Insights From an Indie Developer Regarding Code-Signing for Windows

Code signing tells an end user where, or from whom, an executable binary came and that it has not been modified along the way. That's what it is, that's what it does, that's what it's for.

Both Apple and Microsoft have built systems on top of this concept to encourage developers to code sign their software. While at a glance these systems seem optional, the unspoken reality is that commercially available software needs to be code signed.

Will an app still launch if it is not code signed? On Windows, yes. The user will be presented with unknown publisher warnings, but the executable can still be launched. To mitigate this, code sign the executable with a Microsoft Authenticode signature.

Purchasing a Code Signing Certificate

Purchasing a Microsoft Authenticode signing certificate can be done directly from a certificate authority or from a reseller. Resellers can offer significant discounts, and I personally just had to switch to a reseller when the vendor I selected ended their developer-friendly pricing program.

A favorite reseller among the Xojo community is K Software. They also provide a signing tool for Windows; the one I make for Mac is ExeWrapper. My most recent experience purchasing a certificate was with K Software, and the process went smoothly.

The Process of Verifying Your Identity

To get a certificate issued to a business name, the issuer will verify the business registration through D&B (Dun & Bradstreet). Oddly, this seems to be the rule amongst issuers. Government records don't always seem to satisfy them, but a D&B registration will.

Be sure your business details are up to date with D&B, or the process will incur significant delays. I've heard reports of delays ranging from weeks to months. I can personally confirm first-hand that for a client the process took several months.

Extended Validation (EV) vs. Organization Validation (OV)

There are two types, or "levels," of Authenticode certificates. It's comparable to the days when more expensive SSL certificates would bless your website with "the extra secure green bar." An Extended Validation (EV) certificate requires extra verification steps and is only issued to a registered business. An Organization Validation (OV) certificate is easier to acquire and can be issued to an individual.

What's the difference between these two types of certificates? Technically, the amount of identity validation: the issuer is supposed to take extra steps to validate the identity requesting an EV certificate. Additionally, software signed with an EV certificate is granted SmartScreen reputation immediately. This means the end user won't see the "Smart Screen protected this PC." blue dialog. When SmartScreen steps in, the user has to click "More Info" and then "Run Anyway."

Which certificate is best for you will depend a lot on what your needs are. If your business is suffering because of SmartScreen warnings, it may be a good business decision to get an EV certificate. If you're like me, making Windows apps just because you happen to be able to, a personal "Tim Parnell" certificate that asks the user to click "Run Anyway" is good enough.

Code Signing Your Software

Once you have a Microsoft Authenticode signing certificate, it's actually much easier to code sign on Windows than it is for macOS. Of course, I offer a desktop app for macOS that can batch code sign Xojo build files for Windows. ExeWrapper will do the legwork; just drop your Windows build folder on the Files list. K Software offers a Windows code signing tool that is much the same; it's called KSign and it's available on their website.

Which files need to be signed is the topic of many discussions, and I am always interested in hearing additional information about it. From what I've discovered, only executables that the user will launch need to be signed. In other words, the installer.exe and the main MyApp.exe need to be signed.
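The two points above, that a signature proves the file has not been modified since signing and that the user-launched executables are the ones to sign, can be checked from PowerShell. The script below is an added example, not code from ExeWrapper, KSign or K Software. It audits every .exe under a build folder with the built-in Get-AuthenticodeSignature cmdlet (a HashMismatch status means the file was changed after it was signed), then optionally signs the launchable executables with Microsoft's signtool.exe. It assumes signtool.exe from the Windows SDK is on PATH, that the certificate lives in the CurrentUser\My store and is selected by its subject name, that the launchable file names are installer.exe and MyApp.exe as in the text, and that the timestamp URL is replaced with the RFC 3161 server your CA publishes (the default is a placeholder).

```powershell
<#
  Added example (not ExeWrapper/KSign code): audit Authenticode signatures in a
  Windows build folder, fail on tampering, and sign the user-launched executables.
  Assumptions: signtool.exe on PATH, certificate in CurrentUser\My, placeholder
  timestamp URL, launchable names taken from the article (installer.exe, MyApp.exe).
#>
param(
    [Parameter(Mandatory)] [string]   $BuildFolder,
    [Parameter(Mandatory)] [string]   $CertSubject,                        # assumed: subject name of your cert
    [string]   $TimestampUrl = 'http://timestamp.example.invalid',         # placeholder: use your CA's RFC 3161 server
    [string[]] $Launchable   = @('installer.exe', 'MyApp.exe'),            # the files the article says must be signed
    [switch]   $SignUnsigned
)

# 1. Audit: signature state of every .exe in the build folder.
#    Valid        = signed and the chain is trusted on this machine
#    NotSigned    = no Authenticode signature at all
#    HashMismatch = signed, but the bytes changed after signing (tampering or a rebuild)
$report = Get-ChildItem -Path $BuildFolder -Recurse -Filter *.exe | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        File        = $_.Name
        Path        = $_.FullName
        Status      = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Timestamped = [bool] $sig.TimeStamperCertificate   # without a timestamp the signature dies with the cert
        Launchable  = $Launchable -contains $_.Name
    }
}
$report | Format-Table File, Status, Timestamped, Launchable, Signer -AutoSize

# 2. Fail loudly on tampering: never re-sign a file whose signature no longer matches its contents.
$tampered = $report | Where-Object Status -eq 'HashMismatch'
if ($tampered) {
    $tampered | ForEach-Object { Write-Error "Modified after signing: $($_.Path)" }
    exit 1
}

# 3. Sign the launchable executables that are still unsigned.
#    /fd SHA256       file digest algorithm
#    /tr + /td SHA256 RFC 3161 timestamp, so the signature stays valid after the certificate expires
#    /n <subject>     select the certificate from the store by subject name
if ($SignUnsigned) {
    $report | Where-Object { $_.Launchable -and $_.Status -eq 'NotSigned' } | ForEach-Object {
        & signtool.exe sign /fd SHA256 /tr $TimestampUrl /td SHA256 /n $CertSubject $_.Path
        if ($LASTEXITCODE -ne 0) { Write-Error "signtool failed for $($_.Path)"; exit $LASTEXITCODE }

        # Verify against the default Authenticode policy, the same check Windows applies at launch.
        & signtool.exe verify /pa /v $_.Path
        if ($LASTEXITCODE -ne 0) { Write-Error "verification failed for $($_.Path)"; exit $LASTEXITCODE }
    }
}

# Launchable files that are still unsigned after this run are the ones that will trigger
# the unknown publisher warning described in the article.
$report | Where-Object { $_.Launchable -and $_.Status -ne 'Valid' } |
    ForEach-Object { Write-Warning "Launchable file not validly signed: $($_.File)" }
```

Run it once without -SignUnsigned to see the audit table, then with -SignUnsigned to sign. The timestamp flags are the part most often left out of ad hoc signing commands; without them a valid signature becomes untrusted the day the certificate expires, which is a support problem a year or three later rather than today.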

Supporting My Work

I hope this clears some things up. If I am mistaken about anything, please don't hesitate to reach out to me! My email address is support@strawberrysw.com.

If you found the information I've gathered useful, you should check out ExeWrapper. Even if you don't find a need for the software, supporting development helps me spend time researching code signing.

Updates

[2022-03-26] Sectigo may not be using D&B for business validation anymore. I cannot confirm this because of the experience my client just had (finally resolved December 2021).