Code Signing Certificates for Delphi Apps

Does anyone have any experience purchasing Code Signing Certificates for Delphi apps? I think I understand the technical process, but when I look at actually purchasing, I get more confused.

I’m looking at Code Signing Certificate Starting at $89.54/yr - The SSL Store™ Australia and there is a big difference in price between the Comodo certs (which are only OV I think) and Digicert (which are EV I think).

EV seems to be a more thorough verification process and gives you instant reputation on MS Smartscreen, but if I’m not doing drivers/hardware, maybe OV is good enough? I’d be using it for installers and the apps themselves. Comodo also seems to cover MacOS signing, but Digicert is less clear.

Anyone been through all this?

Cheers
Malcolm

I decided an OV was sufficient for my needs and bought my certificate from KSoftware.

This is for a Windows only app. I did the signing in FinalBuilder. It is a bit fiddly with timestamping which makes FB ideal to use. There is a blog about if I remember correctly. There is also a discussion about this in the Mail Archive.

1 Like

Hi Malcolm,

Big price difference.

Some antivirus systems didn’t trust non EV certs which can cause some issues. This can be a problem for unattended updaters etc.

Still, there’s no guarantees with EV, but you get better coverage in terms of antivirus security applications.

1 Like

I’ll add a vote for KSoftware as well:

https://www.ksoftware.net/code-signing-certificates/

I’ve used them for an initial code signing certificate and also a renewal - they’re just reselling the Comodo service if I recall correctly. Comodo were a bit difficult about the initial code signing certificate, but I contacted KSoftware and they got the ball rolling quickly after that.

At the time I renewed at least, KSoftware was the cheapest option. The page that you’ve linked to is deceptive with the page title - it doesn’t offer Code signing certificates for anything less than AU$112 per year and I suspect that’s not including GST as well.

1 Like

Yeah, I noticed you had to sign up for many years to get anywhere near that price.

Sounds like KSoftware it is then. Thanks guys

Also, Apple appear to have changed the rules (what a surprise) and don’t accept 3rd party certs anymore. So I guess it’ll be KSoftware AND Apple :slightly_frowning_face:

Very good support from KSoftware – over many years now! - Glenn

1 Like

I’ve used KSoftware for several years as well.
Have always had good service from them.

Lex Edmonds, Microtax Pty Ltd

1 Like

So for those who have used KSoftware, did you go for OV or EV certs?

Cheers

OV seemed suitable for me. I thought that EV was more for driver related software that was run at a deeper level in the OS.

1 Like

I went for OV a few years ago, as that seemed to be all I needed.
However, Microsoft has tightened up a lot this year it seems, making downloads much more problematical.
It’s become a real pain under Windows 10.

So I have started to look at the possibility of upgrading to EV.

Cheers,
Lex

1 Like

What sort of issues have you found? Is it related to specific Windows 10 editions?

None of my customers have reported any issues.

I sign my installs with the simpler (er cheaper) OV certificate from KSoftware.

Apart from showing the certificate in the properties of the file, I have not really noticed any improvement in negotiating the warnings and quarantining etc. from Windows/AV/browsers when a user does the download/install. I still get the unknown publisher warning.

Is this because the setup also needs signing, not just the contents?

I notice KSoftware has some info about building up your MS reputation if you go with an OV cert: What is this "FILE is not commonly downloaded and could harm your computer" message? (SmartScreen) : K Software

2 Likes

Interesting, but sounds like too much work to me.

Lex

I’ve used KSoftware OV certificates for many years… although recently I had a LOT of trouble getting a new certificate (not the fault of KSoftware though).

KSoftware resell Sectigo certificates - and part of purchasing a certificate is proving identity - they basically use the D&B company database to look up your phone number and call it. I closed our office last year so the number no longer existed - this caused a lot of issues - getting D&B to update your details in Australia is practically impossible (unlike for US companies) - and Sectigo were very inflexible when it came to how they will verify identity. I eventually somehow managed to get our D&B entry updated after 2 weeks of emailing and calling every contact I could find for them - the new cert arrived the day before our old one expired :worried:

As for EV certificates - that’s another world of hurt (and :moneybag: :moneybag: :moneybag:). Microsoft requires EV certs for device drivers etc…

Firstly, the key is issued on a physical USB key - which is a major pain if your build server is in a data center in another city - and ours being in a shared cage, I’m not keen to have it plugged into the server for other DC customers to find (mine is a DigiCert one with a bright blue LED on the back that lights up my home office at night!). If you are using a cloud platform then you can’t just buy a physical cert and ship it to them - they do have some certificate features, but most were not very Windows friendly when I looked (a while ago now).

Then there’s the issue with getting virtual machines to see the physical device - Hyper-V server is not great with this.

And then we get to automation. EV keys are designed for User Interaction - they actually want you to type a password in each time they are used. They each have their own client software that needs to be installed - the most common one being SafeNet.

If your build runs under a service, you are sh1t out of luck. If your build runs from the desktop (ie running the FinalBuilder IDE) you can get it to work - however you will have to enter the password at least once in the client software.

I would just stick with an OV certificate if you can (that’s what we are currently using) and avoid the pain of EVs.

I agree with Vincent about the difficulty of proving my identity to Sectigo this year.
I eventually managed to get a Yellow Pages listing, and thankfully Sectigo accepted it.

Lex

I went for an OV in the end. We’re at the verifying phone numbers stage so let’s see what happens.

Thanks all

1 Like

Good luck. Takes a few weeks from memory unless you are lucky.

I used Comodo and then K Software as well. Had a look around and $80/year seemed the cheapest (this was 3.5 years ago). I used to sign with SHA-1 and SHA-256 but lately only the SHA-256. I think it is necessary to find a timestamp to sign the files - I used one in Hawaii.

Also, found that virustotal.com is a great website to check any program/app. Usually virus scanners flag any new app until you add the app name to their list.

1 Like
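Several posts above touch on the mechanics rather than the purchase: signing with SHA-256, needing a timestamp server so the signature outlives the certificate, and the question of whether the setup file needs signing as well as the binaries inside it. The script below is an added example (not code from the thread or from KSoftware/FinalBuilder) showing how a Windows build step does all three with signtool and then audits the output with PowerShell's Get-AuthenticodeSignature. It assumes signtool.exe from the Windows SDK is on PATH, that the OV certificate and its private key are in the current user's certificate store (signtool's /a switch selects the best code-signing certificate automatically), and that the timestamp URL is replaced with the RFC 3161 URL your CA publishes; the URL shown is a placeholder.

```powershell
# Added example: sign a Delphi release (binaries first, then the installer that wraps them)
# with a SHA-256 file digest and an RFC 3161 timestamp, then verify every file.
# Assumptions: signtool.exe on PATH; code-signing cert in the user cert store;
# $TimestampUrl is a placeholder for your CA's RFC 3161 timestamp server.
param(
    [string]$ReleaseDir   = ".\Release",
    [string]$TimestampUrl = "http://timestamp.example-ca.invalid"   # placeholder, not a real server
)

function Invoke-CodeSign {
    param([Parameter(Mandatory)][string]$Path)
    # /fd SHA256 : digest algorithm for the file hash
    # /tr + /td  : RFC 3161 timestamp server and the digest used for the timestamp.
    # The timestamp is what keeps the signature valid after the certificate expires.
    # (A legacy SHA-1 signature could be appended afterwards with /as; not done here.)
    & signtool.exe sign /a /fd SHA256 /tr $TimestampUrl /td SHA256 $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool failed on $Path (exit code $LASTEXITCODE)" }
}

function Test-ReleaseSignatures {
    # Returns one record per file whose signature is missing, invalid, or untimestamped.
    param([Parameter(Mandatory)][string]$Dir)
    $problems = @()
    Get-ChildItem -Path $Dir -Recurse -Include *.exe, *.dll, *.msi | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            $problems += [pscustomobject]@{ File = $_.FullName; Status = $sig.Status }
        } elseif (-not $sig.TimeStamperCertificate) {
            # Signed, but with no countersignature: it will stop validating when the cert expires.
            $problems += [pscustomobject]@{ File = $_.FullName; Status = 'ValidButNoTimestamp' }
        }
    }
    return $problems
}

# 1. Sign the application binaries that the installer will package.
Get-ChildItem -Path $ReleaseDir -Recurse -Include *.exe, *.dll |
    Where-Object { $_.Name -notlike 'Setup*' } |
    ForEach-Object { Invoke-CodeSign -Path $_.FullName }

# 2. Sign the installer itself. The "unknown publisher" prompt refers to whichever file
#    Windows is launching, so an unsigned Setup.exe warns even when its contents are signed.
Get-ChildItem -Path $ReleaseDir -Recurse -Include Setup*.exe, *.msi |
    ForEach-Object { Invoke-CodeSign -Path $_.FullName }

# 3. Fail the build if anything in the release folder is not signed and timestamped.
$issues = Test-ReleaseSignatures -Dir $ReleaseDir
if ($issues) {
    $issues | Format-Table -AutoSize
    exit 1
}
"All files in $ReleaseDir are signed and timestamped."
```

Run it from the build machine after the Delphi compile and installer build, e.g. `.\Sign-Release.ps1 -ReleaseDir .\Output -TimestampUrl <your CA's RFC 3161 URL>`. The verification step is the part worth keeping even if the signing is done elsewhere (FinalBuilder, a CI job): `Get-AuthenticodeSignature` reports `NotSigned`, `HashMismatch` or `UnknownError` for files that slipped through, and the explicit timestamp check catches the case where signing succeeded but the timestamp server was unreachable, which signtool treats as a failure only when `/tr` was specified.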