Sunday, January 28, 2018

Comodo Code Signing Certificate

From application and verification to installation and signing

Date: January 2018
Operating system: Windows 10 (64-bit)
Browser: Firefox Quantum 57.0.4 (64-bit)
Development software: Microsoft Visual Studio 2017
Setup software: IndigoRose Setup Factory 9.5

Intro

If you have ever distributed software on the Internet, you have probably seen the security messages that Microsoft shows when someone downloads your software. In addition, it is of course good practice to provide your software with a digital certificate so the user knows that he or she is dealing with a legitimate party and that the software is safe to use. A Code Signing Certificate can take care of all this. However, requesting such a certificate can be a long and frustrating process. And once you finally have the certificate, it can be quite a task to sign your software with it. That is why I wrote this article with all the steps I have taken from start to finish. Hopefully it can help you through the certification process and the signing of your software.

First the how and why: 
  • I have applied for the certificate as a private person 
  • I want to use the certificate to sign a Visual Studio application 
  • I want to use the certificate to sign the setup


Order the certificate

I ordered my Comodo Code Signing certificate at SSLPoint because of the price. SSLPoint forwards the order to Comodo. Be aware that you have to submit the order on the same computer and with the same browser that you will use to retrieve the certificate later on in the process. Pay attention! Chrome and Microsoft Edge do not work. I use Firefox.

Comodo wants to verify your identity before the certificate is issued. As of 2017, they also do this for a renewal. Your identity must be verified by means of a face to face verification at a notary. Comodo sends you an e-mail with a link with which you can download the necessary documents. You must bring the following to the notary:

  1. The Comodo form you just downloaded, with instructions for the notary. The third page must be completed and signed by you and the notary.
  2. A valid identity card (ID card, driver's license or passport). Take your original ID and no copy. The notary makes copies.
  3. Bring one of the following financial documents:
    • a credit card (what I did)
    • a bank card if there is a validity date on it
    • a mortgage statement no older than 6 months
    • a bank statement no older than 6 months
  4. Bring one of the following documents:
    • a bill of a fixed telephone line (mobile is not permitted)
    • a gas, water or electricity bill, provided it is addressed to a fixed address
    • a rental agreement no older than 6 months
    • an official copy of your birth certificate
    • a bill with municipal taxes of the past year
    • an official copy of a court order
TIP 1: Always bring original documents. Documents must be dated and contain addresses of you and the sender.

TIP 2: Ensure that the notary provides all documents with a signature. I have personally experienced that I had to go back if this does not happen.

TIP 3: If you have a bill for a land line, take it with you to the notary because Comodo wants to verify your telephone number later on in the process by means of a land line bill! If someone has gone through this process without a land line, I would like to hear how that went.

Verifying my identity at the notary was free in my case. I can imagine that this is not the case with all notaries. If all forms have been completed and signed by the notary, you have to scan them and send them back to Comodo. Comodo also wants to make sure that they are dealing with a legitimate notary. It is therefore advisable to include a link in your e-mail from a notary's register with the link to the notary you went to. In the Netherlands you can use https://www.knb.nl/home.

The final step in the verification process (in my case) was a callback. You will receive an e-mail with a link you need to click. At that moment you will be called at the telephone number given by you. You will receive a PIN code which you then have to fill in on the relevant web page.

I would like to hear experiences from people about how the verification process works if you do not have a land line.

Collecting the certificate

When Comodo has verified your identity, you will receive an e-mail stating that you can collect the certificate. You must click on a link to retrieve the certificate.

Attention! The e-mail states that you can do this with Chrome. At the time of this writing Chrome does not work! (Chrome Version 63.0.3239.132 Official build 64-bit). Microsoft Edge does not work either. Best option seems to be Firefox which I used. It also appears to be important that you retrieve the certificate with the same computer you used to apply for the certificate. No worries: once you have received the certificate you can use it on multiple computers.

Once the certificate has been collected and installed, you can check in Firefox if the installation is successful. Go to: Options, Privacy & Security and click the View Certificates button. Your certificate must be visible in the first tab (Your certificates).

It is advisable to create an account at https://www.comodo.com/login/comodo-members.php. In this environment you will see your certificate and you have the option to download it or to replace the already issued certificate if something has gone wrong during the collection of the certificate or if you have forgotten the password of the certificate.

Exporting the certificate

The certificate has been installed but now you want to sign software with it. To be able to sign software you first need to export the certificate. Go to Firefox (or the browser you use) and go to: Options, Privacy & Security and click the View Certificates button.

Select the certificate and click the Create backup button. Choose a location and a name. Save the certificate with the extension .p12. The p12 type is equal to pfx. So if necessary you can simply rename the certificate to a pfx extension. A password will be requested when saving. Give a password and make sure you do not forget it! You can export the certificate as many times as you like, as long as you have the computer and operating system on which the certificate was originally installed.

Sign your own software

There are several ways to sign the software you developed with Microsoft Visual Studio. The most logical choice is to do this within Visual Studio at the properties of your project and the signing tab. You will probably get the following error message when building: "Can not import the following key file: certificate.pfx. The key file may be password protected. To correct this, try to import the certificate again." There are various articles on the internet to solve this problem. Most articles focus on the sn command with which a certificate can be installed.

In the end, only one way worked for me, and that is to include a post build event at the project properties and build events. Here I use the signtool.exe from Visual Studio. You can find the signtool (with Visual Studio 2017) at the following location: "C:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x64\signtool.exe". If the tool is not there, you have to install it by starting the Visual Studio Installer. Go to 'Individual Components' and select 'Windows 10 SDK (10.0.15063.0) for UWP: C#, VB, JS'.

The big advantage of this method is that you can sign the application twice. Once for SHA-1 (pre Windows 7 systems) and once for SHA-256. If the signtool.exe is installed, enter the following at the post-build events in Visual Studio.


SHA-1 signing

    "C:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x64\signtool.exe" sign /f "C:\Projects\YourProjectMap\YourCertificate.pfx" /p YourCertificatePassword /t http://timestamp.comodoca.com/authenticode "$(TargetPath)"

SHA-256 signing

    "C:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x64\signtool.exe" sign /f "C:\Projects\YourProjectMap\YourCertificate.pfx" /p YourCertificatePassword /fd sha256 /tr http://timestamp.comodoca.com/authenticode /td sha256 /as "$(TargetPath)"

If you now build your project, the application will be signed twice with your certificate. Finally! :)
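The post-build commands above store the PFX password in the project file and do not check the result. The following PowerShell script is an added example, not the author's code: it runs the same two signing steps, reads the password from an environment variable, and fails the build unless both signatures verify. The variable name CODESIGN_PFX_PASSWORD and the script name Sign-And-Verify.ps1 are assumptions made for this example.

```powershell
# Added example (not the author's script): dual-sign a build output, then verify it.
param(
    [Parameter(Mandatory)] [string] $TargetPath,
    [string] $SignTool = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x64\signtool.exe',
    [string] $PfxPath = 'C:\Projects\YourProjectMap\YourCertificate.pfx',
    [string] $TimestampUrl = 'http://timestamp.comodoca.com/authenticode'
)
$ErrorActionPreference = 'Stop'

# Assumption: the PFX password comes from an environment variable whose name
# (CODESIGN_PFX_PASSWORD) was chosen for this example, so it is not written
# into the project file or committed to source control.
$password = $env:CODESIGN_PFX_PASSWORD
if (-not $password) { throw 'CODESIGN_PFX_PASSWORD is not set.' }

function Invoke-SignTool([string[]] $Arguments) {
    & $SignTool @Arguments
    # signtool returns 0 on success, 1 on failure and 2 on warnings;
    # anything other than 0 stops the build here.
    if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }
}

# 1. SHA-1 signature with an Authenticode timestamp (same options as the article).
Invoke-SignTool @('sign', '/f', $PfxPath, '/p', $password, '/t', $TimestampUrl, $TargetPath)

# 2. Appended SHA-256 signature with an RFC 3161 timestamp (same options as the article).
Invoke-SignTool @('sign', '/f', $PfxPath, '/p', $password, '/fd', 'sha256',
                  '/tr', $TimestampUrl, '/td', 'sha256', '/as', $TargetPath)

# 3. Verify the file against the default Authenticode policy (/pa).
#    /all checks every signature in the file, /tw warns on a missing timestamp.
Invoke-SignTool @('verify', '/pa', '/all', '/tw', $TargetPath)

# 4. Cross-check with the built-in cmdlet: the status must be Valid and a
#    timestamp certificate must be present, so the signature stays valid
#    after the signing certificate expires.
$sig = Get-AuthenticodeSignature -FilePath $TargetPath
if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status): $($sig.StatusMessage)" }
if (-not $sig.TimeStamperCertificate) { throw 'Signature carries no timestamp.' }

'{0} signed by {1}, certificate valid until {2:yyyy-MM-dd}' -f $TargetPath,
    $sig.SignerCertificate.Subject, $sig.SignerCertificate.NotAfter
```

Called from the post-build event as powershell -NoProfile -File "$(ProjectDir)Sign-And-Verify.ps1" -TargetPath "$(TargetPath)", it replaces the two signtool lines; a non-zero exit code from the script makes the build fail.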

Sign your setup program

If you make your program available for download on the internet, you will experience security notifications unless you sign the setup.exe with a certificate. Signing the setup.exe can be done with the same certificate. Below is a description of signing the setup.exe with Setup Factory 9.5 from Indigo Rose. Open your setup project in Setup Factory and choose Publish -> Settings in the menu. Go to the Code Signing tab. It is possible to provide the setup.exe with a certificate for both pre-Windows 7 systems (SHA-1) and for systems with Windows 7 and later (SHA-256).

Check the boxes at 'Code sign setups', 'Sign with SHA-256' and 'Sign with SHA-1'. As with Visual Studio, Setup Factory also needs the signtool.exe. Enter it at 'SignTool location'. Select your Code Signing certificate with 'SHA-256 certificate' and enter the password in the next field. In the timestamp field type the following: http://timestamp.comodoca.com/authenticode. Finally, select the option 'Use SHA-256 certificate'. Your setup will now be neatly signed.


I hope this article was helpful. Good luck with signing!

Monday, October 7, 2013

Assembly must be strong signed in order to be marked as a prerequisite

Today the following error occurred when I tried to build my solution:

Assembly 'Mydll.dll' must be strong signed in order to be marked as a prerequisite. Strange, because I have been working on this solution for months already and never had any problems building it.

Of course I tried the standard solutions in order to solve the error, like:
- rebuild the entire solution
- clean the solution and rebuild
- remove mydll.dll from the references and reference it again
- check if I was pointing to the right path and the right version of the dll

None of the above made the error go away. Then I realized I was using Mydll.dll also in Another.dll, which was referenced in the solution. As it turned out, Another.dll was pointing to a different version of Mydll.dll. You can guess the rest: after referencing the right Mydll.dll in Another.dll, building it and referencing the new Another.dll in my solution, the problem was gone.

I hope this helps solving this error for you too.

Regards,
Jacob

Friday, May 24, 2013

Word-VBA-Error 5096: "PHABETI"

I had been working for a while on an application built in Word 2007 using VSTO (Visual Studio Tools for Office). With this application users can create letters in just a few mouse clicks, with the data retrieved from the back office.

One day, when saving a document, the error message Word-VBA-Error 5096: "PHABETI" appeared. This error was generated by the command WordApp.SaveAs. In our situation the error was caused by a change in the house style in which fonts had been changed. The user had adapted the template to the new house style.

After some research I found that the message occurs when fonts in the default template normal.dot deviate from the fonts in a document template. Once the new fonts were also included in the default template, the error was gone. You can do this at any time by calling the font dialog box (see screenshot 1).

screenshot 1

Then set the right font and font size and click the 'Default' button (screenshot 2).

screenshot 2


Thursday, February 28, 2013

Take a screenshot in VB.NET

During the development of a project I wanted to be able to have the program automatically take a screenshot of what the user has on the screen at that moment. In my case I wanted to use this for keeping a log, so that a screenshot is saved in the log when the user gets an error message.

After some googling this turned out to be surprisingly simple. See the code below and make the most of it. Good luck!

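    Imports System.Drawing
    Imports System.Windows.Forms

    ' Place this function inside a class of your project.
    Public Shared Function MakeScreenShot() As Bitmap
        Try
            ' Size of the screen that contains the point (0, 0)
            Dim iScreenWidth As Integer = Screen.GetBounds(New Point(0, 0)).Width
            Dim iScreenHeight As Integer = Screen.GetBounds(New Point(0, 0)).Height
            Dim bmpScreenshot As New Bitmap(iScreenWidth, iScreenHeight)
            ' Copy the screen contents into the bitmap and release the Graphics object afterwards
            Using gfx As Graphics = Graphics.FromImage(bmpScreenshot)
                gfx.CopyFromScreen(0, 0, 0, 0, New Size(iScreenWidth, iScreenHeight))
            End Using
            Return bmpScreenshot
        Catch ex As Exception
            ' Return Nothing when the screen could not be captured
            Return Nothing
        End Try
    End Function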

Tuesday, February 26, 2013

Welcome!

Hello and a warm welcome to my new blog!

I started this blog because until now I have never really shared my knowledge and experience on the internet. As is probably the case for most people, I look up a lot of information on the internet, but I did not post any information back. From today I will do my best to change that and to share what I come across in practice with everyone.

It may be good to explain my background and career so far. From my first job in 1986 I immediately came into contact with information technology (IT). As a consultant at an organisation and consultancy firm I was assigned to advise small and medium-sized businesses and guide them in automating their administration. In this role I got a look behind the scenes at many companies, which taught me a lot about how the administration was set up at different kinds of businesses.

My second job was at an IT services company, where I also started as a consultant. The work was largely the same as in my first job, and at a later stage installing and configuring computers, printers and networks was added to it. After a number of years a customer approached me to carry out a programming assignment. The company, an insurance company, had started building a policy and claims administration system itself but saw no way to finish it. I took on this project and from that moment never let go of software development. In this period there was no Windows yet. If I remember correctly I was programming in the language "Basic Professional Development System 7.0", which originated from QuickBasic.

After this job I took the big step and set up my own company, called ProScope Automatisering. It was in that period that software development really got off the ground. Many packages were built, including a subscription administration and advertising package for newspapers and publishers, a planning package for secondment companies, an order administration and planning package for agricultural contractors, etc.

Since 2003 I have been working as IT manager at efm verzekeringen. efm is an insurance company for ships. Here I am responsible for the entire IT environment, including the development of many software modules such as a quotation program, CRM, policy and claims administration, a digital archive and more.

At the moment efm is in the middle of a merger process with Oranje Verzekeringen. My current project therefore has everything to do with this. Network environments have to be migrated, new software is needed and of course a lot of data has to be converted to the new environment. I will write a separate blog post about this project later.

If you have any questions or comments, do not hesitate to leave a message or send an e-mail.

Regards,
Jacob Iedema
