1. Glenn Scamman
  2. PowerBuilder
  3. Thursday, 5 August 2021 22:07 PM UTC

Hello, we are in the development/testing phase of a PB2019R3 app that we want to deploy with Powerclient.  We've run into our first case of a test user not being able to launch our app because of the antivirus software BitDefender on their laptop.  I was hoping that signing our application will ease this issue that BitDefender has with our .exe.  However, I'm having trouble getting Powerclient to sign the app.

I have installed MS's signtool.exe and read about its syntax.  I have created a self-signed certificate using the Powershell commandlet New-SelfSignedCertificate.  I exported that certificate as a pfx file (with a pw). I filled out the 'Signing' page of the Powerclient project with the location of signtool.exe, location of the pfx file, the pw, the algorithm SHA256, and left the URL of the timestamp server as digicert's URL.  I then tried to build and deploy the Powerclient project, but it fails at the end with "Failed to sign the application...".  I tried again with blanking out the URL of the timestamp server, because this is a self-signed certificate.  It didn't like that ... "The application signature information is incorrectly configured".

My questions:

1) Can a self-signed certificate be used for testing a Powerclient deployment?

2) Can you use a certificate that isn't timestamp verified?

3) Is there a way to get more information about why the application is failing to get signed?

4) I don't know much about certificates, but some can't be exported as pfx files (at least with the certmgr.msc app). Can only .pfx certificate files be used for Powerclient signing?

5) This link, Create a certificate for package signing - MSIX | Microsoft Docs, discusses how the 'subject' of a self-signed certificate needs to match the 'publisher' in your app's manifest file. I have never used manifest files for my apps. Could this be what is causing the problem? I just matched the 'subject' to 'company name' on the Powerclient 'General' page.

6) We will be requesting a certificate for a new company name in the near future, and we have used digicert for our main company.  Do I need to request anything special to have a certificate that can be exported to a .pfx file?


For now, I'll also be looking for documentation on how to let BitDefender Endpoint Security Tools trust an application, but from a short Teams meeting with this user, we didn't see a way to create or exclude our application from its scans. Their machines may be tightly managed and we may have to request their IT dept to add an exclusion rule.

Regards and TIA, Glenn S.

Accepted Answer
  1. Glenn Scamman
  2. PowerBuilder
  3. Friday, 6 August 2021 17:24 PM UTC

After a bunch of investigating and trial-and-error, I think I have answered most of the questions I posted above.

1) Can a self-signed certificate be used for testing a Powerclient deployment?

Yes, as Armeen pointed out. The problem I was having with my self-signed certificate is that it wasn't being trusted by the SignTool.exe because I hadn't put this same certificate in the 'Trusted Root Certification Authorities' store in certmgr.msc.  Once I did that, Powerclient didn't fail to sign anymore.  The output doesn't really show a step that the signing succeeded, but when I right-clicked on my app exe file (in the temp location that powerclient puts everything before uploading to the server), I now see the 'Digital Signatures' tab and can see the signature details and timestamp.  So my own machine wasn't trusting my own code-signing certificate until I made that same certificate a trusted authority.  I found this out from a return message while trying to sign my exe from the commandline with SignTool.  It would be nice if the Powerclient output gave more information about the failure.

2) Can you use a certificate that isn't timestamp verified?

Probably, but maybe not without using your own signing script.  When I blanked-out the timestamp server URL in the "Use the SignTool" portion, it didn't like that.  The timestamping portion is simple, so you might as well take advantage of it.

3) Is there a way to get more information about why the application is failing to get signed?

I don't know about this one.  Does more information get logged somewhere other than what you see in the output section of the PB IDE? It merely stated "Failed to sign the application. Please check the signature information."

4) I don't know much about certificates, but some can't be exported as pfx files (at least with the certmgr.msc app). Can only .pfx certificate files be used for Powerclient signing?

Again, without using your own signing script, it is probably not likely. But the MS help on SignTool points out additional options, one of which indicates you can get the certificate directly from the certificate store using the thumbprint with the /sha1 option.  In that case you wouldn't need the cert exported as a .pfx file.  The middle option on the Powerclient Signing screen will be a huge timesaver when frequent builds are deployed.

5) This link, Create a certificate for package signing - MSIX | Microsoft Docs, discusses how the 'subject' of a self-signed certificate needs to match the 'publisher' in your app's manifest file. I have never used manifest files for my apps. Could this be what is causing the problem? I just matched the 'subject' to 'company name' on the Powerclient 'General' page.

I don't think this was the problem. See #1 above for the more likely culprit.

6) We will be requesting a certificate for a new company name in the near future, and we have used digicert for our main company.  Do I need to request anything special to have a certificate that can be exported to a .pfx file?

Here is a good link about code-signing certificates from Digicert. Other CAs probably have similar FAQs and products.  Digicert's code-signing certificate will be nearly $500 for a year, with a little discount for 3-year or renewals.  Nearly $700 for their "super-trusted" certificate.

Code Signing Certificate FAQs (digicert.com)

Code Signing Certificates | What is EV Code Signing & How It Works | DigiCert

Attachments (3)
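The flow Glenn ended up with (self-signed code-signing certificate, public half placed in Trusted Root on the test machine, SignTool with a SHA-256 digest and an RFC 3161 timestamp, or signing straight from the store by thumbprint) as one PowerShell script. This is an added example, not from the thread, from Appeon or from PowerClient itself; the subject name, file paths, password and app.exe are placeholders, and PowerClient runs the same signtool command line from the values entered on its Signing page.

```powershell
# Added example (not from the thread): end-to-end *test* signing on a developer
# machine. Subject, paths and password are placeholders; "app.exe" stands in for
# the PowerClient build output. Needs Windows PowerShell 5.1+ and signtool.exe on
# PATH (Windows SDK). Run as the user who will build, not elevated.

$Subject   = "CN=Example Company (test signing)"          # placeholder
$PfxPath   = "C:\certs\test-codesign.pfx"                 # placeholder
$CerPath   = "C:\certs\test-codesign.cer"                 # placeholder
$ExePath   = "C:\build\app.exe"                           # placeholder build output
$PfxPass   = ConvertTo-SecureString "ChangeMe-Placeholder" -AsPlainText -Force
$Timestamp = "http://timestamp.digicert.com"              # RFC 3161 timestamp server
$SignFromStore = $true   # $true: /sha1 thumbprint, $false: /f pfx + /p (what the PowerClient page does)

# 1. Self-signed certificate with the *code-signing* EKU. Without -Type CodeSigningCert
#    the cert carries a server-auth EKU and SignTool rejects it ("No certificates were
#    found that met all the given criteria").
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
    -CertStoreLocation Cert:\CurrentUser\My -KeyAlgorithm RSA -KeyLength 2048 `
    -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(1)

# 2. PFX (with private key, for the PowerClient Signing page) and .cer (public only,
#    for the trust store). Keep the PFX out of source control and build logs.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPass | Out-Null
Export-Certificate    -Cert $cert -FilePath $CerPath | Out-Null

# 3. The step that fixed the "Failed to sign the application" error: a self-signed
#    cert is only trusted where its public half sits in Trusted Root. Scope it to the
#    current user on the test box (Windows pops a confirmation dialog); do not ship it
#    in an image. Remove it again with step 6 when testing is done.
Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\CurrentUser\Root | Out-Null

# 4. Sign. /fd = file digest, /td = timestamp digest, /tr = RFC 3161 server.
if ($SignFromStore) {
    # Signs from Cert:\CurrentUser\My by thumbprint: no PFX or password on the build
    # machine at all (the /sha1 option Glenn refers to).
    & signtool sign /fd SHA256 /sha1 $cert.Thumbprint /tr $Timestamp /td SHA256 $ExePath
} else {
    # Same command PowerClient issues from the Signing page; the password is exposed on
    # the command line here, which is why the thumbprint route is preferable for CI.
    $plain = [Net.NetworkCredential]::new("", $PfxPass).Password
    & signtool sign /fd SHA256 /f $PfxPath /p $plain /tr $Timestamp /td SHA256 $ExePath
}
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 5. Verify. /pa applies the default Authenticode policy; /v prints the chain, so when
#    step 3 was skipped the output names the untrusted root explicitly instead of the
#    bare failure PowerClient shows.
& signtool verify /pa /v $ExePath
$sig = Get-AuthenticodeSignature -FilePath $ExePath
"Status: $($sig.Status)   Signer: $($sig.SignerCertificate.Subject)"   # expect Valid

# 6. Cleanup once testing is over: drop the self-signed root from the trust store.
# Remove-Item -Path "Cert:\CurrentUser\Root\$($cert.Thumbprint)"
```

Running `signtool verify /pa /v` from the command line is the quickest way to get the detail the IDE's "Failed to sign the application" message omits: a missing root trust, a wrong EKU and an unreachable timestamp server each produce a different, specific error. The thumbprint path (`/sha1`) answers question 4 above: no PFX export is needed when the signing key already lives in the user's certificate store.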
Comment
  1. Armeen Mazda @Appeon
  2. Friday, 6 August 2021 17:43 PM UTC
Thanks for sharing all these details to help other people!
Answer 1
  1. Armeen Mazda @Appeon
  2. PowerBuilder
  3. Thursday, 5 August 2021 22:17 PM UTC

Hi Glenn, I can answer your first question.  Yes, you can use self-signed certificate, but if your goal is to ensure the security of your app and best compatibility with the AV tools then you should use a trusted certificate.  Anybody can self-sign an .EXE and claim to be your company.  Trusted certificate ensures that your company really signed the app.

Comment
  1. Armeen Mazda @Appeon
  2. Friday, 6 August 2021 00:58 AM UTC
The certificate is per company not user. It is cheap, trust me. We digitally sign our products all the time.

I suggest reporting the false positives to Avast. They have been pretty responsive to us rolling out updated definitions. The exceptions should be a temporary solution until Avast addresses them.

I honestly don’t have a clue how bad Windows 11 will be because we haven’t tested it at all yet. But of course it is on our roadmap to support.
  1. Miguel Leeuwe
  2. Friday, 6 August 2021 18:58 PM UTC
Thank you Armeen and Glenn for responding!
  1. Armeen Mazda @Appeon
  2. Friday, 6 August 2021 19:30 PM UTC
You're very welcome!