All,

Because of Vista, the price for code-signing certificates increased.

We are in contact with Comodo to find out if there is a special offer for
SetupBuilder customers.

So if you need a code-signing certificate, please wait a few days.

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes

Too late<g>.. I bought one last week - 2yrs was $340...twice what it was a
few weeks ago.

Skip

Is this specific FOR Vista? or is Vista just requireing everything to be
signed?

In other words, will my existing certificate work?

paul macfarlane

Paul,

> In other words, will my existing certificate work?

Your current cert will work fine.

--
Lee White

http://CWaddons.com
http://LodestarSoftware.com
http://DeveloperPLUS.com

"DOS & CPD. When men were men and we didn't do windows!" Lee White

Hi Paul,

You are lost if you don't code-sign your installations and applications on
Vista. SetupBuilder 6 can automatically code-sign your application(s) and
the installer.

What Lee said. Your existing certificate will work fine :)

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes

You can get one from tucows for about $75.00 per year.

Greg

We are working on this one:

Comodo Code Signing Certificate - 1 year.: $79 (instead of $179)
Comodo Code Signing Certificate - 2 year.: $143 (instead of $340)
Comodo Code Signing Certificate - 3 year.: $200 (instead of $500)

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes

Very good initiative Friedrich, appreciate!

Peter

Thank you, Peter!

Friedrich

I already sign my installs and will start signing my apps as well (actually
do sign a couple)....

paul macfarlane

Hi Paul,

Great!

BTW, SetupBuilder 6 can also code-sign your apps. You can use the
"#code-sign application" compiler function.

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes

Friedrich,

Where does the "#code-sign application" go in the script?

Skip

Skip,

Wherever you want, just make sure it's before the compiler adds the file to
the archive (in other words before the "Install File" function).

We do all the pre-compile stuff in the [ Initialize Setup ] section.

For example:

[ Initialize Setup ]

! --- Define commonly used constants ---
#include script "common definitions.sbi"

#embed Vista manifest "[SB6_POOL]\sbuilder.exe"
#code-sign application "[SB6_POOL]\sbuilder.exe"
#code-sign application "[PROJECT]\Lib\wupdate.exe"

! --- Define standard installer variables ---
Set Variable %WINVER% to "{WINVER}"
....
....

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes

Thanks Friedrich...

Should we also code sign all of the .dlls (including 3rd party) that are
included in the setup? How about .exes that are 3rd party, such as
graphics.exe?

Skip

Hi Skip,

IMO, there is no need to code-sign all DLLs. But code-signing 3rd party
..exe files is a good idea.

And if you add a Vista-aware manifest, please make sure to include the
Vista-manifest first and then code-sign.

For example, this embeds the Vista-aware manifest into our own sbuilder.exe
and then the compiler code-signs it.

#embed Vista manifest "[SB6_POOL]\sbuilder.exe"
#code-sign application "[SB6_POOL]\sbuilder.exe"

Does this help?

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes

Yep...thanks!

Skip

So let me get this straight. If I code sign an app using a 2 year
certificate and then I go out of business. My customers can't reinstall my
app a year after the certificate expires???

So now I don't have to worry about expiration dates?? :) And I can blame
it on MS?

I can't tell you how many apps I have that I have purchased over the years
that just work great. Now they won't?

Vista sucks and Linux is looking better and better all the time it seems.

Great for you though :) All those cheap/free/inferior installation builders
will probably never offer what you are. !!

Thanks friedrich.

Andy Morgan

Andy,

> So let me get this straight. If I code sign an app using a 2 year
> certificate and then I go out of business. My customers can't reinstall my
> app a year after the certificate expires???

No.

The certificate is valid for two years to be used for signing. After
that you need to buy another certificate to continue signing. The
expiration is only for the validity of the certificate for signing,
not for use of the software that was signed.

IOW, a program doesn't expire when your certificate does.

--
Lee White

http://CWaddons.com
http://LodestarSoftware.com
http://DeveloperPLUS.com

"DOS & CPD. When men were men and we didn't do windows!" Lee White

That would be the case. But there's a provision to have your app
time-stamped at the time you sign it.
A recognized server verifies the date and time the app was signed.
So if it was signed while your certificate was valid, the app remains valid.

