Digital Code Sign



NewsArchive
09-09-2010, 01:08 AM
Hi Guys,

I have to Digital Code Sign one of my apps, but never done this before.

Not sure where to start and what will be the easiest, yet most
cost-effective approach. I've noticed the public code-sign certificates are
quite expensive, in the region of $200-00 per annum. Is the public
certificate a requirement?

Any help will be appreciated.
Regards, Rupert

NewsArchive
09-09-2010, 01:10 AM
1. You can purchase the Comodo certificate at USD200/ 3 years.

2. If your application is RUPERT.EXE... to sign the EXE under Comodo,
simply perform the following:

SIGNCODE -spc mykey.spc -v mykey.pvk RUPERT.EXE

3. You can also codesign the RUPERT.EXE when you are creating the
installer with SetupBuilder.

Thanks.

Kelvin Chua
SINGAPORE

NewsArchive
09-09-2010, 01:13 AM
Rupert,

> I have to Digital Code Sign one of my apps, but never done this before.
>
> Not sure where to start and what will be the easiest, yet most
> cost-effective approach. I've noticed the public code-sign certificates
> are quite expensive, in the region of $200-00 per annum. Is the public
> certificate a requirement?

You can buy discounted original Comodo certificates through Lindersoft (e.g.
a 3-year certificate for $200 instead of $500).

http://www.lindersoft.com/order_codesigning.htm

Here are some very interesting resources:
http://www.beachbunnysoftware.com/webinar/CodeSign.pdf
http://www.lindersoft.com/forums/showthread.php?t=8279
http://www.lindersoft.com/forums/showthread.php?t=9498

BTW, SetupBuilder can code-sign your install/uninstall and all your
application files for you.

If there is any further question, just ask.

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

SetupBuilder is Windows 7 installation -- "point. click. ship"

-- Official Comodo Code Signing and SSL Certificate Partner

NewsArchive
09-09-2010, 01:14 AM
BTW, I would strongly suggest to request a 3-year certificate. I can
guarantee that you don't want to go through all the hassle once a year!

A Verisign Code Signing Digital ID costs $499 for 1 year, $895 for 2 years
and $1,295 for 3 years. A Thawte Code Signing Digital ID costs $299 for 1
year and $549 for 2 years. A Go Daddy Code Signing Certificate costs $199.99
for 1 year, $359.98 for 2 years and $509.97 for 3 years.

An original Comodo Code Signing Certificate via Lindersoft costs $79 for 1
year, $143 for 2 years and $200 for 3 years!

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910


NewsArchive
09-09-2010, 01:14 AM
Friedrich ... and for 3 years you must not re-install your OS ??

So it's better to do it from a machine that is used as a 'build server' and
distribution builder ??

kind regards..

ben

NewsArchive
09-09-2010, 01:14 AM
Hi Ben,

> Friedrich ... and for 3 years you must not re-install your OS ??
>
> So it's better to do it from a machine that is used as a 'build server'
> and distribution builder ??

There is no need to reinstall the OS! You only need new certificate files
and you are ready to go. You can use the "portable" .spc/.pvk or .pfx files
on any machine (even at the same time).

For example, our own Comodo certificate is due to expire next Friday. We
ordered a new one and received it yesterday (valid until 09/2013). We just
replace the old certificate files with the new ones and we are back in
business.

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910


NewsArchive
09-09-2010, 01:15 AM
thanks ...

the 'portable' part sounds good

I am currently signing our inhouse apps with a self-generated certificate ...
and it works great ...

Ben

NewsArchive
09-09-2010, 01:15 AM
Hi Ben,

> the 'portable' part sounds good
>
> I am currently signing our inhouse apps with a self-generated certificate
> ...
> and it works great ...

Yes, anyone can create their own digital signature, but Windows only
"trusts" signatures that have been created by certain third parties
(Microsoft root certificate program members). For example, Comodo,
VeriSign, or Thawte.

For example, if you send me one of your application files that is
code-signed with your own self-generated file, it will still report "Unknown
User yada". That means it is still treated as an "unsigned file" and
Windows still displays scary looking warnings when customers download or run
it. And if the UAC-aware operating system (Vista, Windows Server 2008,
Windows 7, Windows Server 2008 R2) has the "User Account Control: Only
elevate executables that are signed and validated" security policy enabled
(quite a few companies are doing this today), then your install can't be
used at all.

So it makes a lot of sense to digitally sign your software with a trusted
certificate if you are distributing it.

BTW, that's why this code-signing business is a real money making machine
<g>. Without a trusted code-signing ("Authenticode") certificate, you are
lost.

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910


NewsArchive
09-09-2010, 01:15 AM
What we did is implemented the signature files on all the computers as a
trusted root, so it does not pop that up INTERNALLY.... lol

Kind Regards

Ben

NewsArchive
09-09-2010, 01:16 AM
Hi Riebens,

I would like to test and create my own self-signed certificate.

How did you go about creating your own certificate?

Regards, Rupert

NewsArchive
09-09-2010, 01:16 AM
http://www.tech-pro.net/code-signing-for-developers.html

Kind Regards

Ben

NewsArchive
09-09-2010, 01:17 AM
After my apps compile (c7), I have a command that automatically calls the
signing tools and signs the dlls / exes

Ben

NewsArchive
09-09-2010, 01:18 AM
Hi Rupert,

> I would like to test and create my own self-signed certificate.
>
> How did you go about creating your own certificate?

If you don't want to create your own certificate, Ascertia generates FREE
certificates for you. You can even use a fake name and email address to get
access.

http://www.ascertia.com/OnlineCA/default.aspx

But please note that FREE certificates are worthless because they are not
trusted (but you can use it to test the code-sign procedure). WebTrust
companies (Comodo, etc.) do an intensive identity verification before they
issue a trusted code-signing certificate (which works on all Windows
machines).

And DO NOT buy anything from Ascertia because they are not a Microsoft root
certificate program member. The Ascertia Root Certificate Authority is not
pre-initialised and so it's completely worthless.

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910


NewsArchive
09-09-2010, 01:19 AM
And just for fun, the following shows the result of an "untrusted" (e.g.
Ascertia) and a "trusted" (Comodo) code-signed application.

Both files have the "Digital Signatures" tab. But only one file has a valid
and trusted signature. That's the fundamental difference between a trusted
and a (free or cheap) untrusted certificate.

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

SetupBuilder is Windows 7 installation -- "point. click. ship"

-- Official Comodo Code Signing and SSL Certificate Partner
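
The trusted-versus-untrusted comparison in the post above can also be checked from a PowerShell prompt instead of the "Digital Signatures" tab. This is an added example, not part of the original thread or of SetupBuilder; the folder C:\Build\Release is a placeholder, and the script only reads signature status.

```powershell
# Added example: report the Authenticode status of every EXE/DLL in a build folder.
# $BuildDir is a placeholder (assumption); point it at your own output folder.
param(
    [string]$BuildDir = 'C:\Build\Release'
)

$results = Get-ChildItem -Path $BuildDir -Recurse -Include *.exe, *.dll -File |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate   # $null when the file carries no signature

        # Translate the SignatureStatus value into what it means for the file.
        $meaning = switch ($sig.Status) {
            'Valid'        { 'signed; chain ends in a root this machine trusts' }
            'NotSigned'    { 'no signature present' }
            'HashMismatch' { 'file was modified after it was signed' }
            'NotTrusted'   { 'publisher is not trusted on this machine' }
            # A self-generated or test-CA certificate typically lands here
            # (UnknownError), with the chain error in StatusMessage.
            default        { $sig.StatusMessage }
        }

        [pscustomobject]@{
            File    = $_.Name
            Status  = $sig.Status
            Signer  = if ($cert) { $cert.Subject }  else { '' }
            Issuer  = if ($cert) { $cert.Issuer }   else { '' }
            Expires = if ($cert) { $cert.NotAfter } else { $null }
            Meaning = $meaning
        }
    }

$results | Format-List

# A non-zero exit code lets a post-build step fail when any file is not 'Valid'.
$bad = @($results | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) file(s) do not have a valid, trusted signature."
    exit 1
}
```

The status is relative to the root store of the machine running the check: where a self-generated root has been installed as trusted, the same file reports Valid, so run this on a machine without that root to see what a customer's Windows would show.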

NewsArchive
09-09-2010, 01:20 AM
> What we did is implemented the signature files on all the computers as a
> trusted root, so it does not pop that up INTERNALLY.... lol

<G> :)

Friedrich

NewsArchive
09-09-2010, 01:20 AM
Hi Friedrich,

> BTW, SetupBuilder can code-sign your install/uninstall and all your
> application files for you.

Does this mean that when using SetupBuilder, I don't need a certificate at
all?

Regards
Rupert

NewsArchive
09-09-2010, 01:21 AM
Rupert,

>> BTW, SetupBuilder can code-sign your install/uninstall and all your
>> application files for you.
>
> Does this mean that when using SetupBuilder, I don't need a certificate at
> all?

You always need a code-signing certificate if you would like to "sign" your
files. The WebTrust authority does a background check before they issue a
certificate.

SetupBuilder uses your certificate to code-sign the setup.exe (including the
uninstall) and can also code-sign your own application files (.exe, .dll,
etc.) for you.

Without a certificate, you can't provide UAC-compliant (Vista, Windows
Server 2008, Windows 7, Server 7) applications or installations.
SetupBuilder can even help to make your application UAC-aware.

Here is a very brief description of how to make an application and
installation "UAC-aware"

http://www.lindersoft.com/forums/showthread.php?p=49386&#post49386

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910


NewsArchive
09-09-2010, 01:21 AM
> Hi Guys,
>
> I have to Digital Code Sign one of my apps, but never done this before.
>
> Not sure where to start and what will be the easiest, yet most
> cost-effective approach. I've noticed the public code-sign certificates are
> quite expensive, in the region of $200-00 per annum. Is the public
> certificate a requirement?

Rupert,

Friedrich has given you good resources for the process.

I've been through the order process twice now (both 3 year certificates)
through the Lindersoft discount order link:

http://www.lindersoft.com/order_codesigning.htm

And, I have recently updated the CHM version of the App Data UAC Safe blog
with special help topics outlining the Comodo Code Sign Certificate Order
Process (click on blog link, and download link is included in blog)

I give suggestions on how to prepare BEFORE you order - and give the
official Comodo site links regarding key issues in the process.

Product Description - App Data UAC Safe, MFG - Encourager Software
Internet Link - http://profileexchanges.com/blog/?p=120

If you refer to the sources - Friedrich quoted and download Jane Fleming's
PDF or CHM resource - and refer to the help topics I've mentioned - it will
make pre-order - order process and post order use - a lot smoother.

AND, of course, ask the two resident experts - Friedrich and Jane to
clarify any issues that are not clear to you.

David

--
From David Troxell - Encourager Software
Microsoft Forums NNTP Bridge - Instructions to use
http://profileexchanges.com/blog/?p=397

NewsArchive
09-09-2010, 01:22 AM
Rupert,

If you're planning on selling your software commercially and having a demo
on the net for people to download, you need to code sign your app correctly.
Thanks to the advice I get on this newsgroup I bought Setupbuilder, and
eventually got a Comodo certificate. The first one was a hassle because you
actually have to prove who you are. After that it's a bit of a hassle to
recertify, but not as bad.

If you don't have Setupbuilder, you're missing out. We've tried 3 install
programs before Setupbuilder.. and I can say SB is the Clarion of
installation programs. Then you also get the discounted Comodo certificate.

It is nice to know my software is all resourced, manifested, and signed
correctly... so when people install my demo, nasty messages won't appear...
and when these fly by night developers come along to try and compete without
signing their software, it's just one more thing that gives me an advantage.

My 2 cents :)

Ray
VMT Software

NewsArchive
09-09-2010, 01:23 AM
Thanks Ray, Guys,

I will follow this route.

I am used to Godaddy SSL web-certificates and I see they also offer the DCS
certificates, but more expensive than Comodo.

Regards
Rupert

NewsArchive
09-13-2010, 12:58 AM
Do yourself a favor and simply purchase SetupBuilder and get the certificate
thingies through Friedrich. It is a no brainer and is guaranteed to save
you a great deal of time and frustration.

J André Labuschagné

NewsArchive
09-13-2010, 12:59 AM
Andre,

Excellent advice!

What you save with this excellent Code Sign Certificate Deal!

Product Description - Comodo Code Signing Certificate, MFG - Comodo
Internet Link - http://www.lindersoft.com/order_codesigning.htm

Buy this level of SetupBuilder!

Product Description - SetupBuilder Developer, MFG - Lindersoft
Internet Link - http://www.lindersoft.com/products_setupbuilder_dev.htm

All the extra features included at the Developer Edition level will provide
plenty of Setup Tool firepower!

David

--
From David Troxell - Encourager Software

NewsArchive
09-13-2010, 01:00 AM
And of course read all the tips you have put together. We are going to
tackle this in the December recess when most of our clients are on holidays.

J André Labuschagné

NewsArchive
09-14-2010, 01:42 AM
Andre,

Thanks!

However, keep in mind - do the homework (for most, a week or two before)
before you start the process - you can anticipate more and get through the
process more quickly,

and decide beforehand - what makes the best sense for your company to
retrieve the certificate in a format you know how to use.

David

--
From David Troxell - Encourager Software

NewsArchive
09-14-2010, 01:43 AM
Thanks for that David - it sounds horrible but between Friedrich's excellent
product and your advice I am sure we will survive somehow <vbg> In any
event, resistance is futile so we need to take the leap.....

J André Labuschagné