ISVCon 2012 – One of the best things since the Internet for software businesses

ISVCon is happening this year from July 13th through the 15th at the Atlantis Casino Resort in Reno Nevada. ISVCon is a reboot of the 20+ year running Software Industry Conference (SIC), and was recently taken over by the non-profit Association of Software Professionals. It’s a conference for software people, by software people, and I’ve been attending since 2003. If I can help it, I’ll never miss one! It’s a fantastic conference and I always come away from it with new friends, business ideas and a ton of swag.

Whether you’re a conference-going veteran or have never attended one in your life, this one is one you shouldn’t miss. I’ll be there doing several sessions on code signing and one on software protection techniques and there are other sessions on everything from game development to search engine optimization and online marketing. It’s a big gathering but the attendees are always friendly and welcoming and I guarantee you won’t regret going!

Check out http://www.isvcon.org for registration information and use the coupon code KSoftware2012 to knock 10% off of the registration fee. If anyone has any questions, concerns or doubts about attending please drop me a line so I can convince you to go!

Java Code Signing with our Code Signing Certificates

The Comodo certificates we sell will work for ALL platforms, not just Windows. If you need to digitally sign a .JAR file, here are some instructions.

Comodo has some instructions up on their site in this PDF file, but at least one customer had some trouble with those instructions. If those don’t work for you, try this :

You need to have the Java runtime and Developer Kit installed.

To convert the .PFX/.p12 file into a Java keystore (.jks) file you’ll need a conversion utility. The Jetty open source web server contains a handy tool to do just that :

1. Go to http://dist.codehaus.org/jetty/ and go into the latest jetty- directory (not jetty-hightide!). Currently that is jetty-6.1.26.
2. Download jetty-.zip
3. Open the ZIP file and extract the file: jetty-/lib/jetty-.jar
4. Open a command shell and run:
java -classpath jetty-.jar org.mortbay.jetty.security.PKCS12Import .pfx .jks
Add paths where applicable, surrounding them by quotes where necessary, etc..
It will prompt you for the password.
5. Run:
keytool -list -keystore .jks -v | more
and take a note of the “Alias name” near the top of the output

Now you’re ready to sign your JAR file. For instructions, see http://docs.oracle.com/javase/tutorial/deployment/jar/signing.html

Note: you might want to use the -sigfile option to name the signature files something prettier than the “alias name”. Only the first 8 characters are used.

A big Thank You to Yvon Rozijn from YPR Software for taking the time to share these instructions. You can pick up a copy of their addictive tile Rummy game from http://www.rummigame.com/en/index.php.

How To Automate Code Signing with InnoSetup (and kSign)

InnoSetup is probably the most used setup creation utility out there and it includes support for digital signatures and code signing. Unfortunately it can be a bit hard to configure. Here are some quick instructions for getting code signing up and running using kSign, K Software’s free code signing utility. kSign is free, you can download it here (feel free to pick up a digital certificate while you’re at it!).

These instructions have been tested with InnoSetup version 5.4.2(a).

Open the InnoSetup IDE

Click Tools -> Configure Sign Tools

Click the Add button

For [Name of the Sign Tool] put kSign

Click OK

For [Command of the Sign Tool] put

"C:\PATH_TO_KSIGN\kSign\kSignCMD.exe" /f "C:\FULL_PATH\YourCert.pfx" /p YOUR_PFX_PASSWORD $p

ONLY INCLUDE THE QUOTES IF THE PATH(s) CONTAINS SPACES!

PFX Password only applies if you password protected your PFX file. Leave out the /p all together if you didn’t. Note that for 32-bit Windows users the PATH_TO_KSIGN will be C:\Program Files (x86)\kSign\ and for 64-bit Windows users the PATH_TO_KSIGN will be C:\Program Files\kSign\ – you always need quotes around any path that contains spaces.

Click OK, then OK again.

Now open your setup .iss script file and somewhere in the [Setup] section, put : SignTool=kSign /d $qYOUR_DESCRIPTION$q /du $qhttp://www.example.com$q $f

Replace YOUR_DESCRIPTION and www.example.com with your own values. Save script, viola!

Feel free to post comments or questions. Email support@ksoftware.net if you have any trouble and we’ll help you out.

 

Using kSign – The Free Code Signing Utility

We just released kSign – a free code signing utility. kSign does not require signcode.exe, signtool.exe or any SDK from Microsoft. It comes with everything you need in one ~3MB download.

Using kSign couldn’t be easier. Select your PFX file, set the PFX password if you protected your private key, set the description text and URL (optional), then click SIGN. You can do one file, or 1000 (yes, really, we tested it!). All settings save in between sessions and your last file list loads automatically. Best of all – kSign is FREE! Click here to download kSign.

The installer comes with a GUI program and a command-line program for those that need batch file support.

kSign, code signing utility screenshot

kSign Screenshot (the GUI version)

For the command-line lovers :

Command Line Code Signing Utility

kSign Screenshot (command-line version)

Sell More Software with a Code Signing Certificate

It’s a difficult time to be selling software. Today’s economy has made a lot of buyers afraid to spend money. And many end-users are afraid that buying software online will result in their getting Internet malware on their computer.

Making things worse is Microsoft’s Internet Explorer security warning each time a Vista or Windows 7 user starts to download software from the web – “The publisher could not be verified. Are you sure you want to run this software?”

You can sell more software if you eliminate this frightening message. All it takes is an Authenticode code signing certificate.

If you sign your downloads, your prospect will still see the “Are you sure you want to run this software?” part of the warning message. But they won’t see the “publisher could not be verified.” portion.

