Microsoft Trusted Code Signing (Friedrich) (it works!)

Friedrich seems to have enjoyed his nap :wink:
and has been back - posting on the newsgroups and on his forum.

Latest post is about a code-signing technology of which I hadn’t heard - Microsoft Trusted Code Signing. Apparently starts at $10 per month and bypasses Sectigo and the other rapacious barons of the authenticode universe.

6 Likes

My head hurts.
I’m too old for this.
And am very grateful for a Millennial coworker who patiently spent several hours with me as we tried to figure out Entra users and external users and roles, meaningless (to normal people) error messages, user interface (when do you select, when do you double-click), and other bits and pieces.

Downloaded the newest signtool and other required goodies: Set up signing integrations to use Trusted Signing | Microsoft Learn

And finally was able to make a batch file to sign an app.

You’ll note that the code-sign certificate is only valid for 3 days. (Auto-extend, analogous to Let’s Encrypt.) Which makes time-stamp obligatory.

But I have a signed .EXE and no dongle and didn’t have to put in a bunch of tickets to Comodo. So life is good…

3 Likes

Maybe a clarionLive webinar to explain to the rest of us mere mortals WTF goes on? :slight_smile:

1 Like

@Sean Yeah. I’d watch that!

BTW… pic of same exe signed yesterday showing that the certificate’s rolling 3-day window has rolled.

I actually got it to work too
knock me over with a feather

I had a batch file I wrote with some documentation inside of it posted here.
I have moved it to the end of the opening post on this thread:
Microsoft Trusted Code Signing - Steps to set it up - ClarionHub

To sign your SetupBuilder Installer,
where [CodeSignFolder] is the absolute path to the CallCodeSign.cmd file;
the .cmd expects the other tools to be installed below it.

3 Likes

The essence of our batch files is the same, Mark. Mine reflects my laziness and simplicity.

"c:\signtool\signtool.exe" sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "c:\signtool\bin\x64\Azure.CodeSigning.Dlib.dll" /dmdf "c:\signtool\metadata.json"   %1

Glad you got it working!
My unfamiliarity with Azure, what’s called what, and what’s put where resulted in several head-bangings. But once it’s set up, it’s been working fine and I just add the batch file to the after-build stuff in the IDE so it gets signed each time I rebuild an EXE (which is what I previously did with the purchased PFX).

Yeah, my unfamiliarity with Azure led to quite a bit of trial and error - mainly error.

Hi Mark,

in the new SetupBuilder 2025, Trusted Code Signing is a built-in feature and it also (automatically) code-signs your uninstaller.

Your method only signs the installer.

Friedrich

2 Likes

BTW, I’ll make a first SetupBuilder 2025 release available on February 6, 2025.

It provides built-in support for OV/EV USB crypto-token, OV/EV cloud and Microsoft Trusted Signing technology.

Friedrich

4 Likes

@Lindersoft I’m so happy to hear that the initial release of SetupBuilder 2025 is right around the corner. :partying_face: :partying_face: :partying_face:

I had not thought about the uninstaller. I’m not too concerned about it, but I’m curious if there is a way for me to sign the uninstaller with the pre-2025 version of SetupBuilder (using Microsoft’s Trusted Signing).


With respect to the #run:

  • I found that I was required to use an absolute path for the command
    • (which was not in a folder listed in my PATH environment variable)
  • I also was required to add the extension (.cmd in this case)
  • I thought that just having the Default Directory would be enough to point the folder in question,
    • but that did not help either.
  • I have yet to figure out how to successfully pass a list of parameters where each parameter is a file enclosed in double quotes, where the values are built using variables
    • ex: “[Var1]\This File” “[Var2]\That File” “[Var2][Var3]\The other file”
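As an added example (not Mark’s CallCodeSign.cmd or Carlos’s one-liner from this thread), here is a .cmd that takes any number of double-quoted file paths, signs each through the Trusted Signing dlib with the Microsoft timestamp server (which the 3-day certificate makes mandatory), and then verifies each signature so a silent failure does not ship. It assumes the layout Mark describes: signtool.exe, the dlib and metadata.json sit below the script’s own folder; those paths are assumptions, adjust them to your install.

```batch
@echo off
setlocal
rem CallCodeSign.cmd - added example, not the thread's own batch file.
rem Assumed layout: this script, signtool.exe, bin\x64\Azure.CodeSigning.Dlib.dll
rem and metadata.json (your Trusted Signing account metadata) live together.
set "SIGNTOOL=%~dp0signtool.exe"
set "DLIB=%~dp0bin\x64\Azure.CodeSigning.Dlib.dll"
set "MDF=%~dp0metadata.json"
set "TSA=http://timestamp.acs.microsoft.com"

if "%~1"=="" (
    echo Usage: %~nx0 "path\to\file1.exe" ["path\to\file2.exe" ...]
    exit /b 2
)
rem Fail early if any tool is missing instead of producing an unsigned build.
for %%T in ("%SIGNTOOL%" "%DLIB%" "%MDF%") do if not exist "%%~T" (
    echo Missing: %%~T
    exit /b 3
)

set FAILED=0
:next
if "%~1"=="" goto done
rem %~1 strips the caller's quotes; re-quoting keeps paths with spaces intact.
"%SIGNTOOL%" sign /fd SHA256 /tr "%TSA%" /td SHA256 /dlib "%DLIB%" /dmdf "%MDF%" "%~1"
if errorlevel 1 (
    echo FAILED to sign "%~1"
    set FAILED=1
) else (
    rem /pa = default Authenticode policy; the timestamp lets the signature stay
    rem valid after the short-lived certificate's 3-day window has passed.
    "%SIGNTOOL%" verify /pa /v "%~1" >nul
    if errorlevel 1 (
        echo Signature on "%~1" did not verify
        set FAILED=1
    )
)
shift
goto next

:done
endlocal & exit /b %FAILED%
```

Because the script returns a non-zero exit code when any sign or verify step fails, a post-build step or a SetupBuilder #run with the "Process after script compilation" option can stop on a bad signature instead of shipping an unsigned or unverifiable file.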

Hi Mark,

unfortunately, it is not possible to sign the uninstaller with Trusted Signing in any pre-2025 version. Uninstaller signing is a very complex task. The uninstaller (and uninstall script) is generated on-the-fly during the INSTALLATION process. That means the uninstall.exe is not even there when you COMPILE the setup, so there is nothing to sign. The compiler makes use of a “secret method” :grin: (I developed it quite a few years ago when InstallShield tried to take over SetupBuilder) to let the installer embed the code-signature into the uninstaller at installer runtime. When you manually code-sign a setup.exe, this method does not work.

Friedrich

1 Like

A quick proof of concept :slightly_smiling_face:

Project with uninstaller support, compiled with SetupBuilder 2025 and Microsoft Trusted Signing:

Trusted Signing is “point.click.ship” in Version 2025…

Friedrich

2 Likes

Because as a “new user”, I can only embed one image in a post…

Here is the compiler report:

Friedrich

1 Like

I have discovered a problem with code signing the (pre SetupBuilder 2025) installer after it’s been created.

I had the same problem when I signed via

  • #run in the script with the “Process after script compilation” option checked
  • manually after the installer was created

When I run the installer:

  • it correctly shows the publisher
  • but when I tell UAC “yes” to continue,
    • I see an “Archive integrity check failed.”
      • and the install terminates

I’m looking forward to testing this with SetupBuilder 2025

With the current SB, changing these options works for me when signing the installer after it has been created:

2 Likes

Carlos - thank you for pointing out the changes you can make in
SetupBuilder > Project > Settings > Tab[Advanced]
I can confirm that solved the “archive integrity check failed.” problem I just reported.

1 Like

Hi Mark,

the compiler does some magic code-signing things when you support uninstall and archive integrity verification. SetupBuilder 2025 also does this when using Trusted Signing. In other words, in SetupBuilder 2025 you’ll have a perfectly valid code-signed uninstall.exe and archive integrity verification also works fine when adding a Trusted Signing signature.

Friedrich

Yep, you have to turn that off if you are signing outside of SB.

All,

a first SetupBuilder 2025 pre-release is available to selected users. The aim of this first pre-release is to test the new built-in (Microsoft / Azure) Trusted Signing support.

This build already supports Windows 11, Windows Server 2025 and ARM64 enhancements. Support for Clarion 12 is built-in, but still disabled.

I am still working on the updated documentation. Without documentation, some of the new features are not accessible.

HOW TO USE TRUSTED SIGNING:

In SetupBuilder 2025, code-signing configuration is done in “Tools | Options… | Code-Signing tab”

  1. In the “Microsoft Code-Signing Tool” entry field, please select the “Trusted Signing” compatible SignTool.exe (with all its dependencies). In the next SB2025 pre-release we’ll have a redistributable available to install it.

  2. “Software Publisher Certificate” supports “Signing Templates” now. This gives us flexibility and we can add all kind of (future) signing methods.

“STPL” is the abbreviation for “Signing Template”. Please use the template “STPL_011://” for Microsoft Trusted Signing. Append the fully qualified path to your “metadata.json” for your Trusted Signing account.

  3. Select a SHA-2 timestamp server in the “Global SHA-2 Timestamp Server” entry field. I would suggest using http://timestamp.acs.microsoft.com

  4. Select the “Global SHA-2 only” signing type.

That’s it. This will enable Trusted Signing for the install, uninstall, “Installer Integrity Check” and “#code-sign application…” directive.

The compiler result should look like this after the compilation process:

If you have a Trusted Signing account and would like to test the SetupBuilder 2025 pre-release, please send an e-mail to [email protected]. An active (not expired) maintenance plan is required.

BTW, we’ll make new SetupBuilder 2025 pre-releases and builds available on a weekly basis.

Thank you for your help!

Friedrich


Friedrich Linder
Lindersoft | SetupBuilder | www.setupbuilder.com
Voice: +1.954.537.3701 | Fax: +1.954.537.3702

– SetupBuilder “point. click. ship.”
– Industry leaders count on SetupBuilder to deliver…

2 Likes

Quick note: in SetupBuilder 2025, we’ll move from the non-SSL “lindersoft.com” to the SSL “setupbuilder.com” domain.

Please do not use the “old” v2019 Redistributables in v2025. There is a new Redistributable system in v2025.

We’ll also switch the Web Update process to setupbuilder.com by the end of this month.

Friedrich