View Full Version : Code-signing certificate for SetupBuilder [January 31, 2007]
NewsArchive
02-01-2007, 01:22 AM
All,
Because of Vista, the price for code-signing certificates increased.
We are in contact with Comodo to find out if there is a special offer for
SetupBuilder customers.
So if you need a code-signing certificate, please wait a few days.
--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910
"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes
NewsArchive
02-01-2007, 01:22 AM
Too late<g>.. I bought one last week - 2yrs was $340...twice what it was a
few weeks ago.
Skip
NewsArchive
02-01-2007, 01:22 AM
Is this specific FOR Vista? or is Vista just requireing everything to be
signed?
In other words, will my existing certificate work?
paul macfarlane
NewsArchive
02-01-2007, 01:22 AM
Paul,
> In other words, will my existing certificate work?
Your current cert will work fine.
--
Lee White
http://CWaddons.com
http://LodestarSoftware.com
http://DeveloperPLUS.com
"DOS & CPD. When men were men and we didn't do windows!" Lee White
NewsArchive
02-01-2007, 01:23 AM
Hi Paul,
You are lost if you don't code-sign your installations and applications on
Vista. SetupBuilder 6 can automatically code-sign your application(s) and
the installer.
What Lee said. Your existing certificate will work fine :)
Friedrich
--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910
"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes
NewsArchive
02-01-2007, 01:23 AM
You can get one from tucows for about $75.00 per year.
Greg
NewsArchive
02-01-2007, 01:23 AM
We are working on this one:
Comodo Code Signing Certificate - 1 year.: $79 (instead of $179)
Comodo Code Signing Certificate - 2 year.: $143 (instead of $340)
Comodo Code Signing Certificate - 3 year.: $200 (instead of $500)
--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910
"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes
NewsArchive
02-01-2007, 03:25 AM
Very good initiative Friedrich, appreciate!
Peter
NewsArchive
02-01-2007, 03:25 AM
Thank you, Peter!
Friedrich
NewsArchive
02-01-2007, 12:22 PM
I already sign my installs and will start signing my apps as well (actually
do sign a couple)....
paul macfarlane
NewsArchive
02-01-2007, 12:23 PM
Hi Paul,
Great!
BTW, SetupBuilder 6 can also code-sign your apps. You can use the
"#code-sign application" compiler function.
Friedrich
--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910
"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes
NewsArchive
02-02-2007, 04:15 AM
Friedrich,
Where does the "#code-sign application" go in the script?
Skip
NewsArchive
02-02-2007, 10:19 AM
Skip,
Wherever you want, just make sure it's before the compiler adds the file to
the archive (in other words before the "Install File" function).
We do all the pre-compile stuff in the [ Initialize Setup ] section.
For example:
[ Initialize Setup ]
! --- Define commonly used constants ---
#include script "common definitions.sbi"
#embed Vista manifest "[SB6_POOL]\sbuilder.exe"
#code-sign application "[SB6_POOL]\sbuilder.exe"
#code-sign application "[PROJECT]\Lib\wupdate.exe"
! --- Define standard installer variables ---
Set Variable %WINVER% to "{WINVER}"
....
....
Friedrich
--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910
"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes
NewsArchive
02-02-2007, 10:19 AM
Thanks Friedrich...
Should we also code sign all of the .dlls (including 3rd party) that are
included in the setup? How about .exes that are 3rd party, such as
graphics.exe?
Skip
NewsArchive
02-02-2007, 10:19 AM
Hi Skip,
IMO, there is no need to code-sign all DLLs. But code-signing 3rd party
..exe files is a good idea.
And if you add a Vista-aware manifest, please make sure to include the
Vista-manifest first and then code-sign.
For example, this embeds the Vista-aware manifest into our own sbuilder.exe
and then the compiler code-signs it.
#embed Vista manifest "[SB6_POOL]\sbuilder.exe"
#code-sign application "[SB6_POOL]\sbuilder.exe"
Does this help?
Friedrich
--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910
"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes
NewsArchive
02-02-2007, 12:22 PM
Yep...thanks!
Skip
NewsArchive
02-06-2007, 02:17 AM
So let me get this straight. If I code sign an app using a 2 year
certificate and then I go out of business. My customers can't reinstall my
app a year after the certificate expires???
So now I don't have to worry about expiration dates?? :) And I can blame
it on MS?
I can't tell you how many apps I have that I have purchased over the years
that just work great. Now they won't?
Vista sucks and Linux is looking better and better all the time it seems.
Great for you though :) All those cheap/free/inferior installation builders
will probably never offer what you are. !!
Thanks friedrich.
Andy Morgan
NewsArchive
02-06-2007, 02:18 AM
Andy,
> So let me get this straight. If I code sign an app using a 2 year
> certificate and then I go out of business. My customers can't reinstall my
> app a year after the certificate expires???
No.
The certificate is valid for two years to be used for signing. After
that you need to buy another certificate to continue signing. The
expiration is only for the validity of the certificate for signing,
not for use of the software that was signed.
