New to Windows Code-Signing with a Yubikey

After having twice gone through the root-canal that is Sectigo, I just had a much more positive experience getting my new Windows certificate through SSL.com. I ponied up for the Yubikey, instead of subscribing to the cloud signing. I also purchased a five-year term. I’ll be 70 then, and might by then have better things to do. :slight_smile:

In the past I used either KSign or ExeWrapper to sign the app folders. Each would sign the .exe files and the individual DLLs. There is no such batch action in SSL.com’s SSL Manager. Each file must be individually signed. At least the Yubikey’s PIN need only be entered once per session.

I seem to have no problem if I just sign the .exe files (multiple .exes in projects that have workers), then sign the Innosetup installer. However, if I also sign the top-level DLLs, I get inconsistent functionality. If I sign the plugins in the Libs folder (again, multiple Libs folders where I have workers) things just completely break. In particular, MBS acts like it is just missing.

The plugins are a mix of Einhugur and MBS, and should already have their vendor signatures. Can I just leave them like that? Would that also apply to the top-level DLLs? Note that I’m not using DesktopHTMLViewer on Windows, so I don’t have all that Chrome stuff.

On my own systems, everything seems fine with just the .exes and the installer signed.

Thanks.

I have been running the same setup for years, and I only sign the .exes and the installer.
Never had an issue.

You can also get Inno Setup to codesign the uninstaller using
SignedUninstaller=yes
Then you codesign the file it builds.

We sign our DLLs for the plugins to make sure they load, even if you have some more restricted Windows version or a virus scanner checking.

You should sign the DLLs coming with your application.
Not sure why you have trouble there.

I note that Inno Setup doesn’t re-sign the DLLs by default. It recognises that they have a signature and leaves them alone.

In the light of day, that trouble has gone away. I should have been more specific. The issue was that a job was not performed which was supposed to be handed off to a worker. That was after I had signed the worker .exe DLLs. However, since the job involved a CURL operation, there could have been a transient network issue which was just a coincidence.

So yes, all is well when I sign the DLLs that come with the .exe(s). What I still don’t understand is why the plugin DLLs, particularly MBS, failed to load after I signed those (as both ExeWrapper and KSign appeared to do.) But since signing all of those is quite tedious with the SSL.com app, it is just as well to know that I don’t have to. :slight_smile:

I never made an ExeWrapper for Windows because when I pack on Windows I use InnoSetup and its ability to codesign as it packs everything into the installer. If you are building an installer I would recommend taking this approach. Graham hinted at it above.

The only thing I’ve got handy for you is the Beacon installer from @Thom_McGrath. I haven’t gotten a YubiKey myself yet (that’s a task for November), so I can’t explain the ins and outs of how this all fits together with a token.

Beacon Setup.iss on GitHub

I got a YubiKey… oh boy, it’s an experience. I did go through ssl.com and it works, but I need to enter my PIN every single time a file needs to be signed. And there are a bunch. It’s really annoying. There is another signing tool that can interface with the YubiKey another way, but I’ve yet to try to integrate it into my workflow.

Using their SSL Manager, I have found that I only need to enter the PIN once, as long as I keep the signing dialog window open between files.

I do use InnoSetup, but I always just used KSign to sign the installers (after signing the build folders with ExeWrapper on my Mac.) It was not clear to me whether InnoSetup signed all the packed contents, or just the installer itself. More to learn. :slight_smile:

What is “their SSL Manager?” That’s not their eSigner is it?

It handles everything and can be configured to do things like only sign unsigned files (signonce flag). I expect to have more insight as to how it interacts with a YubiKey when I get my own.

I will add that I have seen exactly what Thom describes with the PIN / Password being required for each file with a client project. In their case we are able to copy the password to the clipboard and just paste it in to the dialog that opens.

1 Like

SSL.com Manager is the name of the desktop app that they offer. This is not the eSigner. I downloaded that from them, along with the Yubikey mini driver. And yes, it only requires the PIN a single time during a session.

Interesting. Is there any way to integrate it into workflows? Without a command line component, it’s kind of useless in that regard.

Well, as I look into this, hopefully it only needs the PIN once. :slight_smile:

Ugh, not looking forward to this when I have to renew my SSL signing certificate.

Questions:

  • Can this be done on a VM? (I do all my Windows signing on an Intel Mac running an Intel Windows VM under Parallels or Fusion.)
  • Can this be done on a Windows ARM VM? (Thinking about the future, when I upgrade from my Intel Mac to an M-series CPU.)

I run a bat file on pre- and post-build in Inno Setup. I actually copy my PIN to the clipboard and bulk code-sign all the files at once. So for each build I only have to paste the key in twice.

YubiKey and the updating of certificates is the process I would not wish on my worst enemy. Every two or three years I have to do this and I spend days trying to figure it all out. Once it is up and running, it runs great.

I myself am doing this on a Fusion (Intel) Windows 11 guest, from a Sonoma host. While I have an M1 laptop, I am only doing this on my Intel desktop, so I can’t speak for that.

1 Like

The good news: With encouragement here, I have figured out signing through InnoSetup, signing the .exe and all DLLs along the way. I get a signed uninstaller in the bargain. It works with the Yubikey.

The bad news: I have to enter the PIN on each pass. This is where the clipboard is one’s friend.

For the command line, the SSL.com documentation only references signtool.exe. “Batch” capability is only mentioned regarding eSigner.

This is a sample of the bat file I use in the Inno script:

@Echo off
REM Copy the token PIN to the clipboard without a trailing newline (echo| set /p trick),
REM so it can be pasted into the YubiKey PIN prompt with Ctrl+V.
echo|set /p=YUBIKEYCODE|clip
echo === Copied PWD to Clipboard ===
echo.
echo === Pre Signing Apps ===
echo.
REM One signtool call for every file: the PIN is requested once per process.
REM Append further .exe/.dll paths to the end of this line as needed.
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe" sign /fd sha256 /n "CERTIFICATE NAME" /tr http://ts.ssl.com /td sha256 "..\..\Builds - AppName\Windows\AppName\AppName.exe" "..\32bit\AppName Helpers\AppNameOLEHelper\AppNameOLEHelper.exe" "..\32bit\AppName Helpers\AppNameImageLoader\AppNameImageLoader.exe"

It only asks for the key once, and you just press Control+V to paste.
I think the path is relative to where the Inno script .iss file is.

2 Likes
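The bulk-signing approach from the bat file above, combined with the "only sign unsigned files" behaviour discussed earlier (vendor-signed plugin DLLs are left alone), as an added PowerShell example that is not from any poster in this thread. The signtool path, certificate name and build folder are placeholders; the SSL.com timestamp URL is the one used above.

```powershell
# Added example (not from the thread): sign every unsigned .exe/.dll under a build
# folder in ONE signtool call, so the YubiKey PIN prompt appears once, then verify.
# Assumptions: signtool.exe path, certificate subject and build root are placeholders.
param(
    [string]$BuildRoot = '..\Builds - AppName\Windows\AppName',   # placeholder
    [string]$CertName  = 'CERTIFICATE NAME',                       # placeholder
    [string]$SignTool  = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe',
    [string]$Timestamp = 'http://ts.ssl.com'
)

# Collect candidates and inspect the existing Authenticode state of each one.
$files  = Get-ChildItem -Path $BuildRoot -Recurse -Include *.exe, *.dll -File
$toSign = @()
foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    switch ($sig.Status) {
        'Valid' {
            # Already carries a trusted signature (e.g. a vendor-signed plugin DLL):
            # leave it alone, the same idea as Inno Setup's "signonce" flag.
            Write-Host ("skip   {0}  (signed by {1})" -f $f.FullName, $sig.SignerCertificate.Subject)
        }
        'NotSigned' { $toSign += $f.FullName }
        default {
            # HashMismatch, UnknownError (untrusted chain) etc.: stop rather than
            # silently overwrite a signature that may be tampered or misconfigured.
            throw "Unexpected signature status '$($sig.Status)' on $($f.FullName)"
        }
    }
}

if ($toSign.Count -eq 0) { Write-Host 'Nothing to sign.'; return }

# One signtool invocation for all files: the token PIN is requested once per process.
# PowerShell expands the array into separate command-line arguments.
& $SignTool sign /fd sha256 /tr $Timestamp /td sha256 /n $CertName $toSign
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Independent check with the default Authenticode policy (/pa), verbose output.
& $SignTool verify /pa /v $toSign
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Re-read the signatures from PowerShell so the final state is visible in the log.
$toSign | ForEach-Object {
    $s = Get-AuthenticodeSignature -FilePath $_
    "{0,-10} {1}" -f $s.Status, $_
}
```

Run it as a pre-build step from the .iss file in place of the bat file; a plugin DLL whose vendor chain is not trusted on the build machine will show up as UnknownError and stop the script, which is the point at which to check the vendor certificate rather than re-sign over it.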