Which files to codesign for Windows

Hello all,

Using Exewrapper from Tim Parnell, I see there is an option to replace the existing signature.
I wonder: when I code sign my Windows app, should I sign only the files (DLLs) that are not signed, or should I sign all files, replacing the existing signature if any?

All DLLs, please.

Ah, ok. I thought I shouldn’t modify these existing signatures since it was not my code. I will do it now.
Thank you Christian.

Hello!

Exewrapper will find all the files that you need to sign. All you have to do is drop your Builds - MyXojoProject folder on the Files list and you’re good to go! I wanted it to be that easy, so it is :smiley:

This is correct! You should leave the “Replace existing signature” checkbox unchecked unless you know for a fact that you do need to replace them. To illustrate, the C++ runtime DLLs that you can optionally include are already signed by Microsoft. You wouldn’t want to replace that as it could be perceived as suspicious.

To me it also looks suspicious if there are various (to me unknown) vendors in the signatures. It looks less suspicious to me if everything is signed from the vendor I get the software.
But that’s just a personal opinion…

On macOS it tends to be that one has to overwrite all included Frameworks with one's own signature. Kind of saying: “Those are the confirmed components I want my software to include”.

Anyway… back to Windows and .dll’s.
How about appending one's own signature?

Again my own personal opinion: that’s what I (as an end-user) would like best. See that the .dlls were created and signed by XYZ, and confirmed by a signature from the vendor I got the software from.

Mmmh… So it seems I have the choice.
Unless anti-virus software thinks otherwise… And it’s my main concern :frowning:

But why do you want me to sign your code?

[quote=488706:@Jürg Otter]To me it also looks suspicious if there are various (to me unknown) vendors in the signatures. It looks less suspicious to me if everything is signed from the vendor I get the software.
But that’s just a personal opinion…[/quote]
The signature should be by the entity that created the executable. Re-signing known libraries is a red flag because… Why did you have to re-sign it? What did you change? I don’t think you’ll find many professional developers who would agree with your opinion. For the most part end users won’t need to worry about any of this which is a relief.

I think appending your signature is probably the correct thing to do if you wanted to put your signature on (and vouch for) an executable. The signtool that ExeWrapper uses (as we don’t have Microsoft’s signtool on macOS) does not append signatures. If anybody would like to update my knowledge, I always welcome improvements that can be made.

I had no idea any of this was about anti-malware software. What errors is the software presenting?

Apple (it seems) thinks differently: Library Validation

Because you are distributing it the way it is, and you vouch for it and are responsible that the way it is (modified or not) works with your application and doesn’t harm the user’s system.

As I’ve said… it’s a personal opinion. It looks to me that on macOS, it tends to be this way.

I understand both perspectives, and both do make sense. So I don’t think there is a “right” or “wrong”.

On Windows, I haven’t noticed any issues with all these approaches: Re-Codesign .dll’s with your certificate, leave the existing CodeSignatures on .dll’s - and even: Don’t CodeSign .dll’s at all (but just the .exe).

I’m more interested in what Apple and Microsoft recommend than in what “professional developers think”… But I haven’t found any documentation for Microsoft Windows yet… if someone does, please let us know.
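One way to see, for a given build folder, which of the three approaches above a build is actually in: the PowerShell audit below (an added example, not ExeWrapper's own code) lists every .exe and .dll under the build directory with its Authenticode status and signer, so unsigned files and files already signed by another vendor (such as Microsoft's C++ runtime DLLs) are visible before deciding what to sign. `$BuildDir` and the `CN=Your Company` subject pattern are assumed placeholders.

```powershell
# Added example (not part of ExeWrapper): audit Authenticode signatures in a
# Windows build folder before deciding which files need your signature.
# Assumptions: $BuildDir points at your build output; replace the
# 'CN=Your Company' pattern with the subject of your own signing certificate.
param(
    [string]$BuildDir = 'C:\Builds\MyXojoProject',   # placeholder path
    [string]$MySubjectPattern = '*CN=Your Company*'  # placeholder subject
)

$files = Get-ChildItem -Path $BuildDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll' }

$report = foreach ($f in $files) {
    # Get-AuthenticodeSignature reports the primary signature only; appended
    # (nested) signatures are not shown here.
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        File        = $f.FullName.Substring($BuildDir.Length).TrimStart('\')
        Status      = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

$report | Sort-Object Status, File | Format-Table -AutoSize

# Classify the result:
#  - NotSigned: nothing vouches for the file yet; these need your signature.
#  - Valid with a third-party signer (e.g. Microsoft's C++ runtime DLLs):
#    already signed by its vendor; leave it unless you have a reason to replace.
#  - HashMismatch: the file was modified after it was signed, so the existing
#    signature no longer verifies and the file must be re-signed or replaced.
$unsigned   = @($report | Where-Object { $_.Status -eq 'NotSigned' })
$thirdParty = @($report | Where-Object { $_.Status -eq 'Valid' -and $_.Signer -notlike $MySubjectPattern })
$mine       = @($report | Where-Object { $_.Status -eq 'Valid' -and $_.Signer -like $MySubjectPattern })
$broken     = @($report | Where-Object { $_.Status -eq 'HashMismatch' })

"Unsigned: {0}  Signed by others: {1}  Signed by you: {2}  Modified after signing: {3}" -f `
    $unsigned.Count, $thirdParty.Count, $mine.Count, $broken.Count
```

Appended (nested) signatures are not listed by this cmdlet; on a machine with the Windows SDK, `signtool verify /pa /all <file>` shows every signature a file carries.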

No, no error. Your software is really good.
I mean I don’t want to go the wrong way (such as, I suppose, signing the C++ runtime DLLs myself) and find that anti-virus/anti-malware software doesn’t like it.
Thank you for your advice.

I let AppWrapper and Sam worry about my Mac code signing, so I appreciate the insight! This thread makes me very happy that I opted to implement the feature as an option, as I wasn’t aware there was such a strong argument for replacement.

Best wishes!

At the minimum, under Windows, the installer should be signed.

If you do not use an installer (which would be strongly recommended anyway), make sure the .exe is signed.

Just had a run-in with VirusTotal (which I normally like to use to assure customers that their own out-of-date virus checker is just trying to justify its own existence).

More recently, however, VirusTotal uses some rather obscure and dubious engines.
So this week 6 (of 69) engines - all of which I have never heard of - reported my app as being infected with different randomly invented virus names with ‘high probability’.

Most agreed this was a false positive when I sent them the exe to examine. Grr.

BUT - the point I want to make here is that when just the installer was signed, I got 6 black marks.
As an experiment, without changing a line of code, I signed the EXE and libs, plus the installer.
The reports went down to 3 immediately, even before I started sending reports.