Signing your Delphi executables with a digital certificate.
Posted by jpluimers on 2014/11/25
Using Delphi build-events (see my post Delphi prebuild/prelink/postbuild events), you can automate the process of signing your Delphi executables with a digital certificate.
Below are the prerequisites and steps for signing Windows executables.
- You have your digital certificate in a PFX file.
(for testing you can use a self-signed certificate; for the real world you want a certificate that chains to a CA).
- You have the Windows SDK installed that provides SignTool.
(in this case, I presume a Windows 7 or 8 x64 machine with the Windows Software Development Kit (SDK) for Windows 8 installed. If not, you have to change the path in the various statements, for instance when using the Windows SDK for Windows 7: Download the Windows SDK for Windows 7 and More | MSDN.)
The post-build event code
You need this SignTool call in your post-build event:
"C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe" sign /f path-to-PFX-file /p password /t time-stamp-server-URL /d "name to sign with" /du URL-to-your-web-site "$(OUTPUTPATH)"
/d and /du are optional; the options go before the file name that is being signed.
Note you can run signtool in wizard style as well, but that is cumbersome in a post-build event.
Passwords and digital certificates
When your EXE is signed, and traced back to a certificate authority, people should be able to trust the EXE really is from you or your company.
That means it is very important to guard the signing process, and make sure other people cannot sign their (potentially malicious) software with your digital certificate.
A big warning is in place here:
Be very careful storing the digital certificate and password used for signing. If they are under version control, make sure few people have access to them, and prevent people from having access to both at the same time unless absolutely necessary.
Security is a serious thing, so this is not the place to elaborate much on security. I’ll mention a few starting points with more information:
- Protecting your Digital Certificate and Private Key.
- How Attackers Steal Private Keys from Digital Certificates | Symantec Connect Community.
- UCSC Digital Certificate Policy.
- Secure Usage of Digital Certificates.
- Certificate, Key, and Trust Services Programming Guide: Certificate, Key, and Trust Services Concepts.
And on what could happen if organizations that deal with certificates get compromised:
- DigiNotar 2011 Issuance of fraudulent certificates – Wikipedia, the free encyclopedia.
- Comodo Group 2011 breach incident – Wikipedia, the free encyclopedia.
If the timestamping server is unavailable, or you do not timestamp at all, you get an error message like this.
Timestamping is done by servers over the internet, which means they might not be available 24×7, so it can be worthwhile to harden the signing script.
There are two protocols that signtool can use for timestamping: Authenticode (with the /t parameter) and RFC 3161 (with the /tr parameter).
Authenticode-compatible URLs:
RFC 3161-compatible URLs:
For more background information read these:
- Trusted timestamping – Wikipedia, the free encyclopedia.
- Time Stamping Authenticode Signatures (Windows).
- SignTool (Windows).
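One way to harden the post-build signing step against timestamp-server outages, as an added example (PowerShell, not code from the original post): it tries each RFC 3161 server in turn, retries with a back-off, and verifies the signature afterwards. The signtool path is the one from the post-build event above; the PFX path, the environment variable name and the timestamp-server URLs are placeholders you replace with your own.

```powershell
# Added example, not part of the original post: hardened signing with
# timestamp-server fallback. Call it from the Delphi post-build event, e.g.
#   powershell -NoProfile -ExecutionPolicy Bypass -File sign-with-retry.ps1 -Target "$(OUTPUTPATH)"
param(
    [Parameter(Mandatory = $true)][string]$Target,
    [string]$SignTool = 'C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe',
    [string]$PfxFile  = 'C:\secure\codesign.pfx',          # placeholder path (assumption)
    # Read the password from the build machine's environment instead of hard-coding it
    [string]$PfxPassword = $env:CODESIGN_PFX_PASSWORD,     # placeholder variable name
    [string[]]$TimestampServers = @(
        'http://RFC3161-TIMESTAMP-SERVER-1/',               # placeholders: use the RFC 3161
        'http://RFC3161-TIMESTAMP-SERVER-2/'                # URLs published by your CA
    ),
    [int]$RetriesPerServer = 2
)
$ErrorActionPreference = 'Stop'
if (-not (Test-Path $Target)) { throw "Target not found: $Target" }
if ([string]::IsNullOrEmpty($PfxPassword)) { throw 'Signing password is not set in the environment' }

foreach ($server in $TimestampServers) {
    for ($attempt = 1; $attempt -le $RetriesPerServer; $attempt++) {
        # /tr selects an RFC 3161 server; /fd and /td choose SHA-256 for file and timestamp digests.
        # Re-running "sign" replaces any earlier signature, so a retry starts clean.
        & $SignTool sign /f $PfxFile /p $PfxPassword /fd sha256 /tr $server /td sha256 $Target
        if ($LASTEXITCODE -eq 0) {
            # Confirm the result chains to a trusted root under the default Authenticode policy
            & $SignTool verify /pa /v $Target
            if ($LASTEXITCODE -eq 0) { Write-Host "Signed and timestamped via $server"; exit 0 }
        }
        Write-Warning "signtool failed (exit $LASTEXITCODE) using $server, attempt $attempt"
        Start-Sleep -Seconds (5 * $attempt)   # back off before the next try
    }
}
# Fail the build loudly rather than shipping an unsigned or untimestamped executable
throw 'Signing failed: no timestamp server responded'
```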
A bit more on PFX files
Often, certificates and keys start as other file pairs and you need to convert them. Two examples:
- .cert with certificate and .pem with key: Convert a CERT/PEM certificate to a PFX certificate – Stack Overflow.
- .cer with certificate and .crt or .pvk with key: c# – How to create .pfx file from .cer certificate and private key – Stack Overflow.
If you want a self-signed PFX file for testing purposes, then read what Roger Lipscombe answered at StackOverflow to security – How do I create a self-signed certificate for code signing on Windows? – Stack Overflow.