IOW, a program doesn't expire when your certificate does.
--
Lee White
http://CWaddons.com
http://LodestarSoftware.com
http://DeveloperPLUS.com
"DOS & CPD. When men were men and we didn't do windows!" Lee White
NewsArchive
02-06-2007, 02:18 AM
That would be the case. But there's a provision to have your app
time-stamped at the time you sign it.
A recognized server verifies the date and time the app was signed.
So if it was signed while your certificate was valid, the app remains valid.
Jane Fleming
NewsArchive
02-06-2007, 02:18 AM
> That would be the case. But there's a provision to have your app
> time-stamped at the time you sign it.
> A recognized server verifies the date and time the app was signed.
> So if it was signed while your certificate was valid, the app remains
> valid.
Jane, a couple of doubts since you seem to know about this.
Suppose you -don't- sign your software, does that mean it -won't- run on
Vista at all, or just that it will get this annoying message each time a user
runs it? Also, if the user has absolute trust on you, and you work only with
that user, could he disable the security feature of Vista so he isn't annoyed
about your unsigned soft?
--
Jorge Alejandro Lavera
www.HuenuLeufu.com
www.ClarionTemplates.com
Relief for Clarion Developers.
NewsArchive
02-06-2007, 02:19 AM
Jorge,
I've worked a bit with Public Key Infrastructure in other contexts... so I
have some understanding of certificates.
But at present I'm quite ignorant of Vista... sorry.
Jane
NewsArchive
02-07-2007, 11:05 AM
That's a relief - thank you very much. My Vista investigations haven't
really begun yet - though planned.
Thanks again
Andy
NewsArchive
02-07-2007, 11:05 AM
IMO, it's something you need to do because if you don't, Windows Vista makes
your program to appear as if it's a malware or a virus program. If you
don't code-sign, the "Do you really want to do this?" and "Are you really,
really sure?" dialogs are all over the place in Windows Vista.
Microsoft recommends to code-sign with the following extensions: exe, dll,
ocx, sys, cpl, drv, scr.
I don't think it is possible to disable this Vista feature.
--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910
"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes
NewsArchive
02-07-2007, 11:06 AM
> IMO, it's something you need to do because if you don't, Windows Vista
> makes your program to appear as if it's a malware or a virus program.
> If you don't code-sign, the "Do you really want to do this?" and "Are
> you really, really sure?" dialogs are all over the place in Windows
> Vista.
>
> Microsoft recommends to code-sign with the following extensions: exe,
> dll, ocx, sys, cpl, drv, scr.
>
> I don't think it is possible to disable this Vista feature.
Thank you, Friedrich.
I'll take advantage of your offer, then.
A couple of doubts, if you have the patience to answer:
1) In Vista, if you execute in your local hard drive my exe, you'll get this
warning too?
2) If I buy a certificate say for 1 year, in two years time when a user runs
one of my signed programs purchased and installed in this year, it will get
the annoying message again?
--
Jorge Alejandro Lavera
www.HuenuLeufu.com
www.ClarionTemplates.com
Relief for Clarion Developers.
NewsArchive
02-07-2007, 11:06 AM
Hi Jorge,
> Thank you, Friedrich.
> I'll take advantage of your offer, then.
> A couple of doubts, if you have the patience to answer:
> 1) In Vista, if you execute in your local hard drive my exe, you'll get
> this warning too?
Yes (if it is not code-signed).
> 2) If I buy a certificate say for 1 year, in two years time when a user
> runs one of my signed programs purchased and installed in this year, it
> will get the annoying message again?
No! What Lee said in a previous message. If you buy a certificate for 1
year, the certificate is valid for one year to be used for *signing*. The
validity is *not* for use of the software that was signed.
Friedrich
--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910
"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes
NewsArchive
02-07-2007, 11:06 AM
> Hi Jorge,
>
>> Thank you, Friedrich.
>> I'll take advantage of your offer, then.
>> A couple of doubts, if you have the patience to answer:
>> 1) In Vista, if you execute in your local hard drive my exe, you'll get
>> this warning too?
>
> Yes (if it is not code-signed).
Now I'm being idiot here, but what if the user doesn't have an internet
connection? Or this is no longer possible with Vista? (I mean, not having
an internet connection?)
>> 2) If I buy a certificate say for 1 year, in two years time when a user
>> runs one of my signed programs purchased and installed in this year, it
>> will get the annoying message again?
>
> No! What Lee said in a previous message. If you buy a certificate for 1
> year, the certificate is valid for one year to be used for *signing*.
The
> validity is *not* for use of the software that was signed.
Ahh, now I get it. So the "signed" exe is valid for ever, what I cannot do
is to continue signing programs after the expiration.
> Friedrich
>
--
Jorge Alejandro Lavera
www.HuenuLeufu.com
www.ClarionTemplates.com
Relief for Clarion Developers.
