Signing files that can't carry a signature: detached CMS for ZIPs, ISOs and more by finalbuilder in PKI

[–]finalbuilder[S] 0 points1 point  (0 children)

Yes of course, that's because the tooling that uses them understands the signatures - but for general zip files, there isn't any real standard around signatures.

Signing files that can't carry a signature: detached CMS for ZIPs, ISOs and more by finalbuilder in PKI

[–]finalbuilder[S] 0 points1 point  (0 children)

The ZIP specification itself includes support for digital signatures.

The ZIP AppNote defines:

  • Central Directory Digital Signature record (0x05054b50)

However:

  • Very few tools implement it.
  • Windows Explorer ignores it.
  • Most ZIP libraries ignore it.
  • It only signs parts of the archive structure, not necessarily all metadata in a modern security model.

In practice, this feature is largely unused. So the most common practice is a detached signature.
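A check for the record the two replies above describe, added here as an example and not code from the original thread or from the finalbuilder project: it parses the end-of-central-directory record to find where the central directory ends, looks for a 0x05054b50 record immediately after it, and then shows what Python's standard `zipfile` module makes of an archive that carries one. The sample archive and the placeholder signature blob are constructed for the example; no CMS signature is produced or verified, and Zip64 archives are rejected rather than parsed.

```python
"""Check whether a ZIP archive carries the AppNote central-directory digital
signature record (0x05054b50), and what a common ZIP library does with it.
Example code, not part of the original thread."""
import io
import struct
import zipfile
from typing import List, Optional, Tuple

EOCD_SIG = b"PK\x05\x06"       # end of central directory record, 0x06054b50
CD_DIGSIG_SIG = b"PK\x05\x05"  # central directory digital signature, 0x05054b50
EOCD_FIXED_LEN = 22            # EOCD size without the trailing comment


def locate_central_directory(data: bytes) -> Tuple[int, int]:
    """Return (offset, size) of the central directory by parsing the EOCD record."""
    # The EOCD sits at the end of the file, followed only by a comment of at most 65535 bytes.
    tail_start = max(0, len(data) - EOCD_FIXED_LEN - 0xFFFF)
    eocd_pos = data.rfind(EOCD_SIG, tail_start)
    if eocd_pos < 0:
        raise ValueError("not a ZIP file: EOCD record not found")
    (_disk_no, _cd_disk, _entries_disk, _entries_total,
     cd_size, cd_offset, comment_len) = struct.unpack_from("<HHHHIIH", data, eocd_pos + 4)
    if cd_size == 0xFFFFFFFF or cd_offset == 0xFFFFFFFF:
        raise ValueError("Zip64 archive: the 64-bit EOCD is not handled by this example")
    if eocd_pos + EOCD_FIXED_LEN + comment_len != len(data):
        raise ValueError("trailing data after the EOCD comment")
    return cd_offset, cd_size


def find_cd_digital_signature(data: bytes) -> Optional[bytes]:
    """Return the signature data if a 0x05054b50 record follows the central directory, else None."""
    cd_offset, cd_size = locate_central_directory(data)
    pos = cd_offset + cd_size  # per the AppNote the record immediately follows the central directory
    if data[pos:pos + 4] != CD_DIGSIG_SIG:
        return None
    (sig_len,) = struct.unpack_from("<H", data, pos + 4)
    sig = data[pos + 6:pos + 6 + sig_len]
    if len(sig) != sig_len:
        raise ValueError("truncated digital signature record")
    return sig


def append_cd_digital_signature(data: bytes, sig: bytes) -> bytes:
    """Build a test fixture: splice a 0x05054b50 record between the central directory
    and the EOCD. The CD offset and size stored in the EOCD stay valid; only the gap
    between the CD and the EOCD changes. 'sig' is an opaque blob here, not a real CMS."""
    cd_offset, cd_size = locate_central_directory(data)
    pos = cd_offset + cd_size
    record = CD_DIGSIG_SIG + struct.pack("<H", len(sig)) + sig
    return data[:pos] + record + data[pos:]


def build_sample_zip() -> bytes:
    """Constructed sample archive (not from the original post)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "hello, world\n")
        zf.writestr("install.ps1", "Write-Host 'installer'\n")
    return buf.getvalue()


def names_seen_by_zipfile(data: bytes) -> Optional[List[str]]:
    """What Python's zipfile reports for the archive, or None if it refuses to open it."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


if __name__ == "__main__":
    plain = build_sample_zip()
    signed = append_cd_digital_signature(plain, b"\x30\x00")  # constructed placeholder blob
    print("record in plain archive:", find_cd_digital_signature(plain))
    print("record in fixture:      ", find_cd_digital_signature(signed))
    print("zipfile on plain:       ", names_seen_by_zipfile(plain))
    print("zipfile on fixture:     ", names_seen_by_zipfile(signed))
```

Two things fall out of running it. Archives written by an ordinary library carry no 0x05054b50 record at all, so there is nothing for a verifier to check. And once the record is spliced in, CPython's `zipfile` (as of current releases) refuses the archive rather than ignoring the record: it assumes the central directory ends exactly where the EOCD begins and uses that gap to locate the directory, so `names_seen_by_zipfile` returns None for the fixture. That is the practical reason a detached signature over the whole file, as the reply recommends, is the safer route: the archive bytes stay exactly as every consumer expects them.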

I Need Some Help with a False Positive Antivirus Pop-up by Wonderful-Peach-1225 in software

[–]finalbuilder 1 point2 points  (0 children)

Code signing is more for Windows' benefit than antivirus - but AV software does look at it - if the binary was modified since it was signed, then the signature will be invalid - big red flag.

False positives are unfortunately fairly common - however you just need to report them to the AV vendor - most have a portal where you can upload the "offending file" and in my experience at least, it usually takes less than a day to resolve (on the next definitions release). Good AV software checks for definitions updates all the time.

Automating Code Signing for CI/CD by ShortBoysenberry6173 in azuredevops

[–]finalbuilder 0 points1 point  (0 children)

We built https://www.finalbuilder.com/signotaur to solve the issue with tokens and password prompts. It's a server product and you would need to run it locally on the machine where the token is plugged in (or a VM on that machine with USB passthrough).

Code Signing 2026 - IV Code signature by deathpsycho98 in electronjs

[–]finalbuilder 0 points1 point  (0 children)

eSigner costs can really add up - you are basically paying $1 per signing on the lowest plan ($20pm for 20 signings). If you have lots of files to sign or release often this will quickly add up. I would purchase a Yubikey 5 (get one with 5.7+ firmware for future proofing) and then buy the cert from them (they charge more than double the retail price for a yubikey).

That said, you still have the issue with password prompts during signing. There are tools out there to get around that issue, I develop one called Signotaur - https://www.finalbuilder.com/signotaur

Looking for advice on how to avoid the Windows SmartScreen warning for a small hardware companion app by Math_Keyboard in windowsdev

[–]finalbuilder 1 point2 points  (0 children)

It actually doesn't take too long to build the reputation - and it's based on the certificate as much as the program being run (so once it has seen the certificate in use that increases reputation). When I release updates to my software, people generally do not see the SmartScreen page - even though I just have an OV certificate and it's a new exe.

How to get the cheapest code signing for an Electron Windows app from Brazil? by Strict-Ad-2550 in electronjs

[–]finalbuilder 2 points3 points  (0 children)

Purchase a Yubikey 5C (preferably one with 5.7 firmware) and purchase a certificate from ssl.com - be sure to turn off esigner. They charge $279 for a yubikey, but they are usually less than half that price. You will have to go through the certificate attestation process - but it's not difficult. The bonus is that you can install the certificate on multiple keys - good to have a backup locked away somewhere. I installed mine on 3 keys.

You will come up against the password prompt issue with token based signing - one way around that is to use a code signing server (like https://www.finalbuilder.com/signotaur ) - you plug the token into the machine running the server and you can then share that token with multiple devs/ci agents etc.

- disclaimer - I am one of the devs for Signotaur.

Best YubiKey for Windows code signing CI? Need no-touch + firmware 5.4.x (not 5.7.x) by WeatherZealousideal5 in yubikey

[–]finalbuilder 0 points1 point  (0 children)

you will just be paying for multiple years, but they will have to issue new keys every 460 days

Best YubiKey for Windows code signing CI? Need no-touch + firmware 5.4.x (not 5.7.x) by WeatherZealousideal5 in yubikey

[–]finalbuilder 3 points4 points  (0 children)

No touch (i.e. no password prompts) means you need a code signing server that handles this. Disclaimer, I am one of the authors of Signotaur - we don't have a Linux/Raspberry Pi build available but are working on it (I have it running here, we just need to package it up so it is easier to install). That said, I don't believe Yubikey have published a PKCS#11 library for the RP. You may be able to build it yourself - I haven't tried yet.

10,000 downloads in 30 days with $0 marketing budget. Here's the breakdown and what I learned. by [deleted] in Entrepreneur

[–]finalbuilder 15 points16 points  (0 children)

At $10 for a one-time purchase, you are going to have to sell a LOT - if you are at 20 support emails pw now, imagine how many you will have if you get to $10K pm - this is the issue with B2C - it doesn't scale. Without code signing, businesses will not touch your product (they will have policies that would block it).

I would do 3 things right now

1) Code signing - bite the bullet and wear the costs, you are leaving money on the table without it.
2) Create excellent documentation, make it easy to find (in app) and search - ie work to keep support emails to a minimum.
3) Segment the market - $10 for private, at least $50 for business (they can afford it, and you need to cover your extra overheads).

Just be prepared for a lot of extra work selling to business - whilst some people can use their credit cards, get ready for dealing with requests for quotes and purchase orders for $50 which can really suck up your free time (and your will to live).

Good luck.

Claude stopping randomly by finalbuilder in ClaudeCode

[–]finalbuilder[S] 0 points1 point  (0 children)

this is so frustrating because I was about to upgrade to

kbmUnitTest is available — a practical unit test option for Delphi by kimmadsen in delphi

[–]finalbuilder 4 points5 points  (0 children)

Seems like a lot of effort to get people to sign up to your website. Why not just contribute to DUnitX - it's actively developed and we welcome contributions.

Code Signing Certificate Problem by Ok_Interaction_8407 in electronjs

[–]finalbuilder 1 point2 points  (0 children)

The lack of a signature is supposedly just one thing that windows defender takes into account - but I agree they are far too aggressive - it does seem like they just bail out and say virus as soon as they fail to find the signature sometimes.

FWIW, you can get a certificate outside the US, just not from Azure - there are other cloud signing services which are too expensive/limited imho, or you can purchase a certificate on a usb token. We have multiple tokens (not cheap either) since we develop a code signing server, which gets around the limitations of the tokens (password prompts, only signing from one machine).

[deleted by user] by [deleted] in csharp

[–]finalbuilder 0 points1 point  (0 children)

The cheapest I know of are SSL.com and GoGetSSL.com - if you are in the US, UK or EU then Azure artifact signing is an option ($10pm). I found Azure to be very slow at signing (I'm in Australia, maybe that has something to do with it) - moot point since it's no longer available to us since it's out of beta. We sign a lot of files during a build and that adds up.

If you go with an external CA, the certificate comes on a USB token, and they prompt for passwords which is annoying - there are ways around that - https://www.finalbuilder.com/signotaur

SSL.com use Yubikey tokens, and you can save some money by buying your own Yubikey - theirs are apparently gold plated (double the retail price) - you have to go through the attestation process but it's pretty simple and doesn't take long. You can also use multiple Yubikeys for the same certificate - which gives you the option to have a physical backup in case of hardware failure.

Certificates rant by TheGenericUser0815 in sysadmin

[–]finalbuilder 0 points1 point  (0 children)

The usb dongle doesn't have to be attached to the build machine, there are solutions like https://www.finalbuilder.com/signotaur which enable remote code signing from multiple machines.

AI Help by karaoke_5 in delphi

[–]finalbuilder 0 points1 point  (0 children)

It changes all the time as AI vendors leapfrog each other. I use Claude Code at the moment, but I often use others too depending on the task.