How to automize multiple projects build process by including digital signature of exe in Delphi?

Question

After building a project group of 2 projects with Delphi (2009) I digitally sign the 2 exes using InstallAware Code signing, an exe that shipped with Delphi 2009.

How is it possible to automize the digital signature, so when I build I can also attach digital signature.

For digital signing I use a pvk (private key) file and an spc (Sw publisher certificate) file.

Subquestion: Moreover I created a project group because I have 2 exes, but they are almost the same, the only thing that changes is the Application icon and the application name (one is ProductOne.dpr, the other is ProductTwo.dpr).

In practice I have 2 brands of the same product, I have a single build but activation keys details activate one or the other, anyway now I was asked to change the icon and the filename, and for this I need to build 2 projects, activation key is not enough anymore to distinguish between the 2. Anyway if there is a way to do this from a single project it would be better.

Answer 1

For the first part:
We code sign our executables using a FinalBuilder script action but the same can be achieved with the command line:

signtool sign /f cert-file.pfx /p pwd /d "MyApp description" /du "http://www.your-url-here.com/" /t "http://timestamp.globalsign.com/timstamp.dll" MyApp.exe

signtool comes from the MS Windows SDK and can also work with certificates from the local machine certificate store. See the linked doc page for the slight changes required for the different forms of certificate.
I would guess this can be put in the post-build events of your project. It will then get run each time you do a full build.

Don't know about the second bit of the question - though I guess I would tend to use a third party tool like FinalBuilder (again) to manage the swapping of icons/resources etc and to do the actual build.

Answer 2

I would use Visual Build Pro from Kinook (they're a SO advertiser, I think) to automate the compiling and signing. It can sign directly, no need for SignTool.

Part2 sounds like a good job for ResHacker, which can be used to replace resources within an app. That would have to be done before signing.

Answer 3

For signing my exe's I'm using "signtool" and you've already got the command line to sign your exe from shunty.

For changing the exe's icon I'm using "ResHacker.exe": It's a small freeware application that can be automated from the command line, so it may be used with any build automation software. Here's a sample command line:

"C:\Path\ResHacker.exe" -modify "D:\PathToExe\ExeName.exe", "D:\PathToExe\ExeName.exe", "C:\PathToIco\IcoName.ico", ICONGROUP, MAINICON,

Don't ommit any of the commas!

It works absolutely fine. For automation I'm using FinalBUilder, and I'm generating 4 (four) versions of one application from one script, re-building every time so I can use different compiler directives, then I'm changing the icon to suite the version, signing everything, building setups, signing the setups, archiving the setups and finally uploading my setups to my "beta" web site (not our official web-site, an other web site that only some people know about)