NewsArchive
02-07-2007, 11:07 AM
Yes. But it's only valid "forever" IF you use a recognized time stamp
server to time stamp it when you sign it.
That guarantees to the world that you didn't adjust the clock on your
computer, and the file was really signed while your certificate was still
valid.
There's no additional charge for time stamping. SetupBuilder includes a
space where you can specify which time stamp server you want to use, and I
believe Friedrich's documentation provides a couple of URLs.
The user doesn't need an Internet connection if you use a recognized
certification authority to create your certificate. Microsoft supplies a
list of trusted root certification authorities with Windows, and updates
those with Windows updates from time to time. If your certificate is
traceable back to one of those trusted authorities, your users' computers
will trust it automatically.
Jane Fleming
NewsArchive
02-07-2007, 11:07 AM
Awesome.
Thank you for the information, Jane, and Friedrich too.
All this Vista stuff makes me cry. Fortunately, here in Argentina we won't
see Vista on our clients until at least a year or more, but my
international sales are a different animal.
Jorge A. Lavera
NewsArchive
02-07-2007, 11:07 AM
It is a bit confusing...LOL...
If you have a subscription to clarionmag.com, you might check the articles I
wrote late last year on code-signing and certificates for some basic
background explanation
Fortunately, SetupBuilder makes it easy.
Jane
NewsArchive
02-07-2007, 11:08 AM
Hello,
I don't understand this at all....it sounds like Microsoft is putting up
messages and making you pay to stop them.
What stops me from writing Virus in Clarion, and installing it under
SetupBuilder 6.0 with a certificate and distributing it ... and people will
end up installing my software (VIRUS) without a warning.
What am I missing here?
-Robert
NewsArchive
02-07-2007, 11:08 AM
When somebody discovers the virus or trojan that you've written and signed,
it will be traceable directly back to you. Because it was signed using your
secret key, you'll have a great deal of difficulty successfully repudiating
it.
Jane Fleming
NewsArchive
02-07-2007, 11:08 AM
Hello,
That makes sense - thanks for explaining it to me.
-Robert
NewsArchive
02-07-2007, 11:08 AM
On 6 Feb 2007 13:14:56 -0500, robert paresi wrote:
> I don't understand this at all....it sounds like Microsoft is putting up
> messages and making you pay to stop them.
Its no different conceptually than a secure certificate on a web store.
And youre right, there's nothing stopping a virus author from getting a
cert.
--
Mark
NewsArchive
02-07-2007, 11:09 AM
Thanks for your effort on this! I was about to purchase a 2 year certificate
and was surprised by the huge increase in price.
John
NewsArchive
02-07-2007, 11:09 AM
:)
I think what we see here is that the market price of a good is determined by
both the supply and demand for it. Developers need a code-signing
certificate now to install and run their apps on Vista.
But Comodo is still very reasonable (especially for SetupBuilder 6
customers, I hope <g>). And their staff is very professional and extremely
helpful.
Verisign is $499 for 1 year, $894 for 2 years and $1293 for 3 years.
Unbeliveable. Thawte is $199 for 1 year and $399 for 2 years.
I really hope we can offer the same for $79 / $143 / $200.
--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910
"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes
NewsArchive
02-07-2007, 11:11 AM
Thats what I call a good initiative.
How will I find out, that you can deliver?
Edvard Korsbæk
NewsArchive
02-07-2007, 11:11 AM
Edvard,
I'll keep you all posted here on the newsgroups and on our web site.
Friedrich
NewsArchive
02-07-2007, 11:11 AM
Yes ! I knew it could be done...<g>
paul macfarlane
NewsArchive
02-07-2007, 11:11 AM
What would the cost be for this upgrade be, to get these features, including
the features that do web update's. I am still at Ver 4 that came with C6
Thanks
Les
NewsArchive
02-07-2007, 11:12 AM
Les,
You can upgrade to SetupBuilder 6 Developer Edition for $299.00 (instead of
$399.00).
This includes a 1-year maintenance and support subscription which ensures
that you will always have the latest version of your licensed installation
product without any additional cost during the term of the Plan. You get
every new release, version, and feature enhancement for your licensed
software.
http://store.esellerate.net/s.asp?s=STR9044399608&Cmd=BUY&SKURefnum=SKU8330729719
If you don't have an interest in a 1-year maintenance subscription, you can
upgrade to SetupBuilder 6 Developer Edition for $199.00. This includes a
60-day maintenance subscription.
http://store.esellerate.net/s.asp?s=STR9044399608&Cmd=BUY&SKURefnum=SKU25298326978
If you need further assistance, please let me know.
--
Andrea
Sales and Support, Lindersoft
www.lindersoft.com
1.954.252.3910
"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes
NewsArchive
02-19-2007, 11:45 AM
Thanks, I think it time to do this.
Les
Powered by vBulletin® Version 4.2.5 Copyright © 2024 vBulletin Solutions Inc. All rights reserved.