about a program having a virus when it doesn’t, or about a program not being overly popular…and that’s enough to put up a warning just so it looks like the virus checker is working. Disconcerting for sure. Part of me wants to make my program available and just mention on the download page “you might see a virus warning, but there’s no virus, the program just isn’t code-signed”…but you can imagine that wouldn’t go over very well either. So, I feel like I’m rather forced to code-sign.

Now, just thinking out loud without thought of ramifications, this almost makes me want to believe that Xojo should have a code-signer built-in to Xojo…and by default all Windows apps are code-signed by Xojo. (Yeah, I know, silly idea…but one can dream!)


This article is 3 years old, but it is still somewhat relevant and talks about some of the points that JeffT references.

Excellent find. Thanks!

I’m one of few who will tell you to run as far away from ksoftware as possible. Their process is archaic and requires Firefox 68, which in the age of auto-updating software, is problematic. I had done that, generated my CSR, and by the time the certificate was issued Firefox had updated with the features removed, and my CSR with it. Through a lot of trial and error I was able to get version 68 installed and found my old profile, get my CSR, and claim my certificate. This process is technically more secure, but the fact of the matter is few browsers supported this in the first place, and the ones that did are not anymore. ksoftware needs to update their process.

This says nothing about the Sectigo half of the process, which is staffed by the biggest idiots on the planet. Every single year - which is why I recommend buying for as long as you can afford - I have to fight with them. Despite being registered with the town, state, and federal governments, they wanted validation from a third party called Dun & Bradstreet, who had my information wrong. D&B wouldn’t allow me to fix it either; since it was wrong, I couldn’t verify myself. It took months to correct. When it came time for renewal, I expected no issues, only to learn they had switched to a different third party for verification. Also, their policy says validation is only required every 48 months, except I had to give them a hard time about not honoring that policy before they would.

There is absolutely nothing I would recommend about ksoftware+Sectigo aside from their pricing. My next renewal I’m going to try ssl.com instead.


Thanks Thom…your comment is eye-opening and much appreciated. I obviously have a lot to learn. I had read other things about it requiring Internet Explorer to handle the licensing, for instance, which also didn’t sit well with me. After reading the ksoftware site, I was almost ready to forego trying to use ExeWrapper on the Mac (since I like to do things as much as possible on the Mac), and use ksoftware’s tools to do all code-signing on the PC. But, now I’m obviously re-thinking that. (You have no idea how tempted I am to post a non-code-signed app, with an explanation of how to get around any Windows or AVG warnings…but I’m not yet there either.) Still learning…thanks again!

You will still get Windows SmartScreen and AVG warnings. AVG is a heuristic antivirus, so it uses a lot of guesswork. If your program does anything, AVG complains. I had to submit an installer to them just yesterday for flagging a false positive. To be fair, my app uses both URLConnection and the MBS JavaScript plugin, so AVG sees javascript and throws a fit. Windows SmartScreen will complain until your identity builds up reputation. This is another reason to buy as long as you can afford, because a renewal means a new certificate, which means a blank reputation. It’s not a great system, but it’s workable. You could get an EV certificate to instantly have perfect reputation, but those are harder to obtain and require a physical token such as a Yubikey. I’ve done that with another project with a certificate from ssl.com and it’s very frustrating because their process cannot be automated. They have a CodeSignTool process that is supposed to be used for scripting and installer building… but it’s flawed and requires user interaction. So just don’t bother with an EV.

So yeah… Windows code signing is the work of some truly sadistic people. For all the crap people give Apple about their process, it is lightyears ahead of Microsoft.

I have not used ExeWrapper, but only because I haven’t had a reason to.

Their process is archaic and requires Firefox 68,

I use them and I don't have Firefox anything.
But I agree with the validation process: it's all geared around American company rules and requirements, which as a UK company I have incredible trouble with.
It's always a fight to get them to agree that I exist, despite having been registered there for years.

Internet Explorer then? I’ve tried Safari, Chrome, Edge… nothing works. Which is frustrating because Safari supposedly does have support for the crypto methods still, but their website would still block me. And Internet Explorer shouldn’t be installed anywhere.

Maybe this is a time bomb waiting to happen next time for me, then.
As far as I can recall, I either used Chrome or Safari.

I recall being able to use Safari the first, and maybe second, time. This most recent in June, I definitely could not.

You folks have me beat. The last time I attempted to get a certificate, I spent two weeks going back and forth with them about whether I exist on this (or any other) planet, by which time I’d had enough and requested a refund. They processed the refund then sent me an email the next day saying they were ready to issue my certificate. I just threw my hands up and walked away. I’ll try again next spring if I feel like wasting my life on something I have a disclaimer for already on my download page.