VFP & Code Signing

Hello all. I've been tasked with finding out what it takes to get our VFP-generated exe signed.

I've found several issuers of certificates, in a wide range of prices, but not a lot of real information.

In particular, what I need to know is:

1. When we purchase a signing certificate, can it be installed on more than one PC, or is it tied to a specific one?

2. Does the certificate allow us to sign our program and every new version of it, or is it tied to the version number?

3. Can the certificate be used for more than one software project? For example, if we launch a new app, will the same cert work for it?

4. Once we purchase the cert, how do we integrate code signing with VFP 9?

I know that's a lot of questions, but honestly it seems all the sites want to do is sell you a certificate, without spending any time whatsoever to let you know what the cert is good for or how to use it.  Thanks in advance for any help.

--- edit

Just realized this: we use Refox, so do we sign the actual exe that VFP generates, or the exe generated by Refox? Then the Refox exe gets compiled into the Inno installer, which creates a new exe.
So which of these three exes would we sign?
Olaf Doschke, Software Developer, commented:
How you handle the certificate and signing will become clear once you know how Windows verifies signatures.

It's quite simple in that matter: once you have the certificate on your PC and sign software with it, that signature can be verified on any other Windows PC without further installation, as Microsoft installs the root certificates of major certificate authorities, such as VeriSign. So if you have a certificate from such a CA, the root certificate can verify your signature.

You can sign all your exes, and e.g. using signtool it's easy enough.

More on this has already been answered in detail here:

Doug Hennig points to that article in his short post here:

And you can see he's also signing both the installed exe and the installer itself. If you use Refox, only the refoxed exe is what gets started, so you may skip signing your exe before refoxing it, but it won't hurt anyway if you sign every exe you create.

Bye, Olaf.
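
As an added illustration of the point above that the signature travels inside the exe itself (this is example code written for this page, not code from Olaf, Doug Hennig or the linked articles): a small Python script that locates the Authenticode certificate table in a PE file's data directory and lists the embedded WIN_CERTIFICATE entries. Since the VFP output, the Refox output and the Inno installer are three separate PE files, each with its own certificate table, running this over each one shows which of them actually carries a signature. The script builds a constructed, minimal PE header as sample input instead of reading a real VFP exe; the PKCS#7 bytes inside it are a placeholder, not a real signature. It only checks that a signature block is present; validating it against the CA roots is what Windows does at run time (or what `signtool verify /pa` and PowerShell's `Get-AuthenticodeSignature` report).

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # index of the Certificate Table data directory
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # bCertificate holds a PKCS#7 SignedData blob
WIN_CERT_REVISION_2_0 = 0x0200


def authenticode_info(pe: bytes) -> dict:
    """Report the Authenticode certificate table of a PE image (presence only, no validation)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 60)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        dirs = 96        # offset of the data directory array inside the optional header
    elif magic == PE32PLUS_MAGIC:
        dirs = 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", pe, opt + dirs - 4)[0]
    entry = opt + dirs + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_optional:
        return {"signed": False, "entries": []}
    # Unlike every other data directory, this entry holds a raw file offset, not an RVA.
    table_off, table_size = struct.unpack_from("<II", pe, entry)
    if table_off == 0 or table_size == 0:
        return {"signed": False, "entries": []}
    if table_off + table_size > len(pe):
        raise ValueError("certificate table runs past end of file")
    entries, pos, end = [], table_off, table_off + table_size
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at offset %d" % pos)
        entries.append({"revision": revision, "type": cert_type, "blob_len": length - 8})
        pos += (length + 7) & ~7   # entries are padded to 8-byte boundaries
    return {"signed": bool(entries), "table_offset": table_off, "entries": entries}


def build_sample_pe(signed: bool, pe32plus: bool = False) -> bytes:
    """Constructed PE header with no sections, used only as sample input for this example."""
    opt_size = 240 if pe32plus else 224
    dirs = 112 if pe32plus else 96
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)     # e_lfanew: PE header directly after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, dirs - 4, 16)   # NumberOfRvaAndSizes
    image = bytearray(dos + b"PE\0\0" + coff + opt)
    if signed:
        blob = b"\x30\x82\x00\x10" + b"\x00" * 16   # placeholder standing in for PKCS#7 SignedData
        cert = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        cert += b"\0" * (-len(cert) % 8)
        table_off = len(image)
        image += cert
        struct.pack_into("<II", image, 64 + 4 + 20 + dirs + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                         table_off, len(cert))
    return bytes(image)


if __name__ == "__main__":
    if len(sys.argv) > 1:                    # pass the VFP exe, the refoxed exe and the installer in turn
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], authenticode_info(f.read()))
    else:
        for label, data in (("unsigned", build_sample_pe(False)), ("signed", build_sample_pe(True))):
            print(label, authenticode_info(data))
```

Note that a present certificate table says nothing about whether the certificate chains to a trusted root or whether the hash still matches the file; Inno Setup and Refox both rewrite the exe they produce, so a signature applied before those steps is simply absent from the final artifact, which is why the installer and the refoxed exe have to be signed after they are built.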

formadmirer (Author) commented:
Thanks Olaf. I had previously stumbled upon Doug Hennig's article. But I've got to say the one on wintellect is really comprehensive with a lot of very useful information. Thanks for saving me probably hours of searching.

I've now downloaded the Windows SDK ISO since I don't have signtool, however I'm running XP SP3 and MS doesn't seem to keep older versions of the SDK around. Hopefully I'll manage to get this one for WIN7 to work for me.

I also stumbled upon an older article which mentioned self-signing the code. Now I realize this will not do away with the Unknown Publisher warnings, but I was wondering if there is ANY advantage that you know of to this at all?

The only advantage I can think of is it would theoretically let others know if the code had been altered in any way. But it would provide no validation as far as identity or authenticity.

We are having an issue where Avast and other antivirus software is flagging our exe download as suspicious and the recommended action is abort.

Chrome does essentially the same. Once the file is downloaded the filename shows in the System Tray with a big red delete button next to it. You have to know to actually click on the filename and choose Save to even get the file onto the PC.

These are the issues we're trying to overcome.
formadmirer (Author) commented:
Your post offered a lot of very useful information. Thanks once again.
Olaf Doschke, Software Developer, commented:
What you can't turn off even with a signed exe is the security warning about downloaded files:


To unblock this programmatically you need to remove a file stream, which is named after the file plus ':Zone.Identifier'.

put together from
- http://blogs.msdn.com/b/calvin_hsia/archive/2006/09/25/771764.aspx
- http://weblogs.asp.net/dixin/archive/2009/03/14/understanding-the-internet-file-blocking-and-unblocking.aspx
- http://stackoverflow.com/questions/9854853/how-to-delete-ads-alternate-data-stream-in-c

Using the Windows API, in short you just need:

DECLARE INTEGER DeleteFile IN kernel32 STRING lpFileName
* lcFile is your variable holding the full path of the downloaded exe;
* the stream is deleted like a file, returns nonzero on success and 0 on failure
? DeleteFile(lcFile + ":Zone.Identifier")

Calvin Hsia also shows how to read and write with further API functions. This can be very handy to update in a ClickOnce fashion: downloading the next version, unblocking the file/files and patching your own app.

Bye, Olaf.

PS: Unsure how far this will remove Chrome's annotation to the file. It's not getting rid of the unknown publisher, of course.

If you do code signing and buy from a CA, you have to verify your identity and you specify your company or personal name, so the signature does indeed include your publisher information. You have to identify yourself before you get your own certificate; that's part of the price.
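
As an added example of the Zone.Identifier mechanism described above (example code written for this page, not code from Olaf or the linked articles): a Python script that parses the INI-style body of the stream, decides whether Windows will show the downloaded-file warning for it, and removes the stream the same way the VFP `DeleteFile` call does. The sample stream body is constructed to look like what a Windows 10 browser download gets, including the `ReferrerUrl` and `HostUrl` lines newer Windows versions write; the zone numbers are the standard URLZONE values (0 local machine, 1 intranet, 2 trusted, 3 Internet, 4 restricted). The unblock step only does something on Windows, where NTFS alternate data streams exist.

```python
import os

# URLZONE values as written by browsers, Outlook and other MOTW-aware programs
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample of a Zone.Identifier body for a browser download (not captured from a real file)
SAMPLE_STREAM = ("[ZoneTransfer]\r\n"
                 "ZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/download/\r\n"
                 "HostUrl=https://example.invalid/files/setup.exe\r\n")


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style stream body; only the [ZoneTransfer] section is meaningful."""
    info, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            info[key.strip()] = value.strip()
    if "ZoneId" in info:
        try:
            info["ZoneId"] = int(info["ZoneId"])
        except ValueError:          # garbage ZoneId: treat as no usable mark
            del info["ZoneId"]
    return info


def is_blocked(info: dict) -> bool:
    """The Open File security warning fires for the Internet and Restricted zones (3 and 4) only."""
    return info.get("ZoneId", 0) >= 3


def describe(info: dict) -> str:
    zone = info.get("ZoneId")
    if zone is None:
        return "no mark-of-the-web"
    name = ZONE_NAMES.get(zone, "unknown zone %d" % zone)
    return "%s (%s)" % (name, "blocked" if is_blocked(info) else "not blocked")


def stream_path(path: str) -> str:
    return path + ":Zone.Identifier"        # NTFS alternate data stream syntax


def read_zone(path: str):
    """Parsed stream, or None when the file has no mark (or the file system has no streams)."""
    try:
        with open(stream_path(path), "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def unblock(path: str) -> bool:
    """Delete the stream: the same operation as DeleteFile(file + ':Zone.Identifier') from VFP."""
    if os.name != "nt":
        return False                          # nothing to remove on non-NTFS platforms
    try:
        os.remove(stream_path(path))          # os.remove maps to DeleteFileW, which accepts stream names
        return True
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    print(describe(parse_zone_identifier(SAMPLE_STREAM)))
```

As the PS above says, this removes only the downloaded-file warning that the Zone.Identifier stream triggers; it does not change the publisher shown by Windows, and Chrome's own download verdict is made before the file is written, so nothing done to the file afterwards affects it. An updater that downloads a new build should unblock the file it just wrote before launching it, and it should do so after checking the signature, since deleting the stream is exactly what an attacker-controlled download would also want.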