Jane Fleming

> That would be the case. But there's a provision to have your app
> time-stamped at the time you sign it.
> A recognized server verifies the date and time the app was signed.
> So if it was signed while your certificate was valid, the app remains
> valid.

Jane, a couple of doubts since you seem to know about this.
Suppose you -don't- sign your software, does that mean it -won't- run on
Vista at all, or just that it will get this annoying message each time a user
runs it? Also, if the user has absolute trust on you, and you work only with
that user, could he disable the security feature of Vista so he isn't annoyed
about your unsigned soft?

--
Jorge Alejandro Lavera
www.HuenuLeufu.com
www.ClarionTemplates.com
Relief for Clarion Developers.

Jorge,

I've worked a bit with Public Key Infrastructure in other contexts... so I
have some understanding of certificates.
But at present I'm quite ignorant of Vista... sorry.

Jane

That's a relief - thank you very much. My Vista investigations haven't
really begun yet - though planned.

Thanks again

Andy

IMO, it's something you need to do because if you don't, Windows Vista makes
your program to appear as if it's a malware or a virus program. If you
don't code-sign, the "Do you really want to do this?" and "Are you really,
really sure?" dialogs are all over the place in Windows Vista.

Microsoft recommends to code-sign with the following extensions: exe, dll,
ocx, sys, cpl, drv, scr.

I don't think it is possible to disable this Vista feature.

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes

> IMO, it's something you need to do because if you don't, Windows Vista
> makes your program to appear as if it's a malware or a virus program.
> If you don't code-sign, the "Do you really want to do this?" and "Are
> you really, really sure?" dialogs are all over the place in Windows
> Vista.
>
> Microsoft recommends to code-sign with the following extensions: exe,
> dll, ocx, sys, cpl, drv, scr.
>
> I don't think it is possible to disable this Vista feature.

Thank you, Friedrich.
I'll take advantage of your offer, then.
A couple of doubts, if you have the patience to answer:
1) In Vista, if you execute in your local hard drive my exe, you'll get this
warning too?
2) If I buy a certificate say for 1 year, in two years time when a user runs
one of my signed programs purchased and installed in this year, it will get
the annoying message again?

--
Jorge Alejandro Lavera
www.HuenuLeufu.com
www.ClarionTemplates.com
Relief for Clarion Developers.

Hi Jorge,

> Thank you, Friedrich.
> I'll take advantage of your offer, then.
> A couple of doubts, if you have the patience to answer:
> 1) In Vista, if you execute in your local hard drive my exe, you'll get
> this warning too?

Yes (if it is not code-signed).

> 2) If I buy a certificate say for 1 year, in two years time when a user
> runs one of my signed programs purchased and installed in this year, it
> will get the annoying message again?

No! What Lee said in a previous message. If you buy a certificate for 1
year, the certificate is valid for one year to be used for *signing*. The
validity is *not* for use of the software that was signed.

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes

> Hi Jorge,
>
>> Thank you, Friedrich.
>> I'll take advantage of your offer, then.
>> A couple of doubts, if you have the patience to answer:
>> 1) In Vista, if you execute in your local hard drive my exe, you'll get
>> this warning too?
>
> Yes (if it is not code-signed).

Now I'm being idiot here, but what if the user doesn't have an internet
connection? Or this is no longer possible with Vista? (I mean, not having
an internet connection?)

>> 2) If I buy a certificate say for 1 year, in two years time when a user
>> runs one of my signed programs purchased and installed in this year, it
>> will get the annoying message again?
>
> No! What Lee said in a previous message. If you buy a certificate for 1
> year, the certificate is valid for one year to be used for *signing*.
The
> validity is *not* for use of the software that was signed.

Ahh, now I get it. So the "signed" exe is valid for ever, what I cannot do
is to continue signing programs after the expiration.

