Windows code signing in 2021

Adam_Charlton · March 23, 2022, 8:49pm

If you are developing your Windows app on macOS @Tim_Parnell has created ExeWrapper which allows you to code sign Windows apps from macOS and works out the right files to sign.

I used to have a code signing certificate from GoDaddy (many years ago) but I don’t think they still provide them.

Stephen_Greenfield · March 23, 2022, 9:16pm

Adam – you are correct that GoDaddy no longer provides code signing certificates (as of 2021).

While I normally develop software on the Mac, and I’ve heard of the very cool ExeWrapper tool, in this case I’m only building a Windows-only application on native Windows hardware.

Michel_Bujardet · March 23, 2022, 11:00pm

I have used both Comodo signing certificates, which I bought from Ksign, and Digicert.

I regularly use the ksign utility I got from ksoftware. It automates signing just as nicely as AppWrapper on Mac. And works with any certificate in P12 or Pfx form.

I sign the executable itself, as well as the installer.

Note that some installer builders, like Innosetup, and automate the signing of the installer.

I never sign DLLs.

As far as I know, Windows only checks the installer is signed.

Gary_Smith · March 24, 2022, 2:26am

I also use Sectigo from Ksign and got the pfx cert. It was for a brand new company name so it took a couple of days to get verified but worth the wait.
I use MSIX packaging tool from Microsoft. It builds a package from your setup file that can be installed from your own website link and it works a lot like your own app store. Once the app is downloaded and installed, If you upload an update to your website then all users of the app will be notified of the update and asked if they want to install it. If they click the update button then the update installs automatically. Also it only updates the part of your app that has changed so the update is very fast.
This works great for a company that wants to build an internal app and distribute it to all if its remote employees and also keep it up to date with very little instructions. Just open the app and click the update button if it offers an update.

Tim_Parnell · March 24, 2022, 3:07am

As the author of ExeWrapper I occasionally get asked about this. I’ve massaged some answers I’ve been working on into a blog post.

Please check out the post:
Insights From an Indie Developer Regarding Code-Signing for Windows

If you have any questions, corrections, or comments please don’t hesitate to let me know!

Thom_McGrath · March 24, 2022, 4:53am

A few comments about your blog post:

It might be worth mentioning that EV certificates require some sort of extra verification during signing. At one point we had to mail a USB stick to the issuer so they could put the certificate on it and mail it back. We were told it would not work if moved from the drive, but I have no idea how that could be true. For another issuer, we have to use a Yubikey to generate OTP codes for each file signed, or use their online verification for $10 per file signed. Both options seriously hurt build automation.
Last time I “renewed” with Sectigo, they told me they don’t use D&B anymore. I forget who, but they let some other company hold your business hostage now.
SmartScreen score appears to stay with the certificate. At least, the only time SmartScreen ever interrupts is for a few days after “renewal” for me. Combined with arduous validation, buying the longest certificate you can afford is strongly recommended.

Julien_Courtes1 · March 24, 2022, 9:54am

Hello,
maybe I should start a new thread (if so will delete this) but wanted to know what I should sign when using InnoSetup to create an installer.
Do I have to sign the folder generated by Xojo or the file generated by InnoSetup or both?

Per_Ronny_Westereng · March 24, 2022, 10:21am

The innosetup .exe and your application .exe should be enough

Thom_McGrath · March 24, 2022, 10:33am

I sign everything with code. From my InnoSetup file:

Source: "..\..\Project\Builds - Beacon\Windows 64 bit\Beacon\*.exe"; DestDir: "{app}"; Check: Is64BitInstallMode; Flags: ignoreversion recursesubdirs createallsubdirs signonce
Source: "..\..\Project\Builds - Beacon\Windows 64 bit\Beacon\*.dll"; DestDir: "{app}"; Check: Is64BitInstallMode; Flags: ignoreversion recursesubdirs createallsubdirs signonce
Source: "..\..\Project\Builds - Beacon\Windows 64 bit\Beacon\*"; Excludes: "*.exe,*.dll"; DestDir: "{app}"; Check: Is64BitInstallMode; Flags: ignoreversion recursesubdirs createallsubdirs

Yes, Windows won’t ■■■■■ about the dlls not being signed, but it should. They contain executable code and have a huge influence over your app.

Tim_Parnell · March 26, 2022, 9:25pm

Thanks for the updates!

I’ve elaborated in the section about EV certificates. I think it’s weird that you had to mail them a USB stick. I do think I read somewhere that EV certificates use the smart-card APIs for some kind of temporary voodoo? Could that be how they prevent the certificate from being moved from the drive?

I’ve also added your note about D&B but I cannot confirm it because that was the exact problem a client just had with Sectigo -_-

I wonder what some of the secrets behind SmartScreen score are. My personal certificates have never gotten enough score, but you can get yours in just a few days. Is there a place I can request Microsoft step in?

Thom_McGrath · March 27, 2022, 12:24am

Nothing that I’m aware of. I think it’s just number of downloads. I’m not trying to brag, but I get hundreds of downloads per day.

Tim_Parnell · March 27, 2022, 12:52am

No understandable, I know Beacon has a wider reach by far.

I want an EV, but I don’t want to do the rigamarole with Sectigo and D&B. Did they by chance indicate what kind of registration they will be looking for in the future?

Thom_McGrath · March 27, 2022, 1:03am

They did tell me, but honestly, I forgot. It was a year or two ago, so I’d assume your more recent experience is correct.

Bill_Gookin · March 27, 2022, 2:57am

If you download your installer with Edge (yuck), when you click on the three dots next to it in the downloads menu (or right click it) you can “Report File as Safe.” I did that for mine (signed with a personal certificate), filled out the form explaining who I was and what the software is, and my installer no longer complains on a fresh VM. You might try that.

Mike_D · March 27, 2022, 3:32pm

I went through this recently, and just getting the certificate is still a mess in 2022 - I eventually got things working here: Sectigo Code Signing Certificate Problems - #3 by Mike_D

Sean_Arney · March 28, 2022, 1:27am

I have to renew with Sectigo this month - thanks all for the insights! I use ExeWrapper after building on Win then over to mac for the signing.

Nicholas_Loveday · March 28, 2022, 2:50am

I’ll suggest there is a significant opportunity here for someone to:

a) sort out the whole mess into a unified process to prepare apps ready for the MacOS, iOS and Windows Appstore’s, and

b) document it.

Building an app that runs is only the start. The rest of the challenge to actually get a Xojo app “out there” where users can get it via the stores is undocumented. As for expecting average users to tinker with system settings and Terminal commands… they won’t.

Michel_Bujardet · March 28, 2022, 10:04am

The Microsoft Windows Store does not require signing applications.

Thom_McGrath · March 28, 2022, 11:23am

Really? I find that absurd.

Michel_Bujardet · March 28, 2022, 11:28am

Not really, since Microsoft takes take of signing executables.

Google does the same optionally in the Play Store for Android apps.