
Do All Your Windows Applications Look Like A Computer Virus?


OK, so you’ve written something brilliant, The Next Big Thing.  You’re taking a modern approach.  You’ve read up – or watched – our series on Fluent UI and maybe even applied a few visual things like the neo-skeuomorphism we learned about at the Desktop First conference. 

Perhaps you’ve applied some VCL themes to your app and added the ability to detect Windows 10 dark mode/light mode in your Delphi application? Delphi’s Windows UI toolkit lets you build pages with a native look and feel and a UI, customizable in layout and content, that fits the IDE, and VCL Styles has design-time support that lets you prototype stylish UIs even faster by showing how your styled forms and controls will look when running. Everything is going well… until users try to use your applications.

Image: the warning you get when you run a very popular open source project which has 100,000+ downloads.

You start getting complaints from your users that they can’t download your application. Or, when they do finally manage to fight past the modern web browser’s paranoia, your app gets blocked by Windows 10 or, more mysteriously, simply disappears altogether into a blue cloud of corporate group-policy genie smoke.


You didn’t take the last step: signing your code to prove that your wonderfully-crafted application is from you, and only you, and has not been infected by a computer virus or cryptolocker trojan.

In the recent security-themed TCoffeeAndCode we had intended to talk about code-signing but we kind of got distracted by the many other security things which cropped up.  To be fair, we did say it’s not scripted!

What is code-signing?

Code signing is a manual process that you run just after, or as part of, the final build of your application. It adds a small resource to your exe containing a digital signature. The signature identifies who, in theory at least, wrote the code, and it includes a cryptographic checksum of your application’s exe file. Taken together, this information, the code signature, means that any user running your application can be sure that the exe file has not been modified since you created it on your computer or build server. Any change to the exe, for example by a virus, will break the cryptographic checksum, so users can tell something has gone wrong.
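The signature block described above lives in the PE file’s security data directory (the Authenticode certificate table). The following is an added example, not code from the original post: a small Python check that reads only the PE header to tell whether an exe carries an embedded signature at all, the kind of triage a browser, SmartScreen or a corporate allow-list performs before any cryptographic verification. The sample headers it builds are constructed for demonstration and are not runnable executables; validating the signature and signer is left to `signtool verify` or `Get-AuthenticodeSignature`.

```python
import struct

# Index of IMAGE_DIRECTORY_ENTRY_SECURITY in the optional header's data
# directory table; it locates the Authenticode certificate table.
SECURITY_DIR_INDEX = 4


def has_authenticode_signature(data: bytes) -> bool:
    """Return True if a PE image has an embedded Authenticode signature blob.

    Only the header is inspected: a non-zero security directory entry means
    a signature is attached.  This does not validate the signature or the
    signer; signtool verify or Get-AuthenticodeSignature do that.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 4 + 20                              # skip COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # Directories start 96 bytes into a PE32 (0x10b) optional header and
    # 112 bytes into a PE32+ (0x20b) one.
    dirs_off = opt_off + (112 if magic == 0x20B else 96)
    # For the security entry the first field is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, dirs_off + SECURITY_DIR_INDEX * 8)
    return offset != 0 and size != 0


def build_sample_pe(signed: bool, pe32plus: bool = True) -> bytes:
    """Constructed sample header (not a runnable exe) for demonstration only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)    # e_lfanew -> 0x40
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0x22)
    magic = 0x20B if pe32plus else 0x10B
    opt = struct.pack("<H", magic) + b"\0" * ((112 if pe32plus else 96) - 2)
    dirs = [(0, 0)] * 16
    if signed:
        dirs[SECURITY_DIR_INDEX] = (0x1000, 0x600)         # made-up offset and size
    return dos + b"PE\0\0" + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs)


if __name__ == "__main__":
    for label, blob in (("signed", build_sample_pe(True)), ("unsigned", build_sample_pe(False))):
        print(label, "->", has_authenticode_signature(blob))
```

On a real machine you would feed `has_authenticode_signature` the bytes of each exe in a distribution folder to spot anything that shipped unsigned.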

Image: a properly code-signed app (the screenshot is old; the certificate would show a current expiry date).

Delivering apps via a weblink pretty much demands code-signing

Code signing doesn’t just help identify the original developer. It also plays a part when your programs are downloaded from a website or similar online delivery mechanism. Most browsers (probably all) will warn you about downloading exes from a website, especially one which is not using HTTPS. Microsoft Edge and Windows combined go a little further and will actively scream at you if the exe does not bear a digital signature (another way of saying it’s not code-signed).


Unsigned apps look just like computer viruses

If your users do finally manage to jump through all the various hoops and actually get the exe to download onto their computer, some of them may find that the downloaded file has magically disappeared. This is because it’s fairly common for corporate networks to enforce a rule which says that users may only run certain trusted applications. No code signature usually means your application is not trusted. Some go even further, although this is less common, and insist that all user applications must be 64-bit, especially server-side applications and Windows services. Corporate network admins and ITSec staff can be a little overwrought when it comes to enforcing policies and corralling a bunch of users into behaving themselves by preventing them doing obvious things like streaming torrents, opening questionable attachments and accidentally running malware.

Your non-code-signed application?  It looks just like the worst kind of cryptolocking password stealer to them – and no, they do not want to put down their skinny extra almond latte macachoolie with extra spirella to run it to “check it out” thank you very much.

Is code-signing just for blue chip companies?

Code signing is a MUST if you want to earn an income from your code.  But even if you are an open source or freeware project code signing helps your users to help themselves.

The halcyon days of simply creating an exe, zipping it up and putting it on a webserver are pretty much gone. If this is how you deliver your software then I hate to be the bearer of bad news: you’re out of date and it’s time to modernize. A whole bunch of changes to the way Windows operates are coming soon, and many of the security enhancements like UAC, HTTPS and enforced directory protection are going to happen unilaterally and, in most cases, already have.

Of the questions I get asked about, code signing is probably the number one hot topic so I *know* there are a whole crowd of developers who are coming to the realization that code signing is not really an optional activity.

More resources on code-signing

To read more about the pros and cons of code signing as a subject try the following resources:


Don’t squander your hard work to a draconian security gatekeeper – it’s time to modernize and code sign your applications.


About author

Ian is the Embarcadero Developer Advocate, a professional writer, presenter, and host. He is a prolific software developer, voice actor, designer and poet. Ian is British American, born in London, now living in Dallas, Texas. "I get up early every day and write code".
