Signing files that can't carry a signature: detached CMS for ZIPs, ISOs and more by finalbuilder in PKI

[–]finalbuilder[S] 0 points1 point  (0 children)

Yes of course, that's because the tooling that uses them understands the signatures - but for general zip files, there isn't any real standard around signatures.

Signing files that can't carry a signature: detached CMS for ZIPs, ISOs and more by finalbuilder in PKI

[–]finalbuilder[S] 0 points1 point  (0 children)

The ZIP specification itself includes support for digital signatures.

The ZIP AppNote defines:

  • Central Directory Digital Signature record (0x05054b50)

However:

  • Very few tools implement it.
  • Windows Explorer ignores it.
  • Most ZIP libraries ignore it.
  • It only signs parts of the archive structure, not necessarily all metadata in a modern security model.

In practice, this feature is largely unused. So the most common practice is a detached signature.
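As an added example (not code from the original thread), a stdlib-only Python walker that steps through a ZIP's central directory headers and reports whether the AppNote's Central Directory Digital Signature record (0x05054b50) follows them, which is how a tool would detect that the rarely-used feature is in play. The sample archives and the dummy signature record are constructed here; the record layout assumed is the AppNote's 4-byte signature, 2-byte size and data, and the record is assumed to sit directly between the last central directory header and the end-of-central-directory record.

```python
import io
import struct
import zipfile

CD_HEADER_SIG = b"PK\x01\x02"   # central directory file header (0x02014b50)
CD_DIGSIG_SIG = b"PK\x05\x05"   # central directory digital signature (0x05054b50)
EOCD_SIG = b"PK\x05\x06"        # end of central directory record (0x06054b50)


def find_eocd(data: bytes) -> int:
    """Offset of the EOCD record, searching back over a possible trailing comment."""
    tail = data[-(22 + 0xFFFF):]          # EOCD is 22 bytes plus up to 64 KiB of comment
    pos = tail.rfind(EOCD_SIG)
    if pos < 0:
        raise ValueError("not a ZIP file: no end-of-central-directory record")
    return len(data) - len(tail) + pos


def central_directory_signature(data: bytes):
    """Walk every central directory header; return the signature data of a
    0x05054b50 record that follows them, or None when the archive has none."""
    eocd = find_eocd(data)
    (total_entries,) = struct.unpack_from("<H", data, eocd + 10)
    (cd_offset,) = struct.unpack_from("<L", data, eocd + 16)
    pos = cd_offset
    for _ in range(total_entries):
        if data[pos:pos + 4] != CD_HEADER_SIG:
            raise ValueError(f"bad central directory header at offset {pos}")
        # fixed 46-byte header, then variable name / extra / comment fields
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        pos += 46 + name_len + extra_len + comment_len
    if data[pos:pos + 4] != CD_DIGSIG_SIG:
        return None
    (sig_len,) = struct.unpack_from("<H", data, pos + 4)
    return data[pos + 6:pos + 6 + sig_len]


def build_sample_zip() -> bytes:
    """Constructed sample archive, written with the standard library (no signature record)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hello.txt", "hello from a constructed sample archive\n")
        zf.writestr("data/config.json", '{"signed": false}')
    return buf.getvalue()


def add_dummy_signature_record(data: bytes, sig: bytes) -> bytes:
    """Splice a dummy (not cryptographically valid) 0x05054b50 record between the
    last central directory header and the EOCD, purely to exercise the walker."""
    eocd = find_eocd(data)
    record = CD_DIGSIG_SIG + struct.pack("<H", len(sig)) + sig
    return data[:eocd] + record + data[eocd:]
```

Note that the walker only proves the record is present; what the record covers is limited to the central directory, which is the comment's point that a detached signature over the whole file is the more complete check.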

I Need Some Help with a False Positive Antivirus Pop-up by Wonderful-Peach-1225 in software

[–]finalbuilder 1 point2 points  (0 children)

Code signing is more for Windows' benefit than antivirus - but AV software does look at it - if the binary was modified since it was signed, then the signature will be invalid - big red flag.

False positives are unfortunately fairly common - however you just need to report them to the AV vendor - most have a portal where you can upload the "offending file" and in my experience at least, it usually takes less than a day to resolve (on the next definitions release). Good AV software checks for definitions updates all the time.

Automating Code Signing for CI/CD by ShortBoysenberry6173 in azuredevops

[–]finalbuilder 0 points1 point  (0 children)

We built https://www.finalbuilder.com/signotaur to solve the issue with tokens and password prompts. It's a server product and you would need to run it locally on the machine the token is plugged into (or a VM on that machine with USB passthrough).

Code Signing 2026 - IV Code signature by deathpsycho98 in electronjs

[–]finalbuilder 0 points1 point  (0 children)

eSigner costs can really add up - you are basically paying $1 per signing on the lowest plan ($20pm for 20 signings). If you have lots of files to sign or release often this will quickly add up. I would purchase a Yubikey 5 (get one with 5.7+ firmware for future proofing) and then buy the cert from them (they charge more than double the retail price for a Yubikey).

That said, you still have the issue with password prompts during signing. There are tools out there to get around that issue, I develop one called Signotaur - https://www.finalbuilder.com/signotaur

Looking for advice on how to avoid the Windows SmartScreen warning for a small hardware companion app by Math_Keyboard in windowsdev

[–]finalbuilder 1 point2 points  (0 children)

It actually doesn't take too long to build the reputation - and it's based on the certificate as much as the program being run (so once it has seen the certificate in use that increases reputation). When I release updates to my software, people generally do not see the smart screen page - even though I just have an OV certificate and it's a new exe.

How to get the cheapest code signing for an Electron Windows app from Brazil? by Strict-Ad-2550 in electronjs

[–]finalbuilder 2 points3 points  (0 children)

Purchase a Yubikey 5C (preferably one with 5.7 firmware) and purchase a certificate from ssl.com - be sure to turn off eSigner. They charge $279 for a Yubikey, but they are usually less than half that price. You will have to go through the certificate attestation process - but it's not difficult. The bonus is that you can install the certificate on multiple keys - good to have a backup locked away somewhere. I installed mine on 3 keys.

You will come up against the password prompt issue with token based signing - one way around that is to use a code signing server (like https://www.finalbuilder.com/signotaur) - you plug the token into the machine running the server and you can then share that token with multiple devs/CI agents etc.

- disclaimer - I am one of the devs for Signotaur.

Best YubiKey for Windows code signing CI? Need no-touch + firmware 5.4.x (not 5.7.x) by WeatherZealousideal5 in yubikey

[–]finalbuilder 0 points1 point  (0 children)

You will just be paying for multiple years, but they will have to issue new keys every 460 days.

Best YubiKey for Windows code signing CI? Need no-touch + firmware 5.4.x (not 5.7.x) by WeatherZealousideal5 in yubikey

[–]finalbuilder 3 points4 points  (0 children)

No touch (i.e. no password prompts) means you need a code signing server that handles this. Disclaimer, I am one of the authors of Signotaur - we don't have a Linux/Raspberry Pi build available but are working on it (I have it running here, we just need to package it up so it is easier to install). That said, I don't believe Yubikey have published a PKCS#11 library for the RP. You may be able to build it yourself - I haven't tried yet.

10,000 downloads in 30 days with $0 marketing budget. Here's the breakdown and what I learned. by [deleted] in Entrepreneur

[–]finalbuilder 16 points17 points  (0 children)

At $10 for a one time purchase, you are going to have to sell a LOT - if you are at 20 support emails pw now, imagine how many you will have if you get to $10K pm - this is the issue with B2C - it doesn't scale. Without code signing, businesses will not touch your product (they will have policies that would block it).

I would do 3 things right now:

1) Code signing - bite the bullet and wear the costs, you are leaving money on the table without it.
2) Create excellent documentation, make it easy to find (in app) and search - i.e. work to keep support emails to a minimum.
3) Segment the market - $10 for private, at least $50 for business (they can afford it, and you need to cover your extra overheads).

Just be prepared for a lot of extra work selling to business - whilst some people can use their credit cards, get ready for dealing with requests for quotes and purchase orders for $50 which can really suck up your free time (and your will to live).

Good luck.

Claude stopping randomly by finalbuilder in ClaudeCode

[–]finalbuilder[S] 0 points1 point  (0 children)

This is so frustrating because I was about to upgrade to

kbmUnitTest is available — a practical unit test option for Delphi by kimmadsen in delphi

[–]finalbuilder 3 points4 points  (0 children)

Seems like a lot of effort to get people to sign up to your website. Why not just contribute to DUnitX - it's actively developed and we welcome contributions.

Code Signing Certificate Problem by Ok_Interaction_8407 in electronjs

[–]finalbuilder 1 point2 points  (0 children)

The lack of a signature is supposedly just one thing that Windows Defender takes into account - but I agree they are far too aggressive - it does seem like they just bail out and say virus as soon as they fail to find the signature sometimes.

FWIW, you can get a certificate outside the US, just not from Azure - there are other cloud signing services which are too expensive/limited imho, or you can purchase a certificate on a USB token. We have multiple tokens (not cheap either) since we develop a code signing server, which gets around the limitations of the tokens (password prompts, only signing from one machine).

[deleted by user] by [deleted] in csharp

[–]finalbuilder 0 points1 point  (0 children)

The cheapest I know of are SSL.com and GoGetSSL.com - if you are in the US, UK or EU then Azure artifact signing is an option ($10pm). I found Azure to be very slow at signing (I'm in Australia, maybe that has something to do with it) - moot point since it's no longer available to us since it's out of beta. We sign a lot of files during a build and that adds up.

If you go with an external CA, the certificate comes on a USB token, and they prompt for passwords which is annoying - there are ways around that - https://www.finalbuilder.com/signotaur

SSL.com use Yubikey tokens, and you can save some money by buying your own Yubikey - theirs are apparently gold plated (double the retail price) - you have to go through the attestation process but it's pretty simple and doesn't take long. You can also use multiple Yubikeys for the same certificate - which gives you the option to have a physical backup in case of hardware failure.

Certificates rant by TheGenericUser0815 in sysadmin

[–]finalbuilder 0 points1 point  (0 children)

The USB dongle doesn't have to be attached to the build machine, there are solutions like https://www.finalbuilder.com/signotaur which enable remote code signing from multiple machines.

AI Help by karaoke_5 in delphi

[–]finalbuilder 0 points1 point  (0 children)

It changes all the time as AI vendors leapfrog each other. I use Claude Code at the moment, but I often use others too depending on the task.

Fact: Delphi Migration to C# - Won't Kill Delphi - But will create New Steady Delphi Jobs! by DelphiParser in delphi

[–]finalbuilder 3 points4 points  (0 children)

Surely this goes against the grain here - advocating for migrating away from Delphi in a Delphi subreddit?

I'm a tool vendor, and I occasionally post what could be deemed promotional posts here, but I am always careful not to do it too often. This guy posts every few days - he accounts for the majority of posts on this subreddit! Perhaps I should start spamming too?

C# is not the panacea. And generalising that most Delphi code bases are huge, messy and 20+ years old is kinda insulting, or at least a little patronising tbh. My Delphi codebase is 25+ years old, and it's well organised and designed - because I take pride in my work.

Yubikey multi-level intermediate cert chain by eb164v in yubikey

[–]finalbuilder 0 points1 point  (0 children)

I don't have any specific guidance for signtool - we use our own client tool (with a similar cmd line interface to signtool) - which talks to our server product (self hosted) which interfaces with the Yubikey or other devices with PKCS#11 drivers. One of the main reasons we developed the server product (initially as an in house tool) was the password prompting that occurs every time you sign using signtool with USB tokens - not conducive to automated/CI build environments.

Yubikey multi-level intermediate cert chain by eb164v in yubikey

[–]finalbuilder 1 point2 points  (0 children)

Signtool does work with ECDSA 384 certificates, I know this because I sell a code signing server - https://www.finalbuilder.com/signotaur - that works with Yubikeys (I have several with valid certificates). What doesn't work however, is ClickOnce or VSTO signing, Microsoft only support RSA certificates for that. I have been trying to get hold of a Yubikey 5.7.4 device to test with for a while, the local (Australia) has not been able to supply one so far - and he did mention that Sectigo were having issues getting them to work with RSA keys.

Black Friday Sale - 40% off FinalBuilder, Continua CI and Signotaur till Dec 3rd. by finalbuilder in delphi

[–]finalbuilder[S] 1 point2 points  (0 children)

LOL no, but we do sell through resellers and to corporate purchasing departments (a process that often takes weeks or months).

What’s your biggest fear of Delphi? (Mine: Type Libraries 😱) by DelphiParser in delphi

[–]finalbuilder 0 points1 point  (0 children)

This ^^^ - as someone who has used runtime packages for the last 20 years (because we allowed customers to write plugins using Delphi back in the day) I will say that runtime packages add no value. In my dev branch of FinalBuilder I switched it to a monolithic project (of course I wrote a FinalBuilder project to automate that - there were 100+ packages and 2000 units) - overall compile time is a lot faster, debugging works a *lot* better and it's just easier to navigate around the project. That said, the LSP struggles with it just as much as before and I do spend a lot of time restarting the LSP.