I give up code signing.



NewsArchive
04-16-2010, 01:53 AM
A little frustrated. After ordering my certificate. Getting (whois) to
match reality. Finally got an email to pick up my certificate. Got my
collection code. Clicked on the button to retrieve it. Entered my
collection code. Clicked on the button to get it.

It shows installation, then successful. So where is it? What file am I
looking for? It did not ask where to put it or tell me where it put it.


I just need a clue.

--
Thanks
Gary Hoffman
http://www.hoffmancomputersystems.com

NewsArchive
04-16-2010, 01:56 AM
Did you follow the recommendation to get your certificate as a file(s),
rather than installing into the machine's CSP?

Jane Fleming

NewsArchive
04-16-2010, 01:57 AM
I don't know. When ordered I accepted the defaults. I don't remember
asking to get it as a file. That is probably the problem. How do I resolve
it? When I received email, it did say I need to get the certificate from
the same machine I ordered it.



--
Thanks
Gary Hoffman
http://www.hoffmancomputersystems.com

NewsArchive
04-16-2010, 01:59 AM
I haven't had to do it myself (because I'm a girl and actually read the
directions and do it right the first time! <G>) but a quick Google of
"export code-signing certificate" turns up a number of hits.
Here's one: http://www.tech-pro.net/export-to-pfx.html

Even if you had specified "in a file", BTW, you'd still have needed to use
the same machine to collect it, as mentioned in this PDF:
http://www.beachbunnysoftware.com/webinar/CodeSign.pdf

HTH

Jane Fleming

NewsArchive
04-16-2010, 02:00 AM
I should have had my daughter do it.

--
Thanks
Gary Hoffman
http://www.hoffmancomputersystems.com

NewsArchive
04-16-2010, 02:01 AM
> I haven't had to do it myself (because I'm a girl and actually read the
> directions and do it right the first time! <G>) but a quick Google of
> "export code-signing certificate" turns up a number of hits.
> Here's one: http://www.tech-pro.net/export-to-pfx.html
>
> Even if you had specified "in a file", BTW, you'd still have needed to use
> the same machine to collect it, as mentioned in this PDF:
> http://www.beachbunnysoftware.com/webinar/CodeSign.pdf

Not to take anything away from Gary's "mistakes" in the process - I made
MORE than my share a little less than 3 years ago, and Comodo support
really helped me out -

but THAT is WHY your CodeSign.pdf should be "Mandatory Reading" ! ! ! :-D

David

--
From David Troxell - Product Scope 7.9 - Encourager Software
Product Scope 7 Viewer - NO Registration Fee! Free to Use!
http://www.encouragersoftware.com/
http://www.encouragersoftware.com/profile/microsoft-office-2010.html

NewsArchive
04-16-2010, 02:01 AM
Gary,

> I don't know. When ordered I accepted the defaults. I don't remember
> asking to get it as a file. That is probably the problem. How do I
> resolve it. When I received email, it did say I need to get the
> certificate from the same machine I ordered it.

There are quite a few interesting articles available. For example:

http://www.lindersoft.com/forums/showthread.php?t=8279

http://www.beachbunnysoftware.com/webinar/CodeSign.pdf

http://www.lindersoft.com/forums/showthread.php?t=9498

http://www.lindersoft.com/forums/showthread.php?t=23062

I assume you did not use the "into the CSP" option and now you have the
certificate in your certificate "pool" (Internet Explorer -> Tools ->
Internet Options -> Content -> Certificates).

You have to export it to get your hands on a .pfx or .spc/.pvk

Friedrich

NewsArchive
04-16-2010, 02:02 AM
And here is a direct link to the "Converting a PFX file to SPC and PVK
files" Comodo support page:

https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1089&nav=0,96,7

Friedrich

NewsArchive
04-16-2010, 02:03 AM
Bearing in mind I am having to go through this process soon myself again I
would like to ask a question:

WHY in these days does (a) the order have to be via an XP machine and (b) is
the process so darned complex? Fortunately I still have XP but being as XP
is not being supported now it seems crazy.

Last time I renewed my 3 year certificate I had to jump through so many
hoops despite sending them copies of my USA company registration, copy of
bank statements, proof of identity etc. etc.

Of course my problem is even more difficult as one company I own is
registered in Florida, the accounts are prepared there but I actually live
in the UK. But in these days that should not be very unusual!

I accept this information has to be sent but even then they make it so
difficult.

This is such a large organization that I cannot believe they can make life
easier to buy something.

Curious and interested.

John Fligg

NewsArchive
04-16-2010, 02:05 AM
Gary,

If you did not follow the recommendation and installed instead, in IE you
can go to tools/Internet Options/Content Tab/Click on Certificates and see
it. Then you can export it as a PFX certificate.

Abe Jimenez

NewsArchive
04-16-2010, 02:08 AM
Here are some pictures that may help.

Abe Jimenez

NewsArchive
04-16-2010, 02:09 AM
Thanks Abe. I now have a pfx file. Just need to figure out how it becomes
a mykey.spc file. More reading.

I am glad I purchased a 3 year plan. I would hate to do this each year.



--
Thanks
Gary Hoffman
http://www.hoffmancomputersystems.com

NewsArchive
04-16-2010, 02:10 AM
Actually, a pfx file can do you. But you'll need to get signtool.exe from
Microsoft to use it.

There's an explanation in that PDF I mentioned:
http://www.beachbunnysoftware.com/webinar/CodeSign.pdf

David Troxell has a blog with his preferred way to get signtool:
http://profileexchanges.com/downloads/making-app-data-uac-vista-windows-7-safe-chm.zip

Jane Fleming

NewsArchive
04-16-2010, 02:11 AM
You don't need signtool. See image.

Abe Jimenez

NewsArchive
04-16-2010, 02:12 AM
Yes, I see the image.

So you're saying SetupBuilder works for you to code-sign with a PFX file
without having to specify a location for signtool.exe (see image) ?

Jane Fleming

NewsArchive
04-16-2010, 02:13 AM
Yes'm

Abe Jimenez

NewsArchive
04-16-2010, 02:13 AM
Interesting.
I just installed SB on a clean machine, and it wouldn't use a PFX with the
default.

Could you possibly post a screen shot of the same window I posted?

Jane

NewsArchive
04-16-2010, 02:14 AM
Did your clean install of SB include this file or did I get a special one? Mine is 7.1.2860

Abe Jimenez

NewsArchive
04-16-2010, 02:15 AM
I installed 7.2.2925.

But I don't understand your question, Abe.

Like every version of SB I can recall installing, it installed the old
signcode.exe, NOT the newer signtool.exe which is needed to use a PFX for
signing.

Jane Fleming

NewsArchive
04-16-2010, 02:16 AM
Jane,

What I'm saying is that I don't recall installing signtool and that it is in
the SB folder (not where MS installers would have put it). Was this ever
included in the SB install?

Regards,
Abe

NewsArchive
04-16-2010, 02:17 AM
Not that I know of, Abe.
Perhaps Friedrich can speak to that tomorrow.

The attached from the current SB help file says you have to find and
download it.

Some guy named Jimenez ;-) has something to say about that in this thread:
http://www.lindersoft.com/forums/showthread.php?t=21562&highlight=distributed


Jane

NewsArchive
04-16-2010, 02:18 AM
Never mind. The answer is in a post I made in this newsgroup on 12/2 last
year. Apparently I did install signtool and forgot.

Abe Jimenez

NewsArchive
04-16-2010, 02:18 AM
Welcome to the world of being blonde <G>

Jane Fleming

NewsArchive
04-16-2010, 02:18 AM
I can get gray but not blond :-)

Abe Jimenez

NewsArchive
04-16-2010, 02:21 AM
> I can get gray but not blond :-)

Haven't you heard?

Gray IS the new Blonde<g>

:-)

Charles


--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
www.clarionproseries.com - "Get ProPath, make your Clarion programs ready
for Windows 7 and Vista!"
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.clarionproseries.com - "Serious tools for Clarion Developers"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms!"
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

NewsArchive
04-16-2010, 02:23 AM
Sorry. Never looked at that. I guess SB put it there. I sure as heck don't remember installing it.

Abe Jimenez

NewsArchive
04-16-2010, 02:24 AM
The problem is that Microsoft changed its redistribution license, and
Friedrich (and others) aren't allowed to distribute it. So he supplies the
old signcode.exe which pops up a window and doesn't work with PFX files.

Unless something has changed...
But as I just posted, you made me curious so I installed the latest
pre-release version on a new machine and it installed signcode, not
signtool. And signcode won't work with a pfx.

Jane

NewsArchive
04-16-2010, 02:25 AM
Maybe I got in before the rules changed. This was in Nov last year.

Abe Jimenez

NewsArchive
04-16-2010, 02:25 AM
Hi Jane,

> The problem is that Microsoft changed its redistribution license, and
> Friedrich (and others) aren't allowed to distribute it. So he supplies
> the old signcode.exe which pops up a window and doesn't work with PFX
> files.
>
> Unless something has changed...
> But as I just posted, you made me curious so I installed the latest
> pre-release version on a new machine and it installed signcode, not
> signtool. And signcode won't work with a pfx.

You are right. SetupBuilder never installed a version of signtool.exe
(required to make use of the .pfx).

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

SetupBuilder is Windows 7 installation -- "point. click. ship"

-- Official Comodo Code Signing and SSL Certificate Partner

NewsArchive
04-16-2010, 02:27 AM
> Actually, a pfx file can do you. But you'll need to get signtool.exe from
> Microsoft to use it.
>
> There's an explanation in that PDF I mentioned:
> http://www.beachbunnysoftware.com/webinar/CodeSign.pdf
>
> David Troxell has a blog with his preferred way to get signtool:
> http://profileexchanges.com/downloads/making-app-data-uac-vista-windows-7-safe-chm.zip

Gary,

You must understand - I DO defer to Jane's expert opinion on everything
related to Code Signing - EXCEPT for obtaining signtool.exe! :-D

The link posted above is the CHM version of the blog (the blog itself only
describes what is in the CHM) - refer to help topic - Signtool.exe

You download and install a small Windows SDK Setup Wizard file -
winsdk_web.exe - on install options - only check Win32 Development tools -
see screen shot - and it installs signtool.exe - pvk2pfx.exe to a location
you have chosen.

David

--
From David Troxell - Product Scope 7.9 - Encourager Software
Product Scope 7 Viewer - NO Registration Fee! Free to Use!
http://www.encouragersoftware.com/
http://www.encouragersoftware.com/profile/microsoft-office-2010.html

NewsArchive
04-16-2010, 02:29 AM
Gary,

Are you set now? I know Jane and I sort of drifted away from your issue.

Abe Jimenez

NewsArchive
04-16-2010, 02:30 AM
Did you by any chance use Firefox when downloading? Don't do that! (Trust
me, I've been there).

Follow the links provided by Friedrich to correct.

HTH
Peter

NewsArchive
04-16-2010, 02:30 AM
I used internet explorer.

--
Thanks
Gary Hoffman
http://www.hoffmancomputersystems.com

NewsArchive
04-16-2010, 02:30 AM
>I used internet explorer.



Have you tried searching for the file?

Any mykey.* with the correct date?

Steve

--
Neural Planner Software Ltd www.NPSL1.com
EasyNN-plus. Neural Networks plus. www.easynn.com
SwingNN. Forecast with Neural Networks. www.swingnn.com
JustNN. Just Neural Networks. www.justnn.com

NewsArchive
04-16-2010, 02:38 AM
Hi John,

> Bearing in mind I am having to go through this process soon myself again I
> would like to ask a question:
>
> WHY in these days does (a) the order have to be via an XP machine and (b)
> is the process so darned complex? Fortunately I still have XP but being as
> XP is not being supported now it seems crazy.

Absolutely. But that's a question for Microsoft <g>. They introduced these
nice restrictions <g>. Comodo (or other WebTrusts) can't do anything here.
All this stuff is powered by Microsoft Authenticode technology.

> Last time I renewed my 3 year certificate I had to jump through so many
> hoops despite sending them copies of my USA company registration, copy of
> bank statements, proof of identity etc. etc.
>
> Of course my problem is even more difficult as one company I own is
> registered in Florida, the accounts are prepared there but I actually live
> in the UK. But in these days that should not be very unusual!
>
> I accept this information has to be sent but even then they make it so
> difficult.
>
> This is such a large organization that I cannot believe they can make life
> easier to buy something.
>
> Curious and interested.

All WebTrust "agencies" have to follow the very same strict rules. So you
would experience the same problems with other "Certification Authorities".

BTW, two years ago, we had to request a VeriSign certificate (Microsoft
Partner Program). And you know what? VeriSign did not accept our documents
and they did not issue us a certificate. I told them that we are a Comodo
(the world's 2nd largest WebTrust Compliant Certification Authority) Partner
and that we have quite a few customers and that I would make this story
public. They did not care at all <g>. Please note that those companies
sell 500+ certificates PER HOUR! This is a money making machine. You, the
individual, count for nothing. But Comodo is the nicest WebTrust to work with,
believe me! I will never ever in my life do business with VeriSign again.
But of course, they don't lose sleep over it.

Friedrich

NewsArchive
04-16-2010, 05:10 AM
I can back up the VeriSign experience as I was part of it.

Moreover, when I requested the same VeriSign certificate (for DMC certifications with Microsoft) they refused to sell me one as I was (at that time) considered as an
"individual" and not a registered company.

I had to ask a good friend in the USA to do the request for me and believe me he had to provide a public notary letter to confirm his address and phone number ONLY because
his company was not listed as such in the yellow pages (he was using another name there more user friendly).

VeriSign is to be _avoided_


Merci

Cordialement - Best regards
Jean-Pierre GUTSATZ

CGF

DMC - Data Management Center
A tool to let you Migrate Import Export Transfer your Data
www.dmc-fr.com
Certified by Microsoft : "Works with Vista" &
"Works with Windows Server 2008"

NewsArchive
04-17-2010, 01:52 AM
Friedrich,

I know Vista was never supported, but is W7?

--
Regards,
Abe Jimenez
Clarion 7.1.7014 EE Windows 7 Pro 64 Bit

NewsArchive
04-17-2010, 01:53 AM
Abe,

>
> I know Vista was never supported, but is W7?
>

W7 has the very same underlying technology ;-)

Of course, you can use Vista/W7 to order your certificate (the "in the file"
option is not available, only the "in the CSP"). But if you would like to
have it as spc/pvk, then it's complicated. You have to "export" it from the
certificate "pool" to a pfx and then use OpenSSL to convert it.

Friedrich

NewsArchive
04-17-2010, 01:53 AM
BTW, and it can only be exported from the CSP in Vista/W7 if the
"Exportable" option (the default) is marked when you request the
certificate.

Friedrich

NewsArchive
04-17-2010, 01:54 AM
No. But I did hear that gray is an old blond.

Abe Jimenez

NewsArchive
04-17-2010, 01:55 AM
I am not quite good to go. I have had other things to deal with. I do have
the pfx file. I now need to download the newest signtool.exe. Hopefully
that will be the end.



--
Thanks
Gary Hoffman
http://www.hoffmancomputersystems.com

NewsArchive
04-17-2010, 01:55 AM
Gary,

> I am not quite good to go. I have had other things to deal with. I do
> have the pfx file. I now need to download the newest signtool.exe.
> Hopefully that will be the end.

After you have downloaded and "extracted" signtool.exe, you only have to
register it in the SetupBuilder IDE (Tools | Options... | File Locations)
and the compiler can make use of your new PFX.

Friedrich

NewsArchive
04-17-2010, 01:56 AM
> I am not quite good to go. I have had other things to deal with. I do have
> the pfx file. I now need to download the newest signtool.exe. Hopefully
> that will be the end.

Gary,

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=c17ba869-9671-4330-a63e-1fd44e0e2505

Download - winsdk_web.exe - Windows SDK Setup Wizard

Install it - Installation Options - Only Win32 Development tools needs to
be chosen

signtool.exe - pvk2pfx.exe

If you chose the default install locations, the files will be installed in
this folder:

C:\Program Files\Microsoft SDKs\Windows\v7.0\bin

David


--
From David Troxell - Product Scope 7.9 - Encourager Software
Product Scope 7 Viewer - NO Registration Fee! Free to Use!
http://www.encouragersoftware.com/
http://www.encouragersoftware.com/profile/microsoft-office-2010.html

NewsArchive
04-19-2010, 01:42 AM
> but THAT is WHY your CodeSign.pdf should be "Mandatory Reading" ! ! ! :-D

Hear hear. Never read it but sounds like essential reading. I am about to
dip into this in the very near future and am dreading it.

J André Labuschagné

NewsArchive
04-19-2010, 01:43 AM
>> but THAT is WHY your CodeSign.pdf should be "Mandatory Reading" ! ! ! :-D
>
> Hear hear. Never read it but sounds like essential reading. I am about to
> dip into this in the very near future and am dreading it.

Andre,

If you review these two resources before going through the order process,
then the process will be easier.

Product Description - CodeSign May2009 - Clarion Live!, MFG - Jane Fleming
Internet Link - http://www.beachbunnysoftware.com/webinar/

One of the first screen shots in Jane's PDF or CHM is critical:

Advanced private Key Options - be sure to check Key filename - in the file

Also - Use the operating system W2K or XP AND Internet Explorer to order
AND be sure to use the SAME computer throughout the process!

http://www.lindersoft.com/forums/showthread.php?t=8279

Hal Heindel posted an excellent set of Do's and Don'ts for the process as
well with followup comments by Friedrich Linder!

David

--
From David Troxell - Product Scope 7.9 - Encourager Software
Product Scope 7 Viewer - NO Registration Fee! Free to Use!
http://www.encouragersoftware.com/
http://www.encouragersoftware.com/profile/microsoft-office-2010.html

NewsArchive
04-19-2010, 01:44 AM
> This is a money making machine.

To me the entire exercise has been a money making machine from the get go.

J André Labuschagné

NewsArchive
04-19-2010, 01:45 AM
But the Microsoft mind meld has worked on me, André....

Now I personally do a double-take when I see the "unsigned" warning screen
(pic).

What code-signing does is to guarantee two things:
1. Who vouches for the software (non-repudiation)
2. That the software hasn't changed since it was signed (change even 1 byte
with a hex editor and again you'll see the yellow warning screen).

And with the amount of malware and nasty people in the world, I think those
are valid concerns.

Jane
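
The second guarantee Jane lists, as an added example that is not part of the original thread: a PowerShell script that signs a constructed sample script with a throwaway self-signed certificate, changes one byte, and reads the Authenticode status before and after. It assumes Windows 10 or later (for `New-SelfSignedCertificate -Type CodeSigningCert`); the function name, subject name and temp paths are constructed for the example.

```powershell
# Added example, not from the thread. The certificate and sample file are
# constructed here and removed again in the finally block.
function Test-SignatureTamper {
    $work = Join-Path $env:TEMP ('sigdemo_' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $work | Out-Null
    $target = Join-Path $work 'sample.ps1'
    Set-Content -Path $target -Value 'Write-Output "hello"' -Encoding ASCII

    # Throwaway code-signing certificate in the current user's store.
    $cert = New-SelfSignedCertificate -Type CodeSigningCert `
        -Subject 'CN=Constructed Demo Signer' `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -NotAfter (Get-Date).AddDays(1)
    try {
        $null = Set-AuthenticodeSignature -FilePath $target -Certificate $cert -HashAlgorithm SHA256
        $before = Get-AuthenticodeSignature -FilePath $target

        # Flip one bit in the first byte of the signed content,
        # the same kind of change a hex editor would make.
        $bytes = [System.IO.File]::ReadAllBytes($target)
        $bytes[0] = $bytes[0] -bxor 0x01
        [System.IO.File]::WriteAllBytes($target, $bytes)
        $after = Get-AuthenticodeSignature -FilePath $target

        # Status is a SignatureStatus value. Valid requires a chain to a
        # trusted root, which a self-signed certificate does not have;
        # HashMismatch means the file no longer matches the signed hash.
        foreach ($pair in @(@('as signed', $before), @('one byte changed', $after))) {
            [pscustomobject]@{
                State         = $pair[0]
                Signer        = $pair[1].SignerCertificate.Subject
                Status        = $pair[1].Status
                StatusMessage = $pair[1].StatusMessage
            }
        }
    }
    finally {
        # Remove the throwaway certificate (with its private key) and the files.
        Remove-Item -Path ('Cert:\CurrentUser\My\' + $cert.Thumbprint) -DeleteKey
        Remove-Item -Path $work -Recurse -Force
    }
}

Test-SignatureTamper | Format-List
```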

NewsArchive
04-19-2010, 01:46 AM
Hi Jane

I agree with you. The more I see it the more it seems to make sense. It
seems that with the myriads of MS bashers out there [and I am sure you can
fill a planet with them] there was little else they could do. Maybe I am
being too cynical.

Prepare for zillions of questions when we take the dip. We need to do so in
the not too distant future. Thanks for your excellent work on explaining
this to all of us blonds - oops I meant ancient greys, or should that be
grays.

Cheers
Andre

NewsArchive
04-19-2010, 01:47 AM
Too late - cover is blown. Now we know who made the Nazca lines <g>


> oops I meant ancient greys,

--
Russell B. Eggen
www.radfusion.com
Clarion developers: www.radfusion.com/devs.htm

NewsArchive
04-19-2010, 02:36 AM
Hi David

Thanks - will do.

Cheers
Andre

NewsArchive
04-19-2010, 02:36 AM
<vbg>

J André Labuschagné

NewsArchive
04-20-2010, 09:23 AM
Okay I'm Back. With success.

First thanks for everyone's help. Abe your images helped & Jane I did read
your document. Thanks to all others who contributed. I read every thread.

A few thoughts after this experience.
1. Always purchase a 3 year certificate. You don't want to do this more
than 3 times a decade.

2. I did use a Vista computer to receive the certificate. Now that I know
the process I think it is easier on Vista (I don't have an XP anyway).
Abe's images helped me retrieve the certificates.

3. Jane's pdf on setting up signtool & including it in SB is mandatory
reading. However for Vista you should have a pfx file you already exported.
So you can start the document at the point of setting up signtool.

4. When purchasing I do not remember giving them a key password. I believe
they used my original password. So I suggest you use something you would
use on a regular basis.

5. After compiling I still got error -01.

6. I had to go to the script editor. Click on the code-sign application.
Point to the pfx file.

7. Try to do this when you don't have other things on your plate. The
problem is there is no warning. All of a sudden you can't code sign. So
making note of your expiration is important.


Now I have just one question. In my original message, backing up the
certificate was mentioned. What do I back up, just the pfx file?

I will be getting a new computer soon. Do I need to retrieve the
certificate in Internet Explorer to my new computer or just the pfx file?


Again thanks to everyone. I can now go back to programming.


--
Thanks
Gary Hoffman
http://www.hoffmancomputersystems.com

NewsArchive
04-20-2010, 09:24 AM
The PFX file can be backed up and copied from computer to computer.
And/or if you have spc and pvk files, copy them as a pair.
That's why I recommend getting them as a file, because once they're
collected they're independent of the computer you bought them on.

The new (development) build of SetupBuilder includes presets for
code-signing, so you won't have to do as much typing in the project
properties and compiler directives.

If code-signing suddenly fails and your certificate hasn't expired, it's
possible that the timestamp server you're using is down. Try switching to
the other one.


Jane
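
One way to script the checks raised in the two posts above (note the expiry date, keep the PFX as the portable copy, switch timestamp servers when signing suddenly fails), as an added example that is not part of the original thread or of SetupBuilder. The timestamp URLs are placeholders, the parameter names are made up for the example, and the default signtool path is the SDK location quoted elsewhere in this thread.

```powershell
# Added example, not from the thread. Timestamp URLs are placeholders:
# replace them with the servers your certificate authority documents.
param(
    [Parameter(Mandatory = $true)] [string] $PfxPath,
    [Parameter(Mandatory = $true)] [string] $FileToSign,
    [string]   $SignTool = 'C:\Program Files\Microsoft SDKs\Windows\v7.0\bin\signtool.exe',
    [string[]] $TimestampUrls = @('http://timestamp.primary.example',
                                  'http://timestamp.secondary.example'),
    [int]      $WarnDays = 90
)

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
$PfxPath = (Resolve-Path $PfxPath).Path

# Load the PFX to inspect it before handing it to signtool.
$secure = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $secure)

if (-not $cert.HasPrivateKey) {
    throw "PFX '$PfxPath' holds no private key; it cannot be used for signing."
}
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$usages = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
if ($usages -notcontains $CodeSigningOid) {
    throw "Certificate '$($cert.Subject)' is not marked for code signing."
}
$daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
if ($daysLeft -lt 0) {
    throw "Certificate expired on $($cert.NotAfter)."
}
if ($daysLeft -lt $WarnDays) {
    Write-Warning "Certificate expires in $daysLeft days ($($cert.NotAfter)); plan the renewal."
}

# signtool takes the PFX password as plain text on its command line,
# so keep the plain copy only for the duration of the signing loop.
$plain = (New-Object System.Net.NetworkCredential('', $secure)).Password
$signed = $false
try {
    foreach ($url in $TimestampUrls) {
        # /t works with every signtool build; newer SDK builds also accept
        # /fd, /tr and /td for SHA-256 digests and RFC 3161 timestamps.
        & $SignTool sign /f $PfxPath /p $plain /t $url $FileToSign
        if ($LASTEXITCODE -eq 0) { $signed = $true; break }
        Write-Warning "Signing with timestamp server $url failed (exit code $LASTEXITCODE); trying the next one."
    }
}
finally {
    $plain = $null
}
if (-not $signed) {
    throw "Signing failed with every configured timestamp server."
}

# Confirm the result with the default Authenticode verification policy.
& $SignTool verify /pa /v $FileToSign
if ($LASTEXITCODE -ne 0) {
    throw "signtool verify reported a problem with '$FileToSign'."
}
```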

NewsArchive
04-20-2010, 09:25 AM
>Now I have just one question. In my original message, backing up the
>certificate was mentioned. What do I back up, just the pfx file?
>
>I will be getting a new computer soon. Do I need to retrieve the
>certificate in Internet Explorer to my new computer or just the pfx file?

I put everything I needed for code signing in a folder called
CodeSign. I copy it to any backup drives and other computers.

SB7 uses the CodeSign folder and so works on any of my computers.

Steve

--
Neural Planner Software Ltd www.NPSL1.com
EasyNN-plus. Neural Networks plus. www.easynn.com
SwingNN. Forecast with Neural Networks. www.swingnn.com
JustNN. Just Neural Networks. www.justnn.com

NewsArchive
04-20-2010, 09:26 AM
Gary,

Glad you finally got it working. I sure didn't have a lot of fun getting it
to work either. I bought my 3 year certificate in Nov and I'm hoping things
will be easier in 2 1/2 years. In any case, next time I think we'll be able
to just export the file from IE like you just did and put it in the same
location where the old file is. The signtool will already be there for you.
So it shouldn't be so bad.

As for backups, I have a backup program that copies all my source code
folders to an external drive. I put a folder there with my certificate and
after Jane set me straight on the fact I need signtool I copied that there
too. So they both get backed up every night. If I can get my source code,
I can get what I need to sign files.

--
Regards,
Abe Jimenez
Clarion 7.1.7075 EE Windows 7 Pro 64 Bit