Ramblings from a developer


Something that has bothered me for a while is the hassle in putting together all the pieces to sign my download files. I finally got around to looking it all up, and it isn’t easy as you have to piece all the things together. I hope that this will give you an insight into how it can really work, since I managed to actually achieve what I wanted and sign my code. This article is a list of the steps I had to take, and you will probably need to review the commands yourself if you have problems.

Update 2006:

How things change. Since I wrote this original article, things in the codesigning world have become a lot easier. I’ve even renewed the two year certificate I bought – but watch out that you get the renewal from the expiry of the first one or you could lose many days!

The main change though is that Microsoft made the signcode executable very hard to find, if not impossible. The good news is that there is a much better option available and, although it isn’t free, it is more comprehensive and offers a GUI mode for your initial testing and a command line option (signcode compatible) for your development script. The best improvement is that you can specify the password for the certificate, which means you don’t have to have the password dialog pop up all the time. Full details, and links to certificate suppliers and a step-by-step guide are available from the X2Net SignCode web page.

I’ve left the original article below as it is still a good summary of the tools that might be useful to people, and how to transform things.

The process

Get a certificate from http://www.ascertia.com/onlineCA/Issuer/CerIssue.aspx who will do a free code signing certificate. Obviously any alternative is good, but this will prove the concept for you, and you can go buy another from them or elsewhere later. The email address is included in the certificate, so use a sensible one you are happy for the world to see. Accept the installation of the certificate into the browser as it won’t be emailed even though they say it will. Make sure you chose exportable.

Then get the Microsoft code signing stuff (codesigningx86.exe) from the MSDN web site (google will find its current location).

Use the certmgr to view your certificate and export it. Export it as a certificate (.cer file), and with the key (.pvk) file.

Use cert2spc to convert the cer file into an spc file. That’s the first half of the process done. Now you need a key file compatible with the signcode application.

From http://support.globalsign.net/en/objectsign/transform.cfm:

How to transform your certificate to a pvk + spc combination.

Export your certificate to a pfx file (be sure to check “Include all certificates in the certification path if possible”). (The latter will help ensure it is accepted by more systems.

Install openssl. You can find compiled binaries on www.openssl.org (but get the Windows build from http://www.shininglightpro.com/ http://www.shininglightpro.com/download/Win32OpenSSL-v0.9.7d.exe)

Extract your private key from the pfx file.

->openssl pkcs12 -in <pfx-file> -nocerts -nodes -out <pem-key-file>

The pfx password will be asked.

Download the pvk transform utility. This file can be found at http://support.globalsign.net/en/objectsign/PVK.zip.

-> pvk -in <pem-key-file> -topvk -out <pvk-file>

Extract your certificates from the pfx file.

openssl pkcs12 -in <pfx-file> -nokeys -out <pem-certs-file>

The pfx password will be asked.

Transform your pem file to a spc file

->openssl crl2pkcs7 -nocrl -certfile <pem-certs-file> -outform DER -out <spc-file>

I didn’t do that last bit – already did that stage. Note that you are transforming into a PEM file as an intermediate step. I got that bit wrong first time round.

Okay, so now you have all the right bits. You now can just run signcode.exe and use the wizard to check it all works. Select the advanced mode so you can use files, and all should go well. You’ll have to enter the password at various points. If it all worked, then we are nearly there.

To actually sign the code, and I used FinalBuilder to make sure it is done each time and every time reliably, you need the following command.

c:\codesigning\signcode -spc “c:\codesigning\myAscertiaSPC.spc” -v “c:\codesigning\myascertiakey.pvk” -a md5 -i “www.yourdomain.com” -n “Application install file” “C:\Build\Installer\yourinstaller.exe”

If it fails, then you probably got a path wrong or a missing file or something silly. Took me ages to spot that I’d got an extra letter in a path. Grr.

The only fly in the ointment is that you need to type the password for each file. It’s not hard to write an app to do the typing for you, but the security of your password is obviously at risk.

An update: Thanks to Hugo Logmans who also provided the script additions to allow FinalBuilder to check that it worked okay, which ensures that you don’t think you signed it.

