The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Signing your Delphi executables with a digital certificate.

Posted by jpluimers on 2014/11/25

Using Delphi build events (see my post Delphi prebuild/prelink/postbuild events), you can automate signing your Delphi executables with a digital certificate.

Below are the steps for signing Windows executables.

Prerequisites:

  1. You have your digital certificate in a PFX file.
    (For testing you can use a self-signed certificate; for the real world you want a certificate that chains to a CA.)
  2. You have a Windows SDK installed that provides SignTool.
    (Here I presume a Windows 7 or 8 x64 machine with the Windows Software Development Kit (SDK) for Windows 8 installed. If your setup differs, change the path in the various statements, for instance when using the Windows SDK: Download the Windows SDK for Windows 7 and More | MSDN.)

The post-build event code

You need this SignTool call in your post-build event:

"C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe" sign /f path-to-PFX-file /p password /t time-stamp-server-URL "$(OUTPUTPATH)" /d "name to sign with" /du URL-to-your-web-site

/d (the description) and /du (the description URL) are optional.

For more examples see Everything you need to know about Authenticode Code Signing – IEInternals – Site Home – MSDN Blogs.

Note you can run signtool in wizard style as well, but that is cumbersome in a post-build event.

Passwords and digital certificates

When your EXE is signed and its certificate traces back to a certificate authority, people should be able to trust that the EXE really is from you or your company.

That means it is very important to guard the signing process and make sure other people cannot sign their (potentially malicious) software with your digital certificate.

A big warning is in place here:

Be very careful storing the digital certificate and the password used for signing. If they are under version control, make sure few people have access to them, and avoid anyone having access to both the certificate and the password at the same time unless absolutely necessary.

Security is a serious thing, so this is not the place to elaborate much on security. I’ll mention a few starting points with more information:

And on what could happen if organizations that deal with certificates get compromised:

Timestamping

If the timestamping server is unavailable, or you do not timestamp at all, you get an error message like this.

Timestamping is done by servers over the internet, which means they might not be available 24×7, so it can be worthwhile to harden the signing script.

User flobadob on Stack Overflow gave a good example of that in Alternative timestamping services for authenticode – Stack Overflow.

There are 2 protocols that signtool can use for timestamping: Authenticode (with the /t parameter) and RFC3161 (with the /tr parameter).

Authenticode compatible URLs:

RFC3161 compatible URLs:

For more background information read these:
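A hardened post-build script that ties the points above together (the signtool call, keeping the PFX path and password out of the project file, and retrying timestamp servers), as an added example that is not code from the original post. It assumes the Windows 8 SDK path used above, two hypothetical environment variables CODESIGN_PFX and CODESIGN_PASSWORD set on the build machine, and placeholder timestamp hosts (*.example.invalid) that you replace with URLs from the lists this post links to. It signs first without a timestamp, then adds the timestamp with the separate signtool timestamp command, which keeps local failures (certificate, password, path) apart from network failures, and finishes with signtool verify so a broken signature fails the build instead of shipping.

```batch
@echo off
setlocal
rem sign-postbuild.cmd (added example, not code from the original post).
rem Call it from the Delphi post-build event with the full path to this script
rem and "$(OUTPUTPATH)" as its only argument.
rem Assumptions: the Windows 8 SDK path below; CODESIGN_PFX (path to the PFX) and
rem CODESIGN_PASSWORD are set in the build machine's environment, so neither
rem appears in the .dproj or in version control.

set "SIGNTOOL=C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe"
set "TARGET=%~1"
set "APP_NAME=My Application"
set "APP_URL=https://www.example.com/"

rem Placeholder timestamp servers (hypothetical hosts): replace with real URLs.
rem RFC 3161 servers are used with /tr, Authenticode-style servers with /t.
set "RFC3161_SERVERS=http://rfc3161-tsa-1.example.invalid/ http://rfc3161-tsa-2.example.invalid/"
set "AUTHENTICODE_SERVERS=http://authenticode-tsa.example.invalid/"

if "%TARGET%"=="" (
  echo Usage: %~nx0 path-to-exe
  exit /b 2
)
if not defined CODESIGN_PFX (
  echo CODESIGN_PFX is not set; refusing to sign.
  exit /b 3
)
if not defined CODESIGN_PASSWORD (
  echo CODESIGN_PASSWORD is not set; refusing to sign.
  exit /b 3
)
if not exist "%SIGNTOOL%" (
  echo signtool.exe not found at "%SIGNTOOL%"; adjust the path for your SDK.
  exit /b 3
)

rem Step 1: sign without a timestamp. This needs no network, so a failure here is
rem local (wrong PFX path, wrong password, file still locked by the compiler, ...).
"%SIGNTOOL%" sign /f "%CODESIGN_PFX%" /p "%CODESIGN_PASSWORD%" /d "%APP_NAME%" /du "%APP_URL%" "%TARGET%"
if errorlevel 1 (
  echo Signing failed; see the signtool output above.
  exit /b 1
)

rem Step 2: add the timestamp to the existing signature, trying each server in turn.
rem The first server that answers wins; execution falls through if all of them fail.
for %%S in (%RFC3161_SERVERS%) do (
  "%SIGNTOOL%" timestamp /tr %%S /td sha256 "%TARGET%" && goto :verify
)
for %%S in (%AUTHENTICODE_SERVERS%) do (
  "%SIGNTOOL%" timestamp /t %%S "%TARGET%" && goto :verify
)
echo All timestamp servers failed. The file is signed but not timestamped, so its
echo signature stops validating once the certificate expires. Failing the build.
exit /b 1

:verify
rem Step 3: verify with the default Authenticode policy: the certificate must chain
rem to a trusted root and the file hash must still match; /v also shows the timestamp.
"%SIGNTOOL%" verify /pa /v "%TARGET%"
if errorlevel 1 (
  echo Verification failed.
  exit /b 1
)
echo Signed, timestamped and verified: "%TARGET%"
exit /b 0
```

Two caveats when using this. With a self-signed test certificate the verify step fails unless the test root is trusted on the build machine, so either import that root for test builds or skip step 3 there. And /p still puts the password on the signtool command line, where anyone who can list processes on the build host can read it; the environment variables keep the secret out of the repository and the project file, not out of the build host itself, which is one more reason to sign only on a controlled build machine.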

A bit more on PFX files

Often, certificates and keys start as other file pairs and you need to convert them. Two examples:

If you want a self-signed PFX file for testing purposes, then read what Roger Lipscombe answered at StackOverflow to security – How do I create a self-signed certificate for code signing on Windows? – Stack Overflow.
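Two conversions into a PFX that signtool can use, as an added example that is not code from the original post (the post's own two examples are not reproduced here). It assumes openssl.exe and the Windows SDK's pvk2pfx.exe are on PATH, hypothetical input file names, and an environment variable PFX_PASSWORD holding the export password so it is never written into the script or the shell history. The first conversion starts from a PEM certificate and key plus the CA chain, the second from the older Microsoft .pvk/.spc pair, and a final step lists what ended up in the PFX.

```batch
@echo off
setlocal
rem make-pfx.cmd (added example, not code from the original post).
rem Assumptions: openssl.exe and pvk2pfx.exe on PATH; input file names are
rem hypothetical; PFX_PASSWORD holds the export password.

if not defined PFX_PASSWORD (
  echo PFX_PASSWORD is not set.
  exit /b 3
)

rem Starting point 1: a PEM certificate plus PEM private key, as most CAs and OpenSSL deliver them.
rem -certfile adds the intermediate CA certificates so the PFX carries the full chain;
rem -passout env:PFX_PASSWORD reads the export password from the environment variable.
openssl pkcs12 -export -in codesign-cert.pem -inkey codesign-key.pem -certfile ca-chain.pem -name "Code signing" -out codesign.pfx -passout env:PFX_PASSWORD
if errorlevel 1 exit /b 1

rem Starting point 2: the older Microsoft pair of a .pvk private key and a .spc certificate
rem (what makecert produces). -pi is the password on the .pvk, -po the password for the
rem new PFX; this example assumes both are the same value.
if exist codesign.pvk (
  pvk2pfx -pvk codesign.pvk -pi "%PFX_PASSWORD%" -spc codesign.spc -pfx codesign-from-pvk.pfx -po "%PFX_PASSWORD%" -f
  if errorlevel 1 exit /b 1
)

rem Sanity check: list the certificates in the PFX (subject, issuer, friendly name)
rem without printing the private key; fails if the password does not open the file.
openssl pkcs12 -in codesign.pfx -info -nokeys -passin env:PFX_PASSWORD
if errorlevel 1 exit /b 1
echo codesign.pfx is ready for: signtool sign /f codesign.pfx ...
exit /b 0
```

Including the chain with -certfile matters for the signing step: signtool embeds the certificates it finds in the PFX into the signature, so a PFX without the intermediates produces signatures that only validate on machines that already have those intermediates cached.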

–jeroen

2 Responses to “Signing your Delphi executables with a digital certificate.”

  1. We sign our Applications during our ContinuaCI process only. This allows us to control which machines and/or people have access to the signed cert. It also prevents a developer from distributing a signed copy of the code that may or may not have been committed to version control.

    • jpluimers said

      Thanks for this addition. I wrote this post before digging into continuous integration/delivery. If you have that in place, it is the best place to add signing.

      Another thing I forgot in the post is to ensure you have a secure process in place that updates signing certificates that are about to expire.
