Discussions related to Visual Prolog
drspro2
VIP Member
Posts: 97
Joined: 28 Apr 2006 12:03

windows installers exes certificates

Post by drspro2

As far as I can understand, there is a Microsoft signtool.exe through which you can certify any exe file that you have, on the command line.

You would have to take a webserver certificate .cert file and the webserver key file, and with both you can generate a new .PFX file (on the command line with openssl in the Apache webserver).

With this .PFX file you can put a certificate on your installer exe package so that Windows and also other scanners will treat it as valid.

I have tried it myself, but signtool.exe doesn't accept my .PFX file. But as far as I understand it, everything should work in this way.

It could be a very good way for Prolog exe programs and installers to be treated as valid and accepted in Windows?
Thomas Linder Puls
VIP Member
Posts: 1401
Joined: 28 Feb 2000 0:01

Re: windows installers exes certificates

Post by Thomas Linder Puls

I'm not sure if this is a question, suggestion or something else?

But I can tell that we sign all exe, dll and installer files. We sign using the mentioned signtool.exe, which is part of the Windows SDK.

To sign you will need a certificate. You can create a certificate yourself, but such a self-created certificate is not trusted by anyone and therefore not really useful (except for development purposes).

The alternative is to purchase a trusted certificate which requires that you document your identity (and pay). With such a certificate you will get the blue version of the "requires administrative rights" dialog instead of the yellow one.

The sign process creates a hash of the file to sign; this hash is the thing that is actually signed. The signed hash, the public part of the certificate and optionally a timestamp are then attached to the file. The hash ensures that the file is intact/untampered, and the signature ensures that it is signed by someone with access to the private part of the certificate.

The thing about "who has access to the certificate" has, however, recently caused an additional complication. Trusted certificates can now only be delivered in a special form that is tailored to a specific hardware security module (HSM). To my knowledge such devices currently only exist in two price categories: a YubiKey at something like €80-100, and network solutions starting somewhere around €20,000; and then there are some possibilities with cloud signing.

The YubiKey is for one-person usage: you have the certificate on a USB thing and have to enter a PIN code each time you sign something.

The network solutions are, for 20,000 obvious reasons, for professional usage. Time will show if someone fills the price gap.
Regards Thomas Linder Puls
PDC
drspro2
VIP Member
Posts: 97
Joined: 28 Apr 2006 12:03

Re: windows installers exes certificates

Post by drspro2

It was a question for anyone who has experience with the same process; I can't get signtool to accept my PFX file, and I can't find out why.

My question:
Can signtool accept only one .PFX file and successfully sign an executable with that?

I have my server's webserver certificate and key file, and Apache OpenSSL can create a PFX file from the two files.


As Prolog developers of exe files for the Microsoft platform, we all have to deal with this subject, I assume.

Would it be advisable to sign the VP project exe too, or only the installer package?


It would be very nice to have tools for it, and indeed very nice if it can assure that the distributed exe is unchanged, with a checksum.

Do we already have a Visual Prolog installer creator? We could use Nullsoft NSIS and let Prolog generate the NSIS installer script text files.
Thomas Linder Puls
VIP Member
Posts: 1401
Joined: 28 Feb 2000 0:01

Re: windows installers exes certificates

Post by Thomas Linder Puls

I have never used a pfx file directly, because we don't want the pfx file "floating" around here and there.

Instead I have installed the file in my personal certificate store (the one you see in the image is actually on a YubiKey, because, as mentioned above, you can no longer get it in a pfx file).

There are several ways to locate/choose the certificate to use, but to be absolutely certain that you sign using the correct certificate you can use the "thumbprint"/SHA1 hash:
>signtool sign -v -sha1 2de4ba0a4642ee725655fc3325fcf170641138ea -fd sha256 -td sha256 -tr http://timestamp.digicert.com ttt.ps1
The following certificate was selected:
Issued to: PDC A/S
Issued by: Sectigo Public Code Signing CA E36
Expires: Fri Nov 29 00:59:59 2024
SHA1 hash: 2DE4BA0A4642EE725655FC3325FCF170641138EA

Done Adding Additional Store
Successfully signed: ttt.ps1

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
Attachments: certificate.png (User Certificate Management), thumbprint.png (Certificate Thumbprint)
Regards Thomas Linder Puls
PDC
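An added example, not from the thread and not PDC's own script, covering both the signing process described in the first reply (hash, signature, certificate, timestamp) and the thumbprint-based command shown above: a PowerShell function that checks the certificate in Cert:\CurrentUser\My before calling signtool, signs with /sha1, /fd SHA256, /td SHA256 and an RFC 3161 timestamp, and then verifies the result. The thumbprint, the file name and the function name Invoke-SignAndVerify are placeholders/assumptions; signtool.exe from the Windows SDK is assumed to be on PATH; the timestamp URL is the one used in the post.

```powershell
# Added example (not from the thread, not PDC's script): sign a file with the certificate
# chosen by thumbprint, as in the command above, and verify the result.
# Assumptions: signtool.exe (Windows SDK) is on PATH; the thumbprint and file name are
# placeholders; the timestamp URL is the one used in the post.
function Invoke-SignAndVerify {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$File,
        [string]$TimestampUrl = "http://timestamp.digicert.com"
    )

    # A thumbprint copied from the certificate dialog may contain spaces or
    # non-printing characters; reduce it to bare upper-case hex.
    $Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # 1. Check the certificate in the user store before calling signtool, so a failure
    #    is explained rather than reported as "0 certs were left".
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        throw "No certificate with thumbprint $Thumbprint in Cert:\CurrentUser\My (signtool's Hash filter would leave 0 certs)"
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate found but it has no associated private key (signtool's Private Key filter would leave 0 certs)"
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate expired on $($cert.NotAfter); signatures timestamped before then stay valid, but new ones cannot be made"
    }

    # 2. Sign: SHA-256 file digest (/fd), RFC 3161 timestamp (/tr) with SHA-256 digest (/td).
    #    The timestamp is what keeps the signature valid after the certificate expires.
    & signtool sign /v /sha1 $Thumbprint /fd SHA256 /td SHA256 /tr $TimestampUrl $File
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

    # 3. Verify under the default Authenticode policy (/pa) and show what Windows sees.
    & signtool verify /pa /v $File
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

    $sig = Get-AuthenticodeSignature -FilePath $File
    [pscustomobject]@{
        File        = $File
        Status      = $sig.Status            # "Valid" for a good signature
        Signer      = $sig.SignerCertificate.Subject
        Timestamper = $sig.TimeStamperCertificate.Subject
    }
}

# Usage (placeholders):
Invoke-SignAndVerify -Thumbprint "0000000000000000000000000000000000000000" -File ".\MyInstaller.exe"
```

Run it once per exe, dll and installer, signing the inner exe and dll files before the installer, because the installer's hash covers whatever it embeds. The /pa switch verifies with the default Authenticode policy, which is the check Windows applies when it decides which elevation dialog to show.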
drspro2
VIP Member
Posts: 97
Joined: 28 Apr 2006 12:03

Re: windows installers exes certificates

Post by drspro2

So to have only the server certificate in the local Windows certificate store is/should be enough?

I have tried to do exactly the same as you describe: I imported my certificate in the local store application and I performed the same command line, but with the hash for my certificate found in the fingerprint as you describe. Still it doesn't accept it, with this answer:

***
After Hash filter, 0 certs were left.
After Private Key filter, 0 certs were left.

Thank you for your information.
Thomas Linder Puls
VIP Member
Posts: 1401
Joined: 28 Feb 2000 0:01

Re: windows installers exes certificates

Post by Thomas Linder Puls

What do you mean by "Server-certificate"?

Perhaps your certificate is not of the right type.

If you look at the image from my "User Certificate Manager" you will see that the "Intended purpose" of my certificate is "Code Signing".

Try this command (for this purpose it doesn't matter whether the file exists):

signtool sign -debug -v -a -fd sha256 ttt.ps1
It will list all the certificates that it considers, which of them are suitable for code signing and finally (if the file does exist) which one it chooses.
Regards Thomas Linder Puls
PDC
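An added example, not from the thread, for reading the filter output that signtool -debug prints: a PowerShell script that walks Cert:\CurrentUser\My and reports, for each certificate, the properties signtool filters on (thumbprint match, private key present, Code Signing EKU, expiry, chain trust), then walks the same filters for one thumbprint so you can see where it drops out. The thumbprint and the function names are placeholders; the filter order is an approximation of what signtool reports, not taken from its code; the EKU OIDs are the standard id-kp-codeSigning and id-kp-serverAuth values.

```powershell
# Added example (not from the thread): report why a certificate in the user store
# would or would not survive signtool's selection filters.
# Assumptions: the thumbprint is a placeholder; the filter order approximates what
# signtool prints with -debug and is not taken from its source.
$CodeSigningEku = "1.3.6.1.5.5.7.3.3"   # id-kp-codeSigning
$ServerAuthEku  = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, what a web-server certificate carries

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-CodeSigningCandidate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekus = Get-EkuOids -Cert $Cert
    [pscustomobject]@{
        Thumbprint     = $Cert.Thumbprint
        Subject        = $Cert.Subject
        HasPrivateKey  = $Cert.HasPrivateKey                 # "Private Key filter"
        CodeSigningEku = ($ekus -contains $CodeSigningEku)   # "EKU filter" (applied with -a)
        ServerAuthOnly = ($ekus -contains $ServerAuthEku) -and -not ($ekus -contains $CodeSigningEku)
        Expired        = ($Cert.NotAfter -lt (Get-Date))     # "Expiry filter" (applied with -a)
        ChainTrusted   = $Cert.Verify()                      # chain builds to a trusted root on this machine
    }
}

$report = @(Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object { Test-CodeSigningCandidate -Cert $_ })
$report | Format-Table -AutoSize

# Walk the filters for one thumbprint. Zero left after the Hash filter means the
# thumbprint is not in the store signtool searched (CurrentUser\My unless /s or /sm
# is given); a thumbprint copied from the certificate dialog may contain spaces or
# non-printing characters, so it is normalised to bare upper-case hex first.
$Thumbprint = "0000000000000000000000000000000000000000"   # placeholder, replace with your own
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

$left = @($report | Where-Object { $_.Thumbprint -eq $Thumbprint })
"After Hash filter, $($left.Count) certs were left."
$left = @($left | Where-Object { $_.HasPrivateKey })
"After Private Key filter, $($left.Count) certs were left."
$left = @($left | Where-Object { $_.CodeSigningEku -and -not $_.Expired })
"After EKU and expiry filter, $($left.Count) certs were left."

if ($left.Count -eq 0 -and ($report | Where-Object { $_.Thumbprint -eq $Thumbprint -and $_.ServerAuthOnly })) {
    Write-Warning "That certificate is a TLS server certificate (serverAuth EKU only). signtool -a will not select it, and the Authenticode check requires the Code Signing EKU."
}
```

The two numbers in the post above (0 after the Hash filter, 0 after the Private Key filter) are exactly what this walk prints when the thumbprint is not found in CurrentUser\My; if the thumbprint matches but the count drops at the Private Key step, the import brought in the certificate without its key. The ServerAuthOnly column is the case to look at when the certificate was issued for a web server.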
drspro2
VIP Member
Posts: 97
Joined: 28 Apr 2006 12:03

Re: windows installers exes certificates

Post by drspro2

Thomas, thank you for the extended information. I will try it later.