> Friedrich
>



--
Jorge Alejandro Lavera
www.HuenuLeufu.com
www.ClarionTemplates.com
Relief for Clarion Developers.

Yes. But it's only valid "forever" IF you use a recognized time stamp
server to time stamp it when you sign it.
That guarantees to the world that you didn't adjust the clock on your
computer, and the file was really signed while your certificate was still
valid.

There's no additional charge for time stamping. SetupBuilder includes a
space where you can specify which time stamp server you want to use, and I
believe Friedrich's documentation provides a couple of URLs.

The user doesn't need an Internet connection if you use a recognized
certification authority to create your certificate. Microsoft supplies a
list of trusted root certification authorities with Windows, and updates
those with Windows updates from time to time. If your certificate is
traceable back to one of those trusted authorities, your users' computers
will trust it automatically.

Jane Fleming

Awesome.
Thank you for the information, Jane, and Friedrich too.
All this Vista stuff makes me cry. Fortunately, here in Argentina we won't
see Vista on our clients until at least a year or more, but my
international sales are a different animal.

Jorge A. Lavera

It is a bit confusing...LOL...

If you have a subscription to clarionmag.com, you might check the articles I
wrote late last year on code-signing and certificates for some basic
background explanation

Fortunately, SetupBuilder makes it easy.

Jane

Hello,

I don't understand this at all....it sounds like Microsoft is putting up
messages and making you pay to stop them.

What stops me from writing Virus in Clarion, and installing it under
SetupBuilder 6.0 with a certificate and distributing it ... and people will
end up installing my software (VIRUS) without a warning.

What am I missing here?

-Robert

When somebody discovers the virus or trojan that you've written and signed,
it will be traceable directly back to you. Because it was signed using your
secret key, you'll have a great deal of difficulty successfully repudiating
it.

Jane Fleming

Hello,

That makes sense - thanks for explaining it to me.

-Robert

On 6 Feb 2007 13:14:56 -0500, robert paresi wrote:

> I don't understand this at all....it sounds like Microsoft is putting up
> messages and making you pay to stop them.

Its no different conceptually than a secure certificate on a web store.

And youre right, there's nothing stopping a virus author from getting a
cert.
--

Mark

Thanks for your effort on this! I was about to purchase a 2 year certificate
and was surprised by the huge increase in price.

John

:)

I think what we see here is that the market price of a good is determined by
both the supply and demand for it. Developers need a code-signing
certificate now to install and run their apps on Vista.

But Comodo is still very reasonable (especially for SetupBuilder 6
customers, I hope <g>). And their staff is very professional and extremely
helpful.

Verisign is $499 for 1 year, $894 for 2 years and $1293 for 3 years.
Unbeliveable. Thawte is $199 for 1 year and $399 for 2 years.

I really hope we can offer the same for $79 / $143 / $200.

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes

Thats what I call a good initiative.
How will I find out, that you can deliver?

Edvard Korsbæk

Edvard,

I'll keep you all posted here on the newsgroups and on our web site.

Friedrich

Yes ! I knew it could be done...<g>

paul macfarlane

What would the cost be for this upgrade be, to get these features, including
the features that do web update's. I am still at Ver 4 that came with C6

Thanks
Les

Les,

You can upgrade to SetupBuilder 6 Developer Edition for $299.00 (instead of
$399.00).

This includes a 1-year maintenance and support subscription which ensures
that you will always have the latest version of your licensed installation
product without any additional cost during the term of the Plan. You get
every new release, version, and feature enhancement for your licensed
software.

http://store.esellerate.net/s.asp?s=STR9044399608&Cmd=BUY&SKURefnum=SKU8330729719

If you don't have an interest in a 1-year maintenance subscription, you can
upgrade to SetupBuilder 6 Developer Edition for $199.00. This includes a
60-day maintenance subscription.

http://store.esellerate.net/s.asp?s=STR9044399608&Cmd=BUY&SKURefnum=SKU25298326978

If you need further assistance, please let me know.


--
Andrea

Sales and Support, Lindersoft
www.lindersoft.com
1.954.252.3910

"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes

Thanks, I think it time to do this.
Les