Code signing an Access2007 application

Mark Andrews

I understand this is not really an Access issue but when I started to search
about this issue I kept seeing Access MVPs
so here goes. I have an Access2007 runtime application that I use Sagekey
to build an EXE file. The app runs fine when installed.

I just want to code sign the EXE to get rid of that IE message. Some users
are afraid to run the EXE install program because of this message.

I have not gone down the road to buy a cert and attach it to an EXE, any
tips are appreciated on the best steps to approach this.

I was looking at:
http://www.globalsign.com/code-signing/

Thought it made sense to get some advice from others before I jump in and
buy a cert and figure out how to use it.
I didn't see attaching the cert as part of SageKey product, and having
trouble getting a response from SageKey.
Apologize ahead of time if this is pretty easy (guessing you buy it and run
a command line on something to attach it and done).

---------------------------------------
On a separate note I have another client that uses an Access2007 app that he
wants to install manually (without an install package) and needs to have the
best level of security money can buy. What types of code signing/protection
can I do for this application (other than setting a trusted location)?


Thanks in advance,
Mark
 
Tony Toews [MVP]

Mark Andrews said:
I understand this is not really an Access issue but when I started to search
about this issue I kept seeing Access MVPs
so here goes. I have an Access2007 runtime application that I use Sagekey
to build an EXE file. The app runs fine when installed.

I just want to code sign the EXE to get rid of that IE message. Some users
are afraid to run the EXE install program because of this message.

The problem is that code signing won't necessarily get rid of all the
messages. (I've code signed my VB6 Auto FE Updater exe) This also
depends on whether they're running the exe from a file server or
downloaded from a website.

If the user has downloaded it from a website they still get the
warning message but now it has your biz name on there. So that's
reasonable enough.

However if they are running your exe from a file server they still get
the screen that warns them about running an exe from a file server.
However this screen is very slightly different/milder from the message
they get when they run an unsigned exe from the file server. In my
not so humble opinion MS should've made this particular screen
significantly "softer" than the non signed exe message.

Hmm, I should really have both on my website. I've been meaning to do
that and haven't quite got there.

I used
https://secure.ksoftware.net/code_signing.html who is a reseller for
Comodo and was the cheapest source. Ahhh, now they have a five year
code signing cert. Sweet.

I only bought a year because I wanted to see how it would work. I
think that code signing has given my utility a small amount of
credibility with folks using it. Especially the fascist IT
departments. But who knows....

Yikes, GlobalSign is very expensive. Three times as much.

Now a Verisign code signing cert might also be quite useful because
then you might be able to register and use the MS Verified for Windows
7 logo on your website. Trouble is Verisign are also very expensive.
The good news though is that somewhere on the MS website I found a
Verisign coupon/discount code that dropped the price of the Verisign
code cert to a much more reasonable price. Trouble is I forgot to copy
down the URL of that page.

If you poke about on the Windows website and find it please post the
URL. <smile>

Mark Andrews said:
Thought it made sense to get some advice from others before I jump in and
buy a cert and figure out how to use it.
I didn't see attaching the cert as part of SageKey product, and having
trouble getting a response from SageKey.

As far as I know you can digitally sign any exe or msi file and a few
others. But I'm not an expert here.

Mark Andrews said:
Apologize ahead of time if this is pretty easy

No, figuring all this out is *not* easy. I spent about five or seven
hours mucking about various web sites to figure out which was the most
recent method of code signing, etc, etc.

Mark Andrews said:
(guessing you buy it and run
a command line on something to attach it and done).

Basically yes. Here's my complete cmd file I use. Ignore the extra
del and copy lines as those are for testing purposes with Virtual PC
sessions, etc.

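rem Remove previous builds (the del and copy lines are only for Virtual PC testing)
del startmdb.exe
del "X:\9 archive\_ Auto Fe Updater\startmdb.exe"
del "_startmdb.exe"
rem Compile the VB6 project
"C:\Program Files\Microsoft Visual Studio\VB98\vb6.exe" /make startmdb
rem Sign the exe and timestamp the signature (one command, on a single line)
"C:\Program Files\Microsoft SDKs\Windows\v6.1\Bin\signtool.exe" sign /t http://timestamp.comodoca.com/authenticode /v startmdb.exe
rem Copy the signed exe to the test locations
copy startmdb.exe "X:\9 archive\_ Auto Fe Updater\startmdb.exe"
copy startmdb.exe "_startmdb.exe"

pause

Mark Andrews said:
On a separate note I have another client that uses an Access2007 app that he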
wants to install manually (without an install package) and needs to have the
best level of security money can buy. What types of code signing/protection
can I do for this application (other than setting a trusted location)?

I'd strongly suggest you start a new thread with an appropriate
subject.

Tony
--
Tony Toews, Microsoft Access MVP
Tony's Main MS Access pages - http://www.granite.ab.ca/accsmstr.htm
Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/
For a convenient utility to keep your users FEs and other files
updated see http://www.autofeupdater.com/
Granite Fleet Manager http://www.granitefleet.com/
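
An added example, not part of the post above or of Tony's own cmd file: the same signtool call followed by a verification step, so the exe is only copied out when the signature actually checks. The signtool path, file name and timestamp URL are the ones from the post; the `release` folder is a hypothetical name and the `verify /pa` step is an addition.

```batch
@echo off
rem Added example: sign, verify, and publish only if verification passes.
rem SIGNTOOL, TARGET and TIMESTAMP_URL come from the cmd file in the post;
rem STAGING is a hypothetical output folder.
setlocal
set "SIGNTOOL=C:\Program Files\Microsoft SDKs\Windows\v6.1\Bin\signtool.exe"
set "TARGET=startmdb.exe"
set "TIMESTAMP_URL=http://timestamp.comodoca.com/authenticode"
set "STAGING=release"

if not exist "%TARGET%" (
    echo ERROR: %TARGET% not found - build it first.
    exit /b 1
)

rem As in the post, no certificate is named on the command line, so signtool
rem uses the signing cert it finds in the certificate store. /t adds a
rem timestamp so the signature stays valid after the cert itself expires.
"%SIGNTOOL%" sign /t %TIMESTAMP_URL% /v "%TARGET%"
if errorlevel 1 (
    echo ERROR: signing failed or returned warnings - not publishing %TARGET%.
    exit /b 1
)

rem /pa verifies against the default Authenticode verification policy,
rem the same kind of check Windows applies to a downloaded exe.
"%SIGNTOOL%" verify /pa /v "%TARGET%"
if errorlevel 1 (
    echo ERROR: signature did not verify - not publishing %TARGET%.
    exit /b 1
)

rem Only a signed and verified build reaches the staging folder.
if not exist "%STAGING%" mkdir "%STAGING%"
copy /y "%TARGET%" "%STAGING%\%TARGET%" >nul
echo Signed and verified: %STAGING%\%TARGET%
endlocal
```

Because `if errorlevel 1` is true for any exit code of 1 or higher, a signtool run that finishes with warnings is also treated as a failed build.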
 
Tony Toews [MVP]

Tony Toews said:
Now a Verisign code signing cert might also be quite useful because
then you might be able to register and use the MS Verified for Windows
7 logo on your website. Trouble is Verisign are also very expensive.
The good news though is that somewhere on the MS website I found a
Verisign coupon/discount code that dropped the price of the Verisign
code cert to much more reasonable price. Trouble is I forgot to copy
down the URL of that page.

If you poke about on the Windows website and find it please post the
URL. <smile>

Ahh, found it. https://winqual.microsoft.com/SignUp/

Tony

Tony Toews [MVP]

Also note the following question I posted to Stack Overflow

Code signing didn’t complain when I changed an exe file?
http://stackoverflow.com/questions/1801565/code-signing-didnt-complain-when-i-changed-an-exe-file

Tony

Mark Andrews

Tony,

Thank you for all the useful information! I knew I did the right thing
asking the question here first before I dived in.

Thanks,
Mark
 
Mark Andrews

Quick question: I read all the pages. In your opinion would you go with:
- a verisign cert $99/1 year (2 or 3 year are too expensive)
or
- a comodo cert for a few years

I would like to get one for a few years so I don't have to go through this
hassle again anytime soon.
However not sure I understand all the benefits you might get from using a
verisign cert?

I only want to deal with the message when installing the software
(downloading from website and installing).

Thanks again, I might have just bought one that was too expensive,
You saved me time and money!
Mark

PS: FYI: The one article does mention http://www.startssl.com/ which might
even have cheaper prices (however I think they require that you have already
registered, not sure). $49.95
 
Tony Toews [MVP]

Mark Andrews said:
Quick question: I read all the pages. In your opinion would you go with:
- a verisign cert $99/1 year (2 or 3 year are too expensive)
or
- a comodo cert for a few years

I would like to get one for a few years so I don't have to go through this
hassle again anytime soon.
However not sure I understand all the benefits you might get from using a
verisign cert?

I only want to deal with the message when installing the software
(downloading from website and installing).

Thanks again, I might have just bought one that was too expensive,
You saved me time and money!
Mark

PS: FYI: The one article does mention http://www.startssl.com/ which might
even have cheaper prices (however I think they require that you have already
registered, not sure). $49.95

If you want to use the official Microsoft "Works with Windows 7" logo
then you'd want the Verisign cert. If not then go with the cheapest.

Hmm, StartSSL registration seems to be relatively painless as all it
asks for is your name and address. I do know of one MVP associated
with them. So if that works it's even better of a deal.

Also note that code signing works best if you have a corporation. If
you're a sole proprietorship it gets trickier as, I think, some cert
issuing orgs won't deal with you. A personal code signing cert might
be next to impossible to get. Note that this paragraph may be very
wrong in some significant aspects as I'm passing on what I've read.

Tony

Tony Toews [MVP]

Mark Andrews said:
PS: FYI: The one article does mention http://www.startssl.com/ which might
even have cheaper prices (however I think they require that you have already
registered, not sure). $49.95

Actually that's $49.95 for two years. An even better deal.

Tony

Tony Toews [MVP]

Tony Toews said:

<giggle> MS sure doesn't like it when you hit that URL with your
default Firefox browser.

Tony

David W. Fenton

Tony Toews said:
As far as I know you can digitally sign any exe or msi file and a
few others. But I'm not an expert here.

Does a single cert cover multiple versions of your EXE? Or do you
have to get a new one each time you issue an update?

And what is the price you're talking about here? $50? $500? $5000?
 
David W. Fenton

Tony Toews said:
<giggle> MS sure doesn't like it when you hit that URL with your
default Firefox browser.

I get the identical page in FF and IE. It doesn't say anything about
the discount.
 
David W. Fenton

Tony Toews said:
Actually that's $49.95 for two years. An even better deal.

That website is down -- won't come up within the browser, and
doesn't respond to PING. Traceroute suggests they are based in
Israel, but is dying somewhere before it gets to their server. I
can't quite see how I could depend on a cert provider whose own
website is not redundantly hosted so that it's never down!

I wanted to look because the "ssl" in the name suggests to me that
it's more aimed at websites needing HTTPS certs and for SSH
tunneling and the like, rather than for EXE certification.
 
MikeR

David said:
Does a single cert cover multiple versions of your EXE? Or do you
have to get a new one each time you issue an update?

And what is the price you're talking about here? $50? $500? $5000?

You can sign any number of whatever, as long as the cert is not expired.
Mike
 
Mark Andrews

I think I'll go with Comodo. I've been reading a few other blogs etc and it
seems like a good way to go.

I have a single person LLC. We'll see how easy it is.

Appreciate the help,
Mark
 
Tony Toews [MVP]

David W. Fenton said:
That website is down -- won't come up within the browser, and
doesn't respond to PING. Traceroute suggests they are based in
Israel, but is dying somewhere before it gets to their server. I
can't quite see how I could depend on a cert provider whose own
website is not redundantly hosted so that it's never down!

Puzzling because it's working just fine for me. I suspect an error
somewhere between your ISP and them then.

C:\>tracert startssl.com

Tracing route to startssl.com [192.116.242.20]
over a maximum of 30 hops:

2 d205-206-24-1.abhsia.telus.net [205.206.24.1]
3 154.11.197.65
4 204.225.243.18
5 sl-gw12-sea-0-0.sprintlink.net [144.224.113.153]
6 sl-bb21-sea-4-0-0.sprintlink.net [144.232.6.123]
7 pos1-2.BR1.SEA1.ALTER.NET [204.255.169.117]
8 0.so-4-2-0.XT2.SEA1.ALTER.NET [152.63.105.86]
9 0.xe-3-2-0.IL2.NYC9.ALTER.NET [152.63.26.93]
10 0.ge-1-2-0.IL2.NYC12.ALTER.NET [152.63.26.98]
11 ge-0-2-0.XT2.LND9.ALTER.NET [158.43.252.46]
12 GigabitEthernet1-0-0.GW3.LND9.ALTER.NET [158.43.150.110]
13 62.189.148.35
14 EDGE.LON-02-RE1-xe-0-0-0-51.bb.012.net.il [80.179.165.170]
15 EDGE.LON-01-RE1-xe-0-0-0-100.bb.012.net.il [80.179.165.69]
16 BRDR.PT-M320-RE1-so-3-2-0-0.bb.012.net.il [80.179.165.153]
17 WAN-ASR-PT-01-Te0-0-0-2450.bb.012.net.il [212.199.4.2]
18 gateway.startcom.org [212.117.158.94]
19 * ^C
C:\>

David W. Fenton said:
I wanted to look because the "ssl" in the name suggests to me that
it's more aimed at websites needing HTTPS certs and for SSH
tunneling and the like, rather than for EXE certification.

They appear to have exe certs too.

Tony

Tony Toews [MVP]

David W. Fenton said:
I get the identical page in FF and IE. It doesn't say anything about
the discount.

Interesting. In IE I get a page that states in big letters Establish
an Account. Then gives you a list of companies. Then Create a
Company Account and then the bulleted three paragraphs down states

"VeriSign 'Microsoft Authenticode' Code Signing Digital Certificate
($499 $99 USD) " Where the $499 is crossed out.

Tony

Tony Toews [MVP]

David W. Fenton said:
Does a single cert cover multiple versions of your EXE? Or do you
have to get a new one each time you issue an update?

A single cert covers any number of exe's, msi's etc I wish to publish
for the year or whatever duration I've purchased the cert. I do have
to sign the code each time I want to make the exe available to the
public.

I would assume Access MDBs, ACCDEs, etc but I haven't bothered to try
that yet.

That said I *always* run the above cmd file when making an exe for
testing purposes on other Virtual PC OSs. So I might run it five or
ten times a day.

David W. Fenton said:
And what is the price you're talking about here? $50? $500? $5000?

Using the link I provided to the
https://secure.ksoftware.net/code_signing.html site - $100 per year.

Tony

David W. Fenton

Tony Toews said:
Puzzling because it's working just fine for me. I suspect an error
somewhere between your ISP and them then.

My traceroute was failing just before the last step of yours, so it
really was an issue on their end, not my ISP's.

David W. Fenton said:
I wanted to look because the "ssl" in the name suggests to me that
it's more aimed at websites needing HTTPS certs and for SSH
tunneling and the like, rather than for EXE certification.

Tony Toews said:
They appear to have exe certs too.

The site is up now (though I'd already looked at it in the Google
cache).
 