And, with a single click, end-users can view your certificate and feel comfortable that they’re downloading exactly what they expected to download. The code signing certificate ensures that the downloaded file has not been tampered with after the original publisher created it.

With a code signing certificate installed, software developers can sign EXE, CAB, DLL, COM, OCX, JAR, VBA, Mozilla object files, Silverlight files, Active X controls, and MacOS 9+ files.

Code signing is an effective way to increase software sales by minimizing the risk associated with downloading files from the Internet.

To learn more about buying an affordable Code Signing certificate from K Software, visit http://codesigning.ksoftware.net/

Exporting your Code Signing Certificate to a PFX File (From FireFox)

** IMPORTANT NOTE : You can only export your certificate *AFTER* Comodo (or whomever you purchased it from)  issues it.

So you’ve purchased a code signing certificate from our store? Great! If you used FireFox to place the order then you’ll now need to export your certificate from the certificate store into a PFX file that you can use with the utilities that perform the code signing. This blog post will walk you through doing that.

If you ordered using Internet Explorer, click here to go to the post about exporting with IE.

To export a stored code signing certificate from FireFox to a PFX file follow these steps :

There are two ways to open the FireFox “Options” Window. The first is to just click the Tools menu. If you don’t see the Tools menu, you might need to do this  :

FireFox Alternate Options Location

The new default location of FireFox Options (for those that don't have a "tools" menu)

If you have the Tools menu at the top of the FireFox window, click it, then Options, then the Advanced Button (far right, top), Encryption tab, then the View Certificates button  :

Firefox Code Signing Export - Step 1

Firefox Code Signing Export - Step 1

 Click the Your Certificates tab at the top, then Select YOUR company name (where you see K Software in the screenshot), click Backup :

Firefox Code Signing Export - Step 2

Firefox Code Signing Export - Step 2 ** Depending on when you ordered, you might see "Comodo Code Signing CA 2" instead of "COMODO CA Limited"

FireFox requires a password for the PFX file.

Type in any password you like but REMEMBER WHAT YOU ENTER!

Firefox Code Signing Export - Step 3

Firefox Code Signing Export - Step 3

Click OK and that’s it! FireFox will ask you where you want to save the PFX file – save it anywhere. The file is portable and can now be copied to any computer.

Additional Note : FireFox might save the file with a .p12 extension – that’s OK! Just rename the file to .pfx and you can use it with any of the code signing tools.



Exporting your Code Signing Certificate to a PFX File (From Internet Explorer)

** IMPORTANT NOTE : You can only export your certificate *AFTER* Comodo (or whomever you purchased it from)  issues it.

So you’ve purchased a code signing certificate from our store? Great! If you used a new(er) version of Internet Explorer then you’ll now need to export your certificate from the certificate store into a PFX file that you can use with the utilities that perform the code signing. This blog post will walk you through doing that.

Though these screen shots are from Windows XP the process is the same on Windows Vista and Windows 7.

To export a stored code signing certificate to a PFX file follow these steps :

Open Control Panel, click Internet Options.

Step 1

Step 1

Click the Content tab. Click the Certificates button.

Export To PFX Step 2

Step 2

Select the Personal tab, then click the certificate you would like to export.

Comodo certificates will be “Issued By” UTN-USERFirst-Object like in the above screen shot or, starting in 2011, by “COMODO Code Signing CA”.

Step 3

Step 3

Click the Next button

Step 4

Step 4

Click the option “Yes, export the private key”. Click the Next button.

Step 5

Step 5

Select the option Personal Information Exchange. Check the first two boxes and optionally the third box. Click the Next button.

** Windows Vista / Windows 7 Users : You may not have the “Enable Strong Encryption” option – that is OK! Check the “Export all extended properties” option.

Step 6

Step 6

Optionally password protect the private key. Click the Next button.

While password protecting the key does provide a great deal of security (only those with the password can code sign), you MUST remember the password – it cannot be recovered.

The only thing left to do after step 6 is to choose where to save the PFX file and click Finish!

What is Authenticode (Code Signing)?

Authenticode™ is a technology developed by Microsoft that, according to them :

While not guaranteeing bug-free code, Authenticode identifies the publisher of signed software and verifies that it hasn’t been tampered with, before users download software to their PCs - technet.microsoft.com/en-us/library/cc750035.aspx

Authenticode is commonly referred to as Code Signing because a “digital signature” is attached to .EXE and other files that is used to determine if the file has been modified since being “signed” by the publisher.

The way most users have run across Authenticode is likely by downloading a piece of software and seeing a rather nasty “Unknown Publisher” warning from the web browser (or Windows). Does this look familiar to anyone?

Example of an unknown publisher warning in Internet Explorer

That is an example of an Unknown Publisher download warning in Windows Vista.

Now an example of the same warning, but for a file that has been digitally signed (by K Software) :

An example of a known publisher - valid code signing certificate used

If you click on the linked K Software text you can see the details of the certificate :

Example of a certificate details page

Note the “This Digital Signature is OK” message. If you don’t see that on the certificate details page then you should not run it as the file has been modified since the publisher signed it (it could have a virus or contain some other sort of malware).

What Authenticode is Not

Authenticode (Code Signing) is not a guarantee that the software that has been digitally signed is bug free or even virus/malware free. All a digital signature says is “this file has not been modified since it was signed by the publisher”. Having said that it is worth noting that obtaining a code signing certificate is not free and that companies or individuals that apply for a code signing certificate do have to pay a fee and do have to prove their identity to the company that issues the certificate.

Comodo Code Signing Certificate Partner

K Software is an authorized Comodo reseller and offers Comodo Code Signing Certificates at a significant discount. Read more.