Windows code signing in 2021

Microsoft seems to have relaxed the rules somewhat on unsigned applications in the past couple of years. What’s considered required now? Can I publish a Xojo executable (not to an app store but to my own website) and expect users to download and use it without significant problems? Or is an expensive EV certificate still considered essential?


Nothing you can do will stop some virus checkers from complaining about your app, even when they have nothing to complain about. (Heuristic/generic messages)
They only make money if they scare people.

An ordinary certificate helps - without one people will really struggle to install.
An EV certificate pays more things to keep quiet.


Does Xojo have a soup-to-nuts FAQ/tutorial on WINDOWS code signing (including Windows 11)? I see extensive FAQs about MacOS/IOS code signing (which I have a lot of experience with), but I have zero experience code signing a Windows Xojo executable on a Windows platform.

A good FAQ might include:

• Basic review of EV vs non-EV certs;

• List of typical certificate authorities: DigiCert, StartSSL, Verisign, Comodo, GlobalSign, Thawte, GoDaddy, etc. (I know, they change frequently)

• List of support tools that aid in the code signing process

• Example workflows for signing

• Are DLLs required to be signed?

• A few words on using a signing certificate for Windows installers?



If you are developing your Windows app on macOS @Tim_Parnell has created ExeWrapper which allows you to code sign Windows apps from macOS and works out the right files to sign.

I used to have a code signing certificate from GoDaddy (many years ago) but I don’t think they still provide them.


Adam – you are correct that GoDaddy no longer provides code signing certificates (as of 2021).

While I normally develop software on the Mac, and I’ve heard of the very cool ExeWrapper tool, in this case I’m only building a Windows-only application on native Windows hardware.

I have used both Comodo signing certificates, which I bought from Ksign, and Digicert.

I regularly use the ksign utility I got from ksoftware. It automates signing just as nicely as AppWrapper on Mac. And works with any certificate in P12 or Pfx form.

I sign the executable itself, as well as the installer.

Note that some installer builders, like Innosetup, can automate the signing of the installer.

I never sign DLLs.

As far as I know, Windows only checks the installer is signed.


I also use Sectigo from Ksign and got the pfx cert. It was for a brand new company name so it took a couple of days to get verified but worth the wait.
I use MSIX packaging tool from Microsoft. It builds a package from your setup file that can be installed from your own website link and it works a lot like your own app store. Once the app is downloaded and installed, if you upload an update to your website then all users of the app will be notified of the update and asked if they want to install it. If they click the update button then the update installs automatically. Also it only updates the part of your app that has changed so the update is very fast.
This works great for a company that wants to build an internal app and distribute it to all of its remote employees and also keep it up to date with very little instructions. Just open the app and click the update button if it offers an update.

As the author of ExeWrapper I occasionally get asked about this. I’ve massaged some answers I’ve been working on into a blog post.

Please check out the post:
Insights From an Indie Developer Regarding Code-Signing for Windows

If you have any questions, corrections, or comments please don’t hesitate to let me know!


A few comments about your blog post:

  • It might be worth mentioning that EV certificates require some sort of extra verification during signing. At one point we had to mail a USB stick to the issuer so they could put the certificate on it and mail it back. We were told it would not work if moved from the drive, but I have no idea how that could be true. For another issuer, we have to use a Yubikey to generate OTP codes for each file signed, or use their online verification for $10 per file signed. Both options seriously hurt build automation.

  • Last time I “renewed” with Sectigo, they told me they don’t use D&B anymore. I forget who, but they let some other company hold your business hostage now.

  • SmartScreen score appears to stay with the certificate. At least, the only time SmartScreen ever interrupts is for a few days after “renewal” for me. Combined with arduous validation, buying the longest certificate you can afford is strongly recommended.

Maybe I should start a new thread (if so I will delete this), but I wanted to know what I should sign when using InnoSetup to create an installer.
Do I have to sign the folder generated by Xojo or the file generated by InnoSetup or both?


The innosetup .exe and your application .exe should be enough

I sign everything with code. From my InnoSetup file:

Source: "..\..\Project\Builds - Beacon\Windows 64 bit\Beacon\*.exe"; DestDir: "{app}"; Check: Is64BitInstallMode; Flags: ignoreversion recursesubdirs createallsubdirs signonce
Source: "..\..\Project\Builds - Beacon\Windows 64 bit\Beacon\*.dll"; DestDir: "{app}"; Check: Is64BitInstallMode; Flags: ignoreversion recursesubdirs createallsubdirs signonce
Source: "..\..\Project\Builds - Beacon\Windows 64 bit\Beacon\*"; Excludes: "*.exe,*.dll"; DestDir: "{app}"; Check: Is64BitInstallMode; Flags: ignoreversion recursesubdirs createallsubdirs

Yes, Windows won’t ■■■■■ about the dlls not being signed, but it should. They contain executable code and have a huge influence over your app.
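
An added example, not part of the post above or of the poster's project: a PowerShell check to run on the build output before packaging, listing every .exe and .dll that lacks a valid, timestamped Authenticode signature. The default build path and the function name `Get-SignatureReport` are placeholders chosen for this example.

```powershell
# Added example: audit Authenticode signatures in a build folder.
param(
    # Hypothetical path; point this at your own build output folder.
    [string]$BuildDir = '.\Builds\Windows 64 bit\MyApp'
)

function Get-SignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    # Every file that carries executable code: the app .exe and all DLLs.
    Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $cert = $sig.SignerCertificate
            [pscustomobject]@{
                File        = $_.FullName
                # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Status      = $sig.Status
                Signer      = $(if ($cert) { $cert.Subject } else { $null })
                CertExpires = $(if ($cert) { $cert.NotAfter } else { $null })
                # Without a timestamp the signature stops validating
                # once the signing certificate expires.
                Timestamped = [bool]$sig.TimeStamperCertificate
            }
        }
}

$report = @(Get-SignatureReport -Path $BuildDir)
$report | Format-Table -AutoSize -Property Status, Timestamped, CertExpires, File

# Fail the build step if anything is unsigned, tampered with, or untimestamped.
$bad = @($report | Where-Object { $_.Status -ne 'Valid' -or -not $_.Timestamped })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} of {1} files need attention:" -f $bad.Count, $report.Count)
    $bad | ForEach-Object { Write-Warning ("  {0}  [{1}]" -f $_.File, $_.Status) }
    exit 1
}
Write-Output ("All {0} executables and DLLs are signed and timestamped." -f $report.Count)
```

Running the same function against the folder that holds the finished installer .exe checks the installer's own signature as well.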

Thanks for the updates!

I’ve elaborated in the section about EV certificates. I think it’s weird that you had to mail them a USB stick. I do think I read somewhere that EV certificates use the smart-card APIs for some kind of temporary voodoo? Could that be how they prevent the certificate from being moved from the drive?

I’ve also added your note about D&B but I cannot confirm it because that was the exact problem a client just had with Sectigo -_-

I wonder what some of the secrets behind SmartScreen score are. My personal certificates have never gotten enough score, but you can get yours in just a few days. Is there a place I can request Microsoft step in?

Nothing that I’m aware of. I think it’s just number of downloads. I’m not trying to brag, but I get hundreds of downloads per day.

No, understandable. I know Beacon has a wider reach by far.

I want an EV, but I don’t want to do the rigamarole with Sectigo and D&B. Did they by chance indicate what kind of registration they will be looking for in the future?

They did tell me, but honestly, I forgot. It was a year or two ago, so I’d assume your more recent experience is correct.

If you download your installer with Edge (yuck), when you click on the three dots next to it in the downloads menu (or right click it) you can “Report File as Safe.” I did that for mine (signed with a personal certificate), filled out the form explaining who I was and what the software is, and my installer no longer complains on a fresh VM. You might try that.

I went through this recently, and just getting the certificate is still a mess in 2022 - I eventually got things working here: Sectigo Code Signing Certificate Problems - #3 by Mike_D


I have to renew with Sectigo this month - thanks all for the insights! I use ExeWrapper after building on Win then over to mac for the signing.

I’ll suggest there is a significant opportunity here for someone to:

a) sort out the whole mess into a unified process to prepare apps ready for the MacOS, iOS and Windows Appstores, and

b) document it.

Building an app that runs is only the start. The rest of the challenge to actually get a Xojo app “out there” where users can get it via the stores is undocumented. As for expecting average users to tinker with system settings and Terminal commands… they won’t.