CodeSignFailure = true

ActionResult = NOT CodeSignFailure
Continue = NOT CodeSignFailure

if InStr(StatusMessage.MessageText,”Succeeded”) > 0 then
CodeSignFailure = false
end if

I have this script to sign the program executable AND singlefile
installer-executables. Works very fast and efficient. This way you can be sure the file is always signed.

Update: After some issues that someone identified with the ascertia certificate on their machine (which I couldn’t replicate), I bought a two year certificate from http://www.instantssl.com/code-signing/ which is from a fairly new certificate authority, but is cheap therefore and is in the XP SP2 root certificates and thus answers the issues.

Update: The codesign executable is a moving target, and is becoming harder to find. So forget the Microsoft codesign executable, and use one that is much easier to use and not only command line compatible but more comprehensive. Give X2Net SignCode a whirl – both GUI and command line options available.

Matthew Jones

One of the great things about Delphi is that there is a good supply of third-party components available. As a long term user of Delphi my palette has grown in size and I now have over 80 pages to choose from. So any component set has to have something special to get me excited about it, particularly in the general user interface category where there is a lot of competition. Raize Components 3 (RC3 from now on) has a lot that is special, and the main thing it provides is “polish”.

[This review was first published in The Borland User Group Newsletter.]

For me, polish is what distinguishes great apps from okay apps. It is the detail that is put into things that make life easier for the user, that extra time spent making sure things are ‘just right’. RC3 provides this on two levels. First, the components look great, and allow you to provide a good end-user experience with little effort. But most importantly, they make the developers life a great deal easier. This is not just a set of components to sit on the palette, but it includes a suite of property and component editors, and context sensitive menus all of which are well designed, and make life a lot easier.

To show a simple example, let’s take a panel. How often do you drop a panel on a form and then clear the caption property, followed by setting its alignment to top, or client? And then of course remove the border so it doesn’t stand out. With the basic Raize panel, the caption starts blank, and right clicking gives menu items to set the alignment, to remove the border, and also to edit the panel visually. This saves a lot of time playing hunt the property in the object inspector. And this is just the simple panel – things go up from here! Take the GroupBar component as another example. This is an outlook style bar that can display in either the classic style, a task list style, or as an XP category style. Menu items to set the image lists and alignment exist, but here you can edit the bar contents “live” which is more natural than a separate property editor, and allows you to see it exactly as it will appear. In design time, the component even says “Add groups by selecting ‘Add group’ from the context menu” so you don’t waste time working out how to use it. That is polish. So you add a group, and right clicking on the group gives more context-sensitive items. This is a nice component, and it has been made very easy to use.

The installation of RC3 gives you seven palette pages with 117 components, 22 of which are data aware and 9 of which are deprecated (components that are replaced by better components). The pages are labelled Panels, Edits, Lists, Buttons, Display, Shell, and Widgets but they contain more than they imply. The shell components are licensed from Plasmatech, so they have a good pedigree, and provide both the raw controls, and smart dialogs using them. The panels include the Panel and GroupBar mentioned previously, as well as a page control that can be used to replace the Win32 version, but which provides a wide variety of tab styles. These include XP themed versions, but allow for a lot of customisation of both the tabs and the border frames. XP theme support is provided using the now-standard Mike Lischke code, but RC3 components can automatically use XP themes, or emulate them if not on XP. Most of the components can use a “frame controller” that can set the framing options quickly for a set of components, or you can customise the components individually. All this really means that you can have your app look as you want it to, and add some polish yourself.

I shall skip over the splitters, status bars, group and radio boxes and mention the CheckGroup which is like a radio group but of checkboxes, so you get automatic alignment quickly and easily. All the groups have a variety of outline styles to choose from. Likewise I’ll do great injustice and skip the edits page – all of which provide the custom framing, and things like buttons in edit boxes so you can click to get a date-picker (or a custom edit with one or two custom buttons of your own if you want).

