Windows code sign + ExeWrapper + CheapSSL

So I got a customer who requested a new code sign certificate from CheapSSLSecurity.
It was a hard time getting the right kind of file from it, but I still cannot figure out how to make use of it. All the online help is about installing the certificate via Browser on a Windows machine, demanding the use of IE at some places.
I still cannot figure out how to retrieve the password necessary for using ExeWrapper. The request was started with their online tool, and apparently there was no PW entry involved. Instead, I received private and public key which will not install, and their support never answers the question how to retrieve the password.

Has anyone been lucky with that provider? I am really confused about the files – never had such problems before; even for this client with their previous certificate. Someone who could assist me here?

SSL Certiticates do not always need to have a password. Is it possible your does not? Another idea: perhaps they sold you the wrong type (code-signing certificates are special).

Here’s a copy of a “how to” which I wrote, which describes how to do it (using IE11). These instructions assume you are using the Windows SDK and signtool, but I think if you make it through Step 2, you should have a PFX file that would be usable with ExeWrapper?

  1. Retrieve your code-signing certificate from your vendor once it is ready. Important: use IE11 for this step and download your certificate on the same computer you will use for code-signing.
  2. Save the certificate and private key as a PFX format by following these steps in IE11:
  • Open IE11 on the same computer where you downloaded your certificate.
  • From the Tools menu, choose Internet Options.
  • On the Content tab, click the Certificates button.
  • Select the code-signing certificate you just purchased and downloaded (note: there may be several certificates in the list, be sure to choose the correct one).
  • Click the Export button.
    • Choose “Yes, export the private key”.
    • Choose “PKCS#12.PFX” as the kind.
    • Check the box for “Include all certificates in the certification path if possible”.
    • Create a certificate password (and remember it for later).
    • Export the file to your hard drive.

(adapted from iScreensaver : Code-signing, Notarization, Gatekeeper and Authenticode )

And did they get a Codesign certificate, or an ‘SSL’ one? because SSL isnt any good for this, and is the default type which site assumes you want…

1 Like

I believe it is possible to get a pfx without a password, if that’s the case you can likely leave the password field in ExeWrapper empty.

I got my certificate in a password protected pfx format from a different provider, I’m sorry I don’t have much more help to offer. I can’t recommend this provider anymore because they stopped offering indie-dev friendly pricing.

I need to be renewing my certificate soon, so I’ll be shopping for providers when my eyes recover a little more. With ExeWrapper being in the Omegabundle, I went back into the Microsoft docs for code signing to try to help someone; only to discover they’ve pretty much removed everything about non-EV and non-driver signing.

Windows 11 has me concerned about the future of code signing with non-EV certificates. I wish I had more to tell you, but for now it’s just “Tim is concerned.”

Thanks all. Possibly the error was not using IE11 on client’s side when downloading the certificate. Hope they can fix it.
Is it only me who considers certificate handling on Windows to be really challenging?

In my experience, it is not so much the “handling on Windows”, as it is dealing with Sectigo. That’s like pulling out your spleen :slight_smile:

2 Likes

Thanks all for your responses. Turned out the customer could not access his original computer anymore, so we are going for another attempt. This time with kSoftware. Which sent an irritating response when we were asking if there could be any troubles exporting to PFX:

an EV level certificate might not be what you’re after then. They are delivered on a token that has to be accessed that way only (no PFX export). The OV level certificate however, does offer that option.

I remember we had an EV certificate in the past, and I read on another thread here kSoftware would be totally fine. Can anyone confirm their response, should we look for another supplier or has something changed regarding EV certs?

EV certificates are delivered on a dongle (from every provider, it’s part of EV security) and are not compatible with ExeWrapper at this time.

Thanks, Tim!

Forum for Xojo Programming Language and IDE. Copyright © 2021 Xojo, Inc.