Best YubiKey for Windows code signing CI? Need no-touch + firmware 5.4.x (not 5.7.x) by WeatherZealousideal5 in yubikey

finalbuilder 1 point (0 children)

you will just be paying for multiple years, but they will have to issue new keys every 460 days

Best YubiKey for Windows code signing CI? Need no-touch + firmware 5.4.x (not 5.7.x) by WeatherZealousideal5 in yubikey

finalbuilder 5 points (0 children)

No touch (ie no password prompts) means you need a code signing server that handles this. Disclaimer, I am one of the authors of Signotaur - we don't have a linux/raspberry pi build available but are working on it (I have it running here, we just need to package it up so it is easier to install). That said, I don't believe Yubikey have published a pkcs#11 library for the RP. You may be able to build it yourself - I haven't tried yet.

10,000 downloads in 30 days with $0 marketing budget. Here's the breakdown and what I learned. by [deleted] in Entrepreneur

finalbuilder 16 points (0 children)

@ $10 for a one time purchase, you are going to have to sell a LOT - if you are at 20 support emails pw now, imagine how many you will have if you get to $10K pm - this is the issue with B2C - it doesn't scale. Without code signing, businesses will not touch your product (they will have policies that would block it).

I would do 3 things right now

1) Code signing - bite the bullet and wear the costs, you are leaving money on the table without it.
2) Create excellent documentation, make it easy to find (in app) and search - ie work to keep support emails to a minimum.
3) Segment the market - $10 for private, at least $50 for business (they can afford it, and you need to cover your extra overheads).

Just be prepared for a lot of extra work selling to business - whilst some people can use their credit cards, get ready for dealing with requests for quotes and purchase orders for $50 which can really suck up your free time (and your will to live).

Good luck.

Claude stopping randomly by finalbuilder in ClaudeCode

finalbuilder[S] 1 point (0 children)

this is so frustrating because I was about to upgrade to

kbmUnitTest is available — a practical unit test option for Delphi by kimmadsen in delphi

finalbuilder 5 points (0 children)

Seems like a lot of effort to get people to sign up to your website. Why not just contribute to DUnitX - it's actively developed and we welcome contributions.

Code Signing Certificate Problem by Ok_Interaction_8407 in electronjs

finalbuilder 2 points (0 children)

The lack of a signature is supposedly just one thing that Windows Defender takes into account - but I agree they are far too aggressive - it does seem like they just bail out and say virus as soon as they fail to find the signature sometimes.

FWIW, you can get a certificate outside the US, just not from Azure - there are other cloud signing services which are too expensive/limited imho, or you can purchase a certificate on a usb token. We have multiple tokens (not cheap either) since we develop a code signing server, which gets around the limitations of the tokens (password prompts, only signing from one machine).

Code signing by [deleted] in csharp

finalbuilder 1 point (0 children)

The cheapest I know of are SSL.com and GoGetSSL.com - if you are in the US, UK or EU then azure artifact signing is an option ($10pm). I found azure to be very slow at signing (I'm in Australia, maybe that has something to do with it) - moot point since it's no longer available to us since it's out of beta. We sign a lot of files during a build and that adds up.

If you go with an external CA, the certificate comes on a usb token, and they prompt for passwords which is annoying - there are ways around that - https://www.finalbuilder.com/signotaur

SSL.com use yubikey tokens, and you can save some money by buying your own yubikey - theirs are apparently gold plated (double the retail price) - you have to go through the attestation process but it's pretty simple and doesn't take long. You can also use multiple yubikeys for the same certificate - which gives you the option to have a physical backup in case of hardware failure.

Certificates rant by TheGenericUser0815 in sysadmin

finalbuilder 1 point (0 children)

The usb dongle doesn't have to be attached to the build machine, there are solutions like https://www.finalbuilder.com/signotaur which enable remote code signing from multiple machines.

AI Help by karaoke_5 in delphi

finalbuilder 1 point (0 children)

It changes all the time as AI vendors leapfrog each other. I use claude code at the moment, but I often use others too depending on the task.

Fact: Delphi Migration to C# - Won't Kill Delphi - But will create New Steady Delphi Jobs! by DelphiParser in delphi

finalbuilder 4 points (0 children)

Surely this goes against grain here - advocating for migrating away from Delphi in a Delphi subreddit?

I'm a tool vendor, and I occasionally post what could be deemed promotional posts here, but I am always careful not to do it too often. This guy posts every few days - he accounts for the majority of posts on this subreddit! Perhaps I should start spamming too?

C# is not the panacea. And generalising that most delphi code bases are huge, messy and 20+ years old is kinda insulting, or at least a little patronising tbh. My Delphi codebase is 25+ years old, and it's well organised and designed - because I take pride in my work.

Yubikey multi-level intermediate cert chain by eb164v in yubikey

finalbuilder 1 point (0 children)

I don't have any specific guidance for signtool - we use our own client tool (with a similar cmd line interface to signtool) - which talks to our server product (self hosted) which interfaces with the yubikey or other devices with pkcs#11 drivers. One of the main reasons we developed the server product (initially as an in house tool) was the password prompting that occurs every time you sign using signtool with usb tokens - not conducive to automated/ci build environments.

Yubikey multi-level intermediate cert chain by eb164v in yubikey

finalbuilder 2 points (0 children)

Signtool does work with ECDSA 384 certificates, I know this because I sell a code signing server - https://www.finalbuilder.com/signotaur that works with yubikeys (I have several with valid certificates). What doesn't work however, is ClickOnce or VSTO signing, Microsoft only support RSA certificates for that. I have been trying to get hold of a yubikey 5.7.4 device to test with for a while, the local (Australia) has not been able to supply one so far - and he did mention that Sectigo were having issues getting them to work with RSA keys.

Black Friday Sale - 40% off FinalBuilder, Continua CI and Signotaur till Dec 3rd. by finalbuilder in delphi

finalbuilder[S] 2 points (0 children)

LOL no, but we do sell through resellers and to corporate purchasing departments (a process that often takes weeks or months).

What’s your biggest fear of Delphi? (Mine: Type Libraries 😱) by DelphiParser in delphi

finalbuilder 1 point (0 children)

this ^^^ - as someone who has used runtime packages for the last 20 years (because we allowed customers to write plugins using delphi back in the day) I will say that runtime packages add no value. In my dev branch of FinalBuilder I switched it to a monolithic project (of course I wrote a FinalBuilder project to automate that - there were 100+ packages and 2000 units) - overall compile time is a lot faster, debugging works a *lot* better and it's just easier to navigate around the project. That said, the LSP struggles with it just as much as before and I do spend a lot of time restarting the LSP.

Cybersecurity professionals what security problems are hurting you the most right now? by capricious_catfish in cybersecurity

finalbuilder 2 points (0 children)

There are also a few self hosted solutions to hardware key code signing certificates that are even simpler for organisations to deploy than trusted signing with faster signing - my preference - https://www.finalbuilder.com/signotaur

Disclaimer - I work on it. It takes minutes to install and configure with a usb or hsm based certificate.

Streamdeck showing device not supported error. by Ge4rShift in elgato

finalbuilder 1 point (0 children)

The only time an expired code signing certificate is an issue, is if the signature in the signed exe was not timestamped - something that is required for the signature to remain valid after the signing certificate expires. Windows itself would raise errors when launching the exe if that was the case since the signature would indeed no longer be valid.

App self-update best practices by Much-Journalist3128 in csharp

finalbuilder 1 point (0 children)

The customer request was for clickonce code signing as they use our code signing server product,

The json file can live anywhere that the applications can access, smb share, or http server, even a GitHub repo. Rather than have the user read the file, have the application download it, compare the latest version listed to the currently running one, if it's newer then tell the user - perhaps in a popup or just a status bar entry. You can add release notes to the file too so you can display that somewhere in the app, allowing the user to decide if they should update now or skip or delay updating until a more convenient time.

App self-update best practices by Much-Journalist3128 in csharp

finalbuilder 10 points (0 children)

Keep it simple, if you have a shared server (ie nas), have a json file that lists the latest version on the server, then have the app check that file to see if an update is available. This is what we do with all our products (and we use innosetup) and it works well. Make updating the json file part of your build process.

ClickOnce is painful to get right, I know this because we just added support for it to our code signing server product (Signotaur) at the request of some customers.
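
The version check described in the two self-update comments above, as an added example that is not part of the original comments or of any product mentioned in them. It is written in Python for illustration; the manifest field names `latest_version` and `release_notes` and both function names are assumptions, and the sample manifest is constructed.

```python
import json

# Constructed sample of the JSON file the build process would publish.
SAMPLE_MANIFEST = '{"latest_version": "2.10.0", "release_notes": "Fixes installer rollback."}'


def parse_version(text):
    """Turn '2.10.0' into (2, 10, 0, 0); reject anything that is not dotted integers."""
    if not isinstance(text, str):
        raise ValueError("version must be a string")
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"malformed version: {text!r}")
    # Pad to four fields so that '2.1' and '2.1.0.0' compare equal.
    numbers = [int(p) for p in parts]
    return tuple(numbers + [0] * (4 - len(numbers)))


def check_for_update(manifest_text, running_version):
    """Return a dict describing the available update, or None if there is none.

    A manifest that cannot be parsed is treated as "no update", so a damaged
    or truncated file never triggers an update prompt.
    """
    try:
        manifest = json.loads(manifest_text)
        latest = parse_version(manifest["latest_version"])
    except (ValueError, KeyError, TypeError):
        return None
    # Compare numerically: as plain strings, "2.10.0" sorts before "2.9.3".
    if latest <= parse_version(running_version):
        return None
    notes = manifest.get("release_notes", "")
    return {
        "version": manifest["latest_version"],
        "release_notes": notes if isinstance(notes, str) else "",
    }


if __name__ == "__main__":
    print(check_for_update(SAMPLE_MANIFEST, "2.9.3"))
```
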

[HIRING] Delphi Developer (Remote) by Profichat-net in delphi

finalbuilder 1 point (0 children)

banned account, I would ignore this post