After building a project group of 2 projects with Delphi (2009) I digitally sign the 2 exes using InstallAware Code signing, an exe that shipped with Delphi 2009.

How is it possible to automate the digital signature, so that when I build I can also attach the digital signature?

For digital signing I use a pvk (private key) file and an spc (Sw publisher certificate) file.

Subquestion: Moreover I created a project group because I have 2 exes, but they are almost the same, the only thing that changes is the Application icon and the application name (one is ProductOne.dpr, the other is ProductTwo.dpr).

In practice I have 2 brands of the same product, I have a single build but activation keys details activate one or the other, anyway now I was asked to change the icon and the filename, and for this I need to build 2 projects, activation key is not enough anymore to distinguish between the 2. Anyway if there is a way to do this from a single project it would be better.

+5  A: 

For the first part:
We code sign our executables using a FinalBuilder script action but the same can be achieved with the command line:

signtool sign /f cert-file.pfx /p pwd /d "MyApp description" /du "http://www.your-url-here.com/" /t "http://timestamp.globalsign.com/timstamp.dll" MyApp.exe

signtool comes from the MS Windows SDK and can also work with certificates from the local machine certificate store. See the linked doc page for the slight changes required for the different forms of certificate.
I would guess this can be put in the post-build events of your project. It will then get run each time you do a full build.

Don't know about the second bit of the question - though I guess I would tend to use a third party tool like FinalBuilder (again) to manage the swapping of icons/resources etc and to do the actual build.

shunty
Thanks, very informative question. For the second part, for now I can use a project group with post-build events, while if more products are added in the future I will consider FinalBuilder. Is there a way to download signtool.exe only instead of the very huge SDK?
Don't think it is available separately. But the SDK is available as a 'web setup' option which lets you pick and choose and, hence, download slightly less than the whole kit.
shunty
+2  A: 

I would use Visual Build Pro from Kinook (they're a SO advertiser, I think) to automate the compiling and signing. It can sign directly, no need for SignTool.

Part2 sounds like a good job for ResHacker, which can be used to replace resources within an app. That would have to be done before signing.

Chris Thornton
+1  A: 

For signing my exe's I'm using "signtool" and you've already got the command line to sign your exe from shunty.

For changing the exe's icon I'm using "ResHacker.exe": It's a small freeware application that can be automated from the command line, so it may be used with any build automation software. Here's a sample command line:

"C:\Path\ResHacker.exe" -modify "D:\PathToExe\ExeName.exe", "D:\PathToExe\ExeName.exe", "C:\PathToIco\IcoName.ico", ICONGROUP, MAINICON,

Don't omit any of the commas!

It works absolutely fine. For automation I'm using FinalBuilder, and I'm generating 4 (four) versions of one application from one script, re-building every time so I can use different compiler directives, then I'm changing the icon to suit the version, signing everything, building setups, signing the setups, archiving the setups and finally uploading my setups to my "beta" web site (not our official web site, another web site that only some people know about).

Cosmin Prund
Yes, sounds useful. Currently I do all this manually, including FTP. I'll give FinalBuilder a try in the future, but in the meantime signtool + ResHacker are exactly what I need. Thanks, really.
Cosmin Prund
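
The two steps from the answers above (ResHacker icon swap, then signtool) combined into one post-build script, in the order the second answer requires. This is an added example, not code from any of the posters. It assumes the signing certificate has been imported into the current user's certificate store (the store option mentioned in the first answer) under a placeholder subject name; the paths, the product list and the `/fd SHA256` switch are likewise assumptions.

```powershell
# Added example: post-build step. Paths, subject name and product list are placeholders.
$ErrorActionPreference = 'Stop'

$ResHacker = 'C:\Path\ResHacker.exe'
$SignTool  = 'signtool.exe'            # Windows SDK tool, assumed to be on PATH
$Subject   = 'Example Publisher Ltd'   # hypothetical subject name of the signing certificate
$Timestamp = 'http://timestamp.globalsign.com/timstamp.dll'   # URL as quoted in the answer above

$Products = @(
    @{ Exe = 'D:\PathToExe\ProductOne.exe'; Ico = 'C:\PathToIco\ProductOne.ico' },
    @{ Exe = 'D:\PathToExe\ProductTwo.exe'; Ico = 'C:\PathToIco\ProductTwo.ico' }
)

function Invoke-SignTool {
    param([string[]]$Arguments)
    & $SignTool @Arguments
    if ($LASTEXITCODE -ne 0) { throw "signtool $($Arguments[0]) failed with exit code $LASTEXITCODE" }
}

foreach ($p in $Products) {
    # 1. Swap the icon BEFORE signing: any change to the file afterwards breaks the signature.
    $before = (Get-FileHash -Path $p.Exe -Algorithm SHA256).Hash
    $rhArgs = '-modify "{0}", "{0}", "{1}", ICONGROUP, MAINICON,' -f $p.Exe, $p.Ico
    Start-Process -FilePath $ResHacker -ArgumentList $rhArgs -Wait   # GUI app, so wait explicitly
    if ((Get-FileHash -Path $p.Exe -Algorithm SHA256).Hash -eq $before) {
        throw "Icon was not replaced in $($p.Exe); refusing to sign an unbranded build"
    }

    # 2. Sign with a certificate from the user's store, so no password appears on the command line.
    #    /fd SHA256 is an addition here; drop it on SDK versions that predate the switch.
    Invoke-SignTool @('sign', '/n', $Subject, '/fd', 'SHA256', '/t', $Timestamp, $p.Exe)

    # 3. Verify against the default Authenticode policy; a failure here fails the build.
    Invoke-SignTool @('verify', '/pa', $p.Exe)

    # 4. Independent check: the signature must be valid and carry a timestamp,
    #    otherwise it stops validating once the certificate expires.
    $sig = Get-AuthenticodeSignature -FilePath $p.Exe
    if ($sig.Status -ne 'Valid') { throw "$($p.Exe): signature status is $($sig.Status)" }
    if (-not $sig.TimeStamperCertificate) { throw "$($p.Exe): signature has no timestamp" }
    Write-Host "Signed and verified: $($p.Exe) ($($sig.SignerCertificate.Thumbprint))"
}
```

Step 4 reports `Valid` only when the build machine trusts the certificate chain, so a self-signed test certificate will stop the script at that point.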