[Lazarus] Can Lazarus/FPC sign the created executables (Windows)?
Michael Van Canneyt
michael at freepascal.org
Tue Sep 24 13:09:14 CEST 2024
On Tue, 24 Sep 2024, Martin Frb via lazarus wrote:
> On 24/09/2024 12:15, Bo Berglund via lazarus wrote:
>> OK, thanks.
>>
>> I downloaded the Windows SDK installer and when I ran it I got to a
>> selection
>> page where I could select to ONLY install the signing tool.
>>
>> The InnoSetup6 install builder does have support for signing so I will go
>> there
>> for further research.
>
> Well, do you have a certificate?
>
> This is the command I use
> signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd sha256
> /a C:\path\to\target.exe
> The params are explained on
> https://learn.microsoft.com/en-us/dotnet/framework/tools/signtool-exe
>
> The /tr .... /td... is optional, but recommended. And there is a list of
> time servers that can be used
>
> If you have more than one certificate (added to the windows certificate
> store), then you may need to add something to select the one you want....
>
>
> Usually, if you buy a cert, you get a piece of hardware (e.g. usb dongle)
> and instructions which extra software to use to add the cert from that
> hardware to the cert store. (and it will only work while the dongle is
> plugged in).
>
> If you want to use a self issued cert, you need to find a tutorial on that =>
> but windows will not trust self signed certs... (Well the user may or may not
> be able to add your cert to their trusted cert list, but I have no idea ...)
It's maybe an idea to add a small wizard for this to the IDE,
for beginners this would be easier.
Michael.
More information about the lazarus
mailing list