Windows code signing in 2021

Adam – you are correct that GoDaddy no longer provides code signing certificates (as of 2021).

While I normally develop software on the Mac, and I’ve heard of the very cool ExeWrapper tool, in this case I’m only building a Windows-only application on native Windows hardware.

I have used both Comodo signing certificates, which I bought from Ksign, and Digicert.

I regularly use the ksign utility I got from ksoftware. It automates signing just as nicely as AppWrapper on Mac. And works with any certificate in P12 or Pfx form.

I sign the executable itself, as well as the installer.

Note that some installer builders, like Innosetup, and automate the signing of the installer.

I never sign DLLs.

As far as I know, Windows only checks the installer is signed.

1 Like

I also use Sectigo from Ksign and got the pfx cert. It was for a brand new company name so it took a couple of days to get verified but worth the wait.
I use MSIX packaging tool from Microsoft. It builds a package from your setup file that can be installed from your own website link and it works a lot like your own app store. Once the app is downloaded and installed, If you upload an update to your website then all users of the app will be notified of the update and asked if they want to install it. If they click the update button then the update installs automatically. Also it only updates the part of your app that has changed so the update is very fast.
This works great for a company that wants to build an internal app and distribute it to all if its remote employees and also keep it up to date with very little instructions. Just open the app and click the update button if it offers an update.

As the author of ExeWrapper I occasionally get asked about this. I’ve massaged some answers I’ve been working on into a blog post.

Please check out the post:
Insights From an Indie Developer Regarding Code-Signing for Windows

If you have any questions, corrections, or comments please don’t hesitate to let me know!

2 Likes

A few comments about your blog post:

  • It might be worth mentioning that EV certificates require some sort of extra verification during signing. At one point we had to mail a USB stick to the issuer so they could put the certificate on it and mail it back. We were told it would not work if moved from the drive, but I have no idea how that could be true. For another issuer, we have to use a Yubikey to generate OTP codes for each file signed, or use their online verification for $10 per file signed. Both options seriously hurt build automation.

  • Last time I “renewed” with Sectigo, they told me they don’t use D&B anymore. I forget who, but they let some other company hold your business hostage now.

  • SmartScreen score appears to stay with the certificate. At least, the only time SmartScreen ever interrupts is for a few days after “renewal” for me. Combined with arduous validation, buying the longest certificate you can afford is strongly recommended.

Hello,
maybe I should start a new thread (if so will delete this) but wanted to know what I should sign when using InnoSetup to create an installer.
Do I have to sign the folder generated by Xojo or the file generated by InnoSetup or both?

1 Like

The innosetup .exe and your application .exe should be enough

I sign everything with code. From my InnoSetup file:

Source: "..\..\Project\Builds - Beacon\Windows 64 bit\Beacon\*.exe"; DestDir: "{app}"; Check: Is64BitInstallMode; Flags: ignoreversion recursesubdirs createallsubdirs signonce
Source: "..\..\Project\Builds - Beacon\Windows 64 bit\Beacon\*.dll"; DestDir: "{app}"; Check: Is64BitInstallMode; Flags: ignoreversion recursesubdirs createallsubdirs signonce
Source: "..\..\Project\Builds - Beacon\Windows 64 bit\Beacon\*"; Excludes: "*.exe,*.dll"; DestDir: "{app}"; Check: Is64BitInstallMode; Flags: ignoreversion recursesubdirs createallsubdirs

Yes, Windows won’t ■■■■■ about the dlls not being signed, but it should. They contain executable code and have a huge influence over your app.

Thanks for the updates!

I’ve elaborated in the section about EV certificates. I think it’s weird that you had to mail them a USB stick. I do think I read somewhere that EV certificates use the smart-card APIs for some kind of temporary voodoo? Could that be how they prevent the certificate from being moved from the drive?

I’ve also added your note about D&B but I cannot confirm it because that was the exact problem a client just had with Sectigo -_-

I wonder what some of the secrets behind SmartScreen score are. My personal certificates have never gotten enough score, but you can get yours in just a few days. Is there a place I can request Microsoft step in?

Nothing that I’m aware of. I think it’s just number of downloads. I’m not trying to brag, but I get hundreds of downloads per day.

No understandable, I know Beacon has a wider reach by far.

I want an EV, but I don’t want to do the rigamarole with Sectigo and D&B. Did they by chance indicate what kind of registration they will be looking for in the future?

They did tell me, but honestly, I forgot. It was a year or two ago, so I’d assume your more recent experience is correct.

If you download your installer with Edge (yuck), when you click on the three dots next to it in the downloads menu (or right click it) you can “Report File as Safe.” I did that for mine (signed with a personal certificate), filled out the form explaining who I was and what the software is, and my installer no longer complains on a fresh VM. You might try that.

I went through this recently, and just getting the certificate is still a mess in 2022 - I eventually got things working here: Sectigo Code Signing Certificate Problems - #3 by Mike_D

1 Like

I have to renew with Sectigo this month - thanks all for the insights! I use ExeWrapper after building on Win then over to mac for the signing.

I’ll suggest there is a significant opportunity here for someone to:

a) sort out the whole mess into a unified process to prepare apps ready for the MacOS, iOS and Windows Appstore’s, and

b) document it.

Building an app that runs is only the start. The rest of the challenge to actually get a Xojo app “out there” where users can get it via the stores is undocumented. As for expecting average users to tinker with system settings and Terminal commands… they won’t.

The Microsoft Windows Store does not require signing applications.

Really? I find that absurd.

Not really, since Microsoft takes take of signing executables.

Google does the same optionally in the Play Store for Android apps.

I snipped your quote because there is no unified process. Someone could make an app for that, but @Sam_Rowlands already goes most of the distance on macOS. The process changes so frequently, I personally think App Wrapper is a charity to us. I feel that anyone who distributes commercially for Mac should buy App Wrapper (within reason).

The rest of it, preparing apps for the app stores, well that’s uh part of my livelihood / business model. Researching these things takes a lot longer than most Xojo users are aware. Excuse me for not documenting it publicly :sweat_smile:

If you have finished building your app and need to have it professionally prepared for the app stores, it’s one of the services I offer - XojoConsulting.com

3 Likes