Signing your Delphi executables with a digital certificate.
Posted by jpluimers on 2014/11/25
Using Delphi build-events (see my post Delphi prebuild/prelink/postbuild events), you can automate the process of signing your Delphi executables with a digital certificate.
Below are the steps for signing Windows executables.
Prerequisites:
- You have your digital certificate in a PFX file (for testing you can use a self-signed certificate; for the real world you want a certificate that chains to a CA).
- You have the Windows SDK installed that provides SignTool.
(In this case, I presume a Windows 7 or 8 x64 machine with the Windows Software Development Kit (SDK) for Windows 8 installed. If not, you have to change the path in the various statements, for instance when using the older Windows SDK: Download the Windows SDK for Windows 7 and More | MSDN.)
The post-build event code
You need this SignTool call in your post-build event:
"C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe" sign /f path-to-PFX-file /p password /t time-stamp-server-URL "$(OUTPUTPATH)" /d "name to sign with" /du URL-to-your-web-site
/d and /du are optional.
For more examples see Everything you need to know about Authenticode Code Signing – IEInternals – Site Home – MSDN Blogs.
Note you can run signtool in wizard style as well, but that is cumbersome in a post-build event.
Passwords and digital certificates
When your EXE is signed, and the signature can be traced back to a certificate authority, people should be able to trust that the EXE really is from you or your company.
That means it is very important to guard the signing process, and make sure other people cannot sign their (potentially malicious) software with your digital certificate.
A big warning is in place here:
Be very careful storing the digital certificate and password used for signing. If they are under version control, make sure few people have access to it, and prevent people from having access to them at the same time unless absolutely necessary.
Security is a serious thing, so this is not the place to elaborate much on security. I’ll mention a few starting points with more information:
- Protecting your Digital Certificate and Private Key.
- How Attackers Steal Private Keys from Digital Certificates | Symantec Connect Community.
- UCSC Digital Certificate Policy.
- Secure Usage of Digital Certificates.
- Certificate, Key, and Trust Services Programming Guide: Certificate, Key, and Trust Services Concepts.
And on what could happen if organizations that deal with certificates get compromised:
- DigiNotar 2011 Issuance of fraudulent certificates – Wikipedia, the free encyclopedia.
- Comodo Group 2011 breach incident – Wikipedia, the free encyclopedia.
Timestamping
If the timestamping server is unavailable, or you do not timestamp at all, you get an error message like this.
The timestamping is done by servers over the internet, which means they might not be available 24×7, so it can be worthwhile to harden the signing script.
User flobadob – Stack Overflow gave a good example of that in timestamp – Alternative timestamping services for authenticode – Stack Overflow.
There are 2 protocols that signtool can use for timestamping: Authenticode (with the /t parameter) and RFC3161 (with the /tr parameter).
Authenticode compatible URLs:
- http://timestamp.comodoca.com/authenticode
- http://timestamp.verisign.com/scripts/timstamp.dll
- http://timestamp.globalsign.com/scripts/timestamp.dll
- http://tsa.starfieldtech.com
- http://timestamp.digicert.com
RFC3161 compatible URLs:
- http://timestamp.comodoca.com/rfc3161
- http://tsa.starfieldtech.com
- http://services.globaltrustfinder.com/adss/tsa
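As an added example (not code from the original post), the script below combines the two hardening points above: it keeps the PFX password out of the project file by selecting the certificate from the Windows certificate store by thumbprint instead of /f and /p, and it retries the RFC 3161 timestamp across the servers listed above instead of failing the build on the first unreachable one. It is called from the post-build event rather than pasted into it. The thumbprint, the script name, the $(PROJECTDIR) macro and the retry count are assumptions for illustration; the signtool path and the timestamp URLs are the ones from this post.

```batch
@echo off
rem sign-and-timestamp.cmd (hypothetical name) - call it from the Delphi post-build event as:
rem   call "$(PROJECTDIR)\sign-and-timestamp.cmd" "$(OUTPUTPATH)"
rem Assumption (not from the original post): the signing certificate has been imported into
rem the current user's certificate store, so it is selected by SHA-1 thumbprint (/sha1) and
rem no PFX password has to live in the .dproj or in version control.
setlocal EnableDelayedExpansion

set "SIGNTOOL=C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe"
rem Placeholder thumbprint: replace with the SHA-1 of your own certificate.
set "CERT_THUMBPRINT=0000000000000000000000000000000000000000"
set "TARGET=%~1"
set "MAX_ROUNDS=3"

if "%TARGET%"=="" (
  echo Usage: %~nx0 path-to-exe
  exit /b 2
)

rem RFC 3161 timestamp servers from the post, tried in order until one answers.
set "TSA_LIST=http://timestamp.comodoca.com/rfc3161 http://tsa.starfieldtech.com http://services.globaltrustfinder.com/adss/tsa"

rem Step 1: sign without a timestamp. If this fails, the certificate or the file is the
rem problem, not the network, so fail the build immediately.
"%SIGNTOOL%" sign /sha1 %CERT_THUMBPRINT% /fd sha256 /v "%TARGET%"
if errorlevel 1 (
  echo Signing failed, aborting build.
  exit /b 1
)

rem Step 2: add an RFC 3161 timestamp, cycling through the servers up to MAX_ROUNDS times.
set "STAMPED=0"
for /l %%r in (1,1,%MAX_ROUNDS%) do (
  if !STAMPED!==0 (
    for %%t in (%TSA_LIST%) do (
      if !STAMPED!==0 (
        echo Round %%r: timestamping with %%t
        "%SIGNTOOL%" timestamp /tr %%t /td sha256 "%TARGET%"
        if not errorlevel 1 set "STAMPED=1"
      )
    )
  )
)

if %STAMPED%==0 (
  echo No timestamp server answered in %MAX_ROUNDS% rounds. Failing the build, because an untimestamped signature stops validating once the certificate expires.
  exit /b 1
)

rem Step 3: verify the result the way Windows will: default Authenticode policy, verbose output.
"%SIGNTOOL%" verify /pa /v "%TARGET%"
if errorlevel 1 (
  echo Signature verification failed.
  exit /b 1
)

echo Signed, timestamped and verified: %TARGET%
endlocal
exit /b 0
```

Signing and timestamping are done as two separate signtool calls on purpose: a failed timestamp then leaves a signed but untimestamped file behind that the script can retry on, and the final verify step catches a build that would otherwise ship an unstamped binary. If you sign on a CI server instead of a developer machine (as suggested in the comments below), the same script works there, with the certificate imported only into the build account's store.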
For more background information read these:
- Trusted timestamping – Wikipedia, the free encyclopedia.
- Time Stamping Authenticode Signatures (Windows).
- SignTool (Windows).
A bit more on PFX files
Often, certificates and keys start as other file pairs and you need to convert them. Two examples:
- .cert with certificate and .pem with key: Convert a CERT/PEM certificate to a PFX certificate – Stack Overflow.
- .cer with certificate and .crt or .pvk with key: c# – How to create .pfx file from .cer certificate and private key – Stack Overflow.
If you want a self-signed PFX file for testing purposes, then read what Roger Lipscombe answered at StackOverflow to security – How do I create a self-signed certificate for code signing on Windows? – Stack Overflow.
–jeroen
PS: In June 2017, an interesting follow up thread was at [WayBack] How to use a code signing certificate with Delphi application? I need the best reputation with Microsoft Smartscreen Filter… – Mauro Botta – Google+
Delphi Boot Camp Day 2 - Getting to Know the Delphi Language - Blog - Developer Tools - IDERA Community said
[…] A: https://wiert.me/2014/11/25/signing-your-delphi-executables-with-a-digital-certificate/ […]
Robert Love (@DelphiDev) said
We sign our Applications during our ContinuaCI process only. This allows us to control which machines and/or people have access to the signed cert. It also prevents developers from distributing a signed copy of the code that may or may not have been committed to version control.
jpluimers said
Thanks for this addition. I wrote this post before digging into continuous integration/delivery. If you have that in place, it is the best place to add signing.
Another thing I forgot in the post is to ensure you have a secure process in place that updates signing certificates that are about to expire.