The Lists page is where more of the polish shows. Raize components 2 was the first component set I bought which had a list box with check boxes for each item, and a tabbed list box. RC3 improves these by allowing category titles in the check-list with a very smart faded background on each, along with an design-time editor to make it easy to fill. The tabbed list has a Cells property so that you can access the individual parts of the tabbed items – again making life easier for developers. Speaking of which, there are two variations provided – an EditList which allows the user to press F2 to edit an item in-situ, and a RankingList which allows the user to drag the items up and down. These are things that you can write yourself, but they are fiddly to get right, and here you just drop them on your form and move on. If I had one niggle about these, it is that there are derived from the basic List and not all available as a single mega-list with tabs, checkboxes, ranking, and editing. But I guess such a need would be rare. Other lists and combos include fonts, images (with indents and labels), MRU, treeviews, check-trees and listviews.

The buttons in RC3 include a wide variety of image compatible, shaped, toolbar and menu buttons. For those supporting glyphs, there is a nice image selector, with modern looking images that will do for many basic tasks. Of particular note is the DialogButtons component. Drop one of these on your form and you instantly have OK and Cancel buttons properly aligned on a panel at the bottom of your form. You can also show a Help button, and add other items there if you want. For a quick dialog, this has always been nice, but one of the most amazing facilities that RC3 gives is in the context menu for the standard Delphi form. Items added allow for adding a groupbar, toolbar, status bar, splitter, panel, image list, frame controller, and form state component. Additionally, there is ‘Create dialog’ and ‘Create options dialog’ which both put a dialog buttons component on the form, change the form settings to dialog borders, and for the options dialog creates a page control with two tabs ready and waiting. These all make the developer task easier, and save having to go find things on the palette. Of course it doesn’t eliminate all the work, but many of the things that you usually want to do are made a lot easier.

The Display page contains a variety of time-saving components as well as some nice implementations of the basics. The label allows rotation and different fonts, and the status pane is a label with border, but includes things like blinking. Derivations of this include scrolling, key status, and most interestingly a version info which makes it possible to show version information from your executable without any effort. This is why I buy components, and it all helps to meet user expectations of modern apps. There is also a background gradient/image component here, which along with the transparent option in virtually all the other components means that you can create great looking forms. Further display components include a URL label, border, arrowed-line and shaded separators, progress bars, scrolling LED panel, and a bitmap animator.

The Widgets page provides a miscellaneous set of items. Visually, there are comprehensive date, time and colour pickers each customisable with properties and events. You can set your form shape according to the outline of a bitmap, add a tray icon, make your tooltips into much friendlier balloons, save your forms state at runtime, send MAPI email and launch other apps.

I think I have shown that RC3 provides more than just a nice looking set of user interface components. The extras that are provided are what makes the Raize components the first I consider when building apps, and RC3 has added a great deal that will make my life easier. For existing users, an upgrade is an easy decision. For new users, it is well worth a good evaluation as a truly professional component set that will save you time and give your development and your apps “polish”.

As someone who has been victim to a spammer forging our email “from” address, and thus getting over 10,000 bounce emails a day for nearly ten days, I have a personal interest in making sure it doesn’t happen again. The likes of the SPF (Sender Permitted From) therefore look interesting. But why can’t it be much simpler?
One of the interesting thoughts I got from reading PC Pro (UK magazine), which said that there were three or four competing systems, one of which uses server keys, is why we can’t just sign the emails? That is, make a header like:

X-SignText: 2004-04-22 name@matthew-jones.com 1942939

Now, to check this was valid, you’d get a text record from the domain server which would contain a public key. You’d then decrypt the SignValid part and match the SignText item. If it didn’t match, then you’d just bin it. By including the date you stop people catching one header and forging forever and can ensure it is within a few days of sending. The random number keeps the encryption on its toes to ensure it can’t be cracked.

Why wouldn’t this work? It doesn’t depend on sender IP numbers at all. It of course needs an email client to encrypt a line, but code for that is commonplace, and is certainly less work than lots of lookups as needed by SPF and the like.

Publishing date: 14.06.2004 14:21

I’ll declare an interest in that I write the Epanoopy spam filter for VPOP3. (now defunct since this article was written)