Windows app certification


bogs
Posts: 5435
Joined: Sat Feb 25, 2017 10:45 pm

Re: Windows app certification

Post by bogs » Sat Jun 26, 2021 8:41 pm

jmk_phd wrote:
Sat Jun 26, 2021 8:23 pm
Yes, I admit to being a lazy wimp in that regard.
What is this "lazy wimp" stuff? Heck, back when I used to program for Win, we used to just distribute a zip file or, if we were feeling really fancy, a self executing zip file!

I send stuff to my wife all the time to run on her Win7 box. Frankly, I don't see the UAC warning as any scarier than what you see on a Mac (a test I ran from another thread in another language), but I can understand you want to keep your users from seeing it.

You're already putting more effort into it than I would; lazy my eye :twisted:

ClipArtGuy
Posts: 253
Joined: Wed Aug 19, 2015 4:29 pm

Re: Windows app certification

Post by ClipArtGuy » Sat Jun 26, 2021 9:32 pm

To be fair, the Windows 10 SmartScreen warnings are much more ominous sounding than the Windows 7 UAC warnings, and also aren't as simple to bypass as clicking "install anyway". The user must click on a small link for "more info" before being given the option to proceed past the warning.

bogs
Posts: 5435
Joined: Sat Feb 25, 2017 10:45 pm

Re: Windows app certification

Post by bogs » Sat Jun 26, 2021 10:07 pm

To be even fairer, my previous post was supposed to be 'funny'. Ha, it was funny to me, anyway :P

jacque
VIP Livecode Opensource Backer
Posts: 7215
Joined: Sat Apr 08, 2006 8:31 pm
Location: Minneapolis MN

Re: Windows app certification

Post by jacque » Sun Jun 27, 2021 5:30 pm

jmk_phd wrote:
Sat Jun 26, 2021 8:23 pm

(1) Do any .dll files -- or even a PDF help file document -- need to be signed along with the standalone?

(2) If a Windows user downloads a .zip file -- or, alternatively, an ISO disk image -- with a folder that contains the signed standalone and these other files, will Windows Defender still issue some scary message or block the download? If so, can either of these be signed?
I've distributed signed Windows apps contained in a zip file and nothing besides the app itself is signed. It seems to work fine.

The primary issue we've found is users trying to run the app from inside the zip folder, which appears on Windows to be an extracted folder but isn't. I'm not sure who in Redmond made that idiotic decision.
Jacqueline Landman Gay | jacque at hyperactivesw dot com
HyperActive Software | http://www.hyperactivesw.com

jmk_phd
Posts: 213
Joined: Sat Apr 15, 2017 8:29 pm

Re: Windows app certification

Post by jmk_phd » Mon Jun 28, 2021 12:21 am

Thanks much for your reply, Jacque!
I've distributed signed Windows apps contained in a zip file and nothing besides the app itself is signed. It seems to work fine.
So I assume this means that Windows Defender will not block a zip file from downloading and not display the "unknown developer" warning.
That's good news.
The primary issue we've found is users trying to run the app from inside the zip folder, which appears on Windows to be an extracted folder but isn't.
I see what you mean. Very odd that they include a Run button next to the Extract button when the .exe is selected.
I'll be sure to include very explicit instructions on my downloads webpage.

jeff k

jmk_phd
Posts: 213
Joined: Sat Apr 15, 2017 8:29 pm

Re: Windows app certification

Post by jmk_phd » Wed Jun 30, 2021 8:15 pm

Hi everyone! As promised, here's the followup on my experience:

I can confirm that the entire procedure -- from purchase to validation to collection to exporting a certificate -- works without a glitch when running IE in Windows 10 via Parallels on a Mac. And K Software's kSign utility is simplicity itself.

When I downloaded the signed .exe from my own website I did get the expected "not commonly downloaded" warning, but after doing the "open anyway" I was able to confirm that it was indeed signed. (Now just a matter of building my "reputation" with SmartScreen by downloading it a zillion times before going public.)

Mitchell at K Software confirmed my suspicion that -- while possible -- distributing an app via .zip is probably not very wise, if only because many folks consider these suspicious. I'd already started looking at two freeware utilities (NCIS and Advanced Installer) to create Windows installers, and he suggested his own favorite (InnoSetup). I'll be using whichever one I can figure out first.

As always, everyone's help has been much appreciated!

jeff k

stam
Posts: 2634
Joined: Sun Jun 04, 2006 9:39 pm
Location: London, UK

Re: Windows app certification

Post by stam » Wed Jun 30, 2021 8:21 pm

Thanks Jeff - very useful. I will be going down this route soon too.

On the matter of installers, let us know how you get on - one of my targets is to deploy to a very locked down Windows environment. Obviously zip will work fine, but I'm concerned that installers may need admin access, which would be a problem for this… let us know how it goes with write permissions and maybe whether these can deploy to writeable locations with user (not admin) permissions?

Thanks for sharing your experience!
Stam
Last edited by stam on Thu Aug 12, 2021 9:23 am, edited 1 time in total.

jmk_phd
Posts: 213
Joined: Sat Apr 15, 2017 8:29 pm

Re: Windows app certification

Post by jmk_phd » Thu Jul 01, 2021 9:00 pm

Stam and all --

After looking at a couple of script-based tools for authoring Windows installers, I decided to try instead the application Advanced Installer

https://www.advancedinstaller.com/

on account of its very friendly graphical interface. It is available in four versions -- each of which includes increasingly advanced features (and correspondingly higher licensing fees). Because most of my apps are freeware, I chose to try building an installer using their free ("Simple Project") option. (No license is required to deploy a "Simple" installer, either for commercial or noncommercial use.)

Once I worked through the documentation, it took less than 10 minutes to create an installer/uninstaller for one of my apps -- just import the project folder, set a few options, then build. I signed the installer with my certificate, uploaded it to my website, then downloaded it back to my computer (Windows 10 running in Parallels on my Mac.) The installer was recognized as from a known developer (although with the expected "uncommonly downloaded" SmartScreen warning). When I ran the installer, it put the folder with my .exe and supporting files into the Windows Application Files (x86) folder, and even created a shortcut on the desktop that displayed my program icon. The "uninstall" option also seemed to work fine.

The only advanced feature not available in the freeware version that I noticed was the inability to customize the graphics in the install/uninstall windows, which display their own logo. But I don't begrudge them this at all, given the features that they've made freely available.

I can't speak to Stam's particular needs -- a search of the extensive documentation might answer this -- but for me the freeware version of Advanced Installer could not have been simpler. (It was a breeze compared to signing/notarizing/stapling a Mac DMG -- although, in fairness, Apple does not employ the annoying "reputation" system that Windows SmartScreen uses to evaluate and approve downloaded files.)

Hope this helps.

jeff k

stam
Posts: 2634
Joined: Sun Jun 04, 2006 9:39 pm
Location: London, UK

Re: Windows app certification

Post by stam » Thu Aug 12, 2021 12:14 am

Following the advice from this forum I too purchased an OV certificate from K Software.

The process was not as straightforward for me as advertised on the forums; for one, I live in a country different from my driving licence, so actually getting my identity proven was a painful process involving notarising my passport and a 'person-to-person' document at extra cost.

Then there's the bizarrely unintuitive process of actually getting the certificate. Basically you have to use Internet Explorer on a Windows box (and only IE) to download it, and then use the 'Internet Options' in IE to view Content -> Certificates and export it from the browser on the machine you used to obtain the certificate. Interestingly, the certificate is not stored, as far as I can see, in the system-wide certificate management system. A far cry from the equivalent method on Mac.

The real friction: after exporting it either as SHA256 or SHA1 with a password, it's simply not possible to use the kSign software, which keeps reporting that the password is incorrect, and I've yet to be able to use kSign to code sign my app.
I opened a couple of support tickets with K Software but zero response so far.

In the end, I contacted Sectigo, the company that actually issues the certificate you buy from K Software, and finally was given advice to instead use the command line tool signtool.exe, which meant I had to download the Windows SDK etc. (because of course it's not included in the default Win10 install) and after much faffing finally got it to code sign my app. Of course, that has had little benefit as the app hasn't been installed widely enough to generate 'reputation' with Microsoft to stop it from warning users this might be dangerous.
You can of course buy reputation by purchasing the significantly more expensive EV certificate. Bit of a racket that...

Questions:
Have people been able to use the kSign app to codesign on Win10? I read somewhere (can't find the source now) that the password function doesn't work with SHA3 certificates on Windows 10, and all SHA1 certificates are expired so they cannot be used on their own. Is there a way to get it to accept a password? Or is it taken as read that people are meant to use signtool.exe instead on Windows 10?

Finally, why are people recommending K Software at all?
They just resell Sectigo's certificates at a profit. Buying a 3-year OV certificate direct from Sectigo is $166, and it's $208 from K Software. Sadly I only found this out well after the event, but I cannot say in any way that I would recommend K Software with the experience I've had so far.

My advice as it stands right now is that people just buy the certificate direct from Sectigo and use signtool.exe to codesign their apps - cheaper, more straightforward, and the support from Sectigo is extremely quick, as opposed to K Software who actually have not even responded once so far...

stam
Posts: 2634
Joined: Sun Jun 04, 2006 9:39 pm
Location: London, UK

Re: Windows app certification

Post by stam » Thu Aug 12, 2021 9:37 am

For what it's worth, if using signtool.exe in the command line to codesign your app with a certificate from Sectigo (which is what you get when you buy from K Software), the command is:

signtool.exe sign /f <path-to-certificate.pfx> /p <PFX password> /fd sha256 /tr http://timestamp.sectigo.com /td sha256 /v <path-to-app.exe>

For certificates purchased elsewhere I think the http://timestamp.sectigo.com varies to reflect the company you purchase the certificate from.
I'll probably just put that in a stack to do it for me automatically and share it on here when I have time.
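An added example (not code from the thread or from K Software) that wraps the signtool command above in a PowerShell script: it batch-signs every .exe and .dll in a build folder with the same /fd, /tr and /td options, then verifies each file with signtool's Authenticode policy (/pa) and with PowerShell's own Get-AuthenticodeSignature, which needs no SDK. It assumes the Windows 10 SDK is installed under Program Files (x86)\Windows Kits and that a PFX_PASSWORD environment variable (a name chosen here) holds the PFX password.

```powershell
# Added example: batch-sign and verify a LiveCode standalone's folder with signtool.exe.
# Assumes the Windows 10 SDK is installed and $env:PFX_PASSWORD (hypothetical name)
# holds the PFX password, so it never appears on the command line or in shell history.
param(
    [Parameter(Mandatory)] [string] $PfxPath,   # exported certificate.pfx
    [Parameter(Mandatory)] [string] $Folder,    # folder holding the built standalone
    [string] $TimestampUrl = 'http://timestamp.sectigo.com'  # change for other CAs
)

$ErrorActionPreference = 'Stop'

# Locate the newest x64 signtool.exe shipped with the Windows SDK.
$signtool = Get-ChildItem "${env:ProgramFiles(x86)}\Windows Kits\10\bin\*\x64\signtool.exe" |
    Sort-Object FullName -Descending | Select-Object -First 1
if (-not $signtool) { throw 'signtool.exe not found; install the Windows 10 SDK.' }

$pfxPassword = $env:PFX_PASSWORD
if (-not $pfxPassword) { throw 'Set PFX_PASSWORD before running this script.' }

$targets = Get-ChildItem -Path $Folder -Recurse -Include *.exe, *.dll
if (-not $targets) { throw "No .exe or .dll files found under $Folder" }

foreach ($file in $targets) {
    # Same options as the command in the post: SHA-256 file digest and an RFC 3161
    # timestamp (SHA-256 digest) so the signature stays valid after the cert expires.
    & $signtool.FullName sign /f $PfxPath /p $pfxPassword /fd sha256 `
        /tr $TimestampUrl /td sha256 /v $file.FullName
    if ($LASTEXITCODE -ne 0) { throw "Signing failed for $($file.Name)" }
}

# Verify with the policy Windows itself applies (/pa = Authenticode policy) and
# again through PowerShell, which also reports whether a timestamp is present.
foreach ($file in $targets) {
    & $signtool.FullName verify /pa /v $file.FullName
    if ($LASTEXITCODE -ne 0) { throw "Verification failed for $($file.Name)" }

    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.Status -ne 'Valid') { throw "$($file.Name): signature status $($sig.Status)" }
    if (-not $sig.TimeStamperCertificate) { Write-Warning "$($file.Name): no timestamp" }
    "{0}: signed by {1}" -f $file.Name, $sig.SignerCertificate.Subject
}
```

Run it as `.\sign-folder.ps1 -PfxPath .\certificate.pfx -Folder .\MyApp` after setting PFX_PASSWORD in the same session; a signature that verifies but lacks a timestamp will stop validating once the certificate expires.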

jmk_phd
Posts: 213
Joined: Sat Apr 15, 2017 8:29 pm

Re: Windows app certification

Post by jmk_phd » Wed Sep 01, 2021 6:27 am

Stam --

Sorry to hear of the hassle you experienced in getting Sectigo to verify your identity (and I thought having to take a selfie holding my drivers license was bad enough). Enrolling in the Apple developers program was painless compared to this.

Apart from that, in answer to your questions:

(1) As regards the cost of an OV license, your comparison was not correct: Last I checked, a 3-year license from Sectigo is $166/year (total $498) whereas a 3-year license through K Software is $69.66/year (total $209). I purchased a one-year OV license ($84) only because I’m not sure how much longer I will be developing software (although I'm paid up with LiveCode to mid-2025).

(2) Although I’m barely able to find my way around MS Windows, I was able to download the signing certificate using IE while running Windows 10 in emulation on my iMac using Parallels. (I’ve been very careful to keep multiple copies of that file across several disks for safe-keeping.)

(3) I have experienced no problem whatsoever in using the kSign utility to sign four different apps. Yes, Microsoft’s arcane “reputation” system is maddening. For example, one of my apps earned “reputation” -- so that no warning whatsoever appeared when downloading -- only to find that when I made a needed fix and signed the updated version, it was back to square one.

(4) BTW, K Software’s Mitchell Vincent shared with me his suspicion that MS may be moving to requiring the EV license -- which provides immediate “reputation” but which may cut out freeware/software developers who are not incorporated.

(5) As regards the password that must be entered in the kSign utility, I’ve experienced no problem whatsoever. (I did write it down in several places when first applying for the certificate, having read warnings that it was absolutely necessary when signing an app.)

(6) I was informed to ignore entirely the SHA1 tab in the kSign utility.

(7) I cannot address any problems you’ve experienced with K Software support. I’ve received prompt replies, and the moderator even followed up with me on his own to inquire whether I was able to make kSign work in Parallels.

Great that the command-line tool worked for you. As a Mac user, I would not have known even how to begin with this.

Best,

jeff k

ksoftware
Posts: 3
Joined: Wed Sep 01, 2021 4:37 pm

Re: Windows app certification

Post by ksoftware » Wed Sep 01, 2021 4:58 pm

Stam - I'm not sure what tickets you've raised but please do email me again at the support address (which I just figured out I'm not allowed to include) and I'll do whatever I can to help. It's possible we've spoken before, I just don't recognize the username here.

As far as the current version of kSign goes - you do have to export the certificate (PFX file) from IE and choose the SHA1 option for the private key encryption in the last step. The certificate algorithm is always SHA256 now, 'real' SHA1 certificates are gone as the majority of SHA1 roots have expired and Microsoft explicitly forbids using them anyway. The reason for the SHA1 private key encryption is that kSign calls out to an older version of Signtool that didn't support anything but SHA1 encryption for the private key (again, that's not the certificate algorithm, it's just the private key encryption). I'm literally compiling a new version of kSign right now and hope to release it soon - it doesn't use signtool at all so that requirement will be gone in the very near future. I am moving away from the browser-based key generation VERY soon as well, so the IE requirement at order time will be gone. It's not technically required now as you're free to generate and submit your own CSR, but that is a pain. I'm writing a utility to help Windows users with that.

As far as the validation goes -- I know, it's tedious. You're probably in the worst possible scenario if you're ordering as an individual from somewhere that doesn't put an address on government-issued IDs (which is more and more common these days, especially through Europe). Code signing certificates are meant to verify a person or company's legal name and location, and if the ID doesn't list an address it is very hard to verify a person's location.

As far as your comments on pricing go - I do resell Sectigo certificates (though technically K Software is a Sub-CA), I've always tried to be the cheapest around to help out fellow developers. I started selling these back in 2004 or so when they cost an enormous amount of money, at least to me at the time, so I made a deal with (then) Comodo to sell to independent developers and such. This was back in the day of the Association of Shareware Professionals. Many started buying and it ended up becoming a significant part of my business over the years. I don't know where you got the pricing you quoted but on Sectigo dot-com right now their OV code signing certificates are $179 for 1 year, $169 per year for a 2 year, and $166 per year for a 3 year. That's significantly more than what I'm selling at right now. Now there *are* several fake lookalike websites out there that have copied Sectigo's logos and pretend to be them, I've known about those guys for years (as have Sectigo), and they basically post fake prices.

That's probably enough for now, I hope to hear from you soon!

Oh, and a BIG thanks to Jeff that emailed me this morning to let me know this thread was here!
Last edited by ksoftware on Wed Sep 01, 2021 7:05 pm, edited 1 time in total.
--
- Mitchell Vincent
- K Software

ksoftware
Posts: 3
Joined: Wed Sep 01, 2021 4:37 pm

Re: Windows app certification

Post by ksoftware » Wed Sep 01, 2021 7:04 pm

Just a quick follow-up. Stam, I was able to find your support ticket after a bit of digging around and I did reply to you on August 12, though I was a day late (I was out of town). Perhaps you didn't see it before posting this as I'm not sure what the time zone difference might be -- I'm replying to that ticket just to make sure.
--
- Mitchell Vincent
- K Software

stam
Posts: 2634
Joined: Sun Jun 04, 2006 9:39 pm
Location: London, UK

Re: Windows app certification

Post by stam » Wed Sep 01, 2021 7:40 pm

ksoftware wrote:
Wed Sep 01, 2021 7:04 pm
Just a quick follow-up. Stam, I was able to find your support ticket after a bit of digging around and I did reply to you on August 12, though I was a day late (I was out of town). Perhaps you didn't see it before posting this as I'm not sure what the time zone difference might be -- I'm replying to that ticket just to make sure.
Dear Mitchell

Sorry if my post came across as harsh.
You probably found my ticket now - for reference this was #40602, opened on 7 Aug 2021.

I'll happily retract one of my previous statements: with respect to the price, I see I was mistaken; I didn't notice that the price quoted by Sectigo was per year :oops: so yes, you do provide very good value for money.

Regarding your other points:
- with respect to using SHA1 certificates as an SHA256 certificate - well, that never crossed my mind, sorry
- having not heard back from you after a few days, I contacted Sectigo directly and they immediately helped me with MS signtool.exe

Admittedly signtool is slightly more of a faff, so if you're compiling a new version of kSign I'll definitely try that. But otherwise I will continue using signtool if there are any problems; it's a faff, but not that much of a faff...

Thank you for commenting on the forum about this
Stam
Last edited by stam on Wed Sep 01, 2021 10:02 pm, edited 1 time in total.

ksoftware
Posts: 3
Joined: Wed Sep 01, 2021 4:37 pm

Re: Windows app certification

Post by ksoftware » Wed Sep 01, 2021 8:17 pm

Stam, no apologies needed at all! I was late replying to you so it's me that needs to apologize. In the future, don't hesitate to call either - the phone always forwards to my mobile and I take calls any time if I can.

FWIW, signtool is 'the' signing utility so if you're using it, by all means continue. I actually use it myself because I automate almost all of my build processes. kSign is really meant to be for those not comfortable using a command-line program and there is no real advantage to it over signtool except perhaps the built-in batch signing function (which is fairly easy to replicate with signtool using Powerscript or even a batch file).

In the end if you're happy and signing, fantastic!
--
- Mitchell Vincent
- K Software
