How to code-sign a .LIB file?



NewsArchive
09-30-2020, 08:36 AM
Hello all,

An .EXE or .DLL is easy to code-sign with SetupBuilder. I do not really know
what actually happens, but, yeah, it just works.

Now my question is, does the same apply to .LIB files?

Timid as I am, I thought I better ask, before I break anything.

Thank you!

Regards,
Wolfgang Orth (aka Caspar Milquetoast)

www.odata.de

Please note:
From time to time it happens, that I overlook a reply to my postings.
Please don't be angry.
In case of an emergency, try to contact me via mail.


NewsArchive
09-30-2020, 08:36 AM
Wolfgang Orth,

> An .EXE or .DLL is easy to code-sign with SetupBuilder. I do not really know
> what actually happens, but, yeah, it just works.
>
> Now my question is, does the same apply to .LIB files?

Then I have a question for you, why would you want to?

LIB files aren't executable so why would you ship them unless this is
for a 3rd party offering. Just wondering.

--
Lee White

RPM Report Preview: http://www.cwaddons.com/products/rpm/
Creative Reporting: http://www.CreativeReporting.com

Hydrogen, the only CLEAN fuel and the future of clean air.

NewsArchive
09-30-2020, 08:37 AM
>Wolfgang Orth,
>
>> An .EXE or .DLL is easy to code-sign with SetupBuilder. I do not really know
>> what actually happens, but, yeah, it just works.
>>
>> Now my question is, does the same apply to .LIB files?
>
>Then I have a question for you, why would you want to?
>
>LIB files aren't executable so why would you ship them unless this is
>for a 3rd party offering. Just wondering.
>

Hello Lee,

well, yes, this .LIB is meant to be shipped, because it will be part of a
template. This template adds the ability to an EXE to check the validity of
itself and all other binaries in an install.

It is based on the WinTrust-API from Microsoft. Some specific functions got
exported to its own LIB.

And it would be ironic if such a file, which is instrumental for checking
the signature of other files, came without a signature.

<G>

https://www.odata.de/Clarion/verify_digital_certificate

I am in the process of completing Mike Hanson's template and then tinker an
installer for it.

But before doing so, I want to make that needed .LIB secure by code-signing. If
this is possible. So we are back at my initial question: is it possible and how
to?

Just the same as with any exe or dll?

I fear I could break something, so I better ask.....

Regards,
Wolfgang Orth
www.odata.de


NewsArchive
10-06-2020, 03:13 AM
Wolfgang Orth,

> well, yes, this .LIB is meant to be shipped, because it will be part of a
> template. This template adds the ability to an EXE to check the validity of
> itself and all other binaries in an install.

I would say LIB files aren't to be signed.
<https://docs.microsoft.com/en-us/windows/win32/seccrypto/cryptography-tools>

I sign my 3rd party DLL's but not LIB's.

--
Lee White


NewsArchive
10-06-2020, 03:13 AM
>
>I would say LIB files aren't to be signed.
><https://docs.microsoft.com/en-us/windows/win32/seccrypto/cryptography-tools>
>
>I sign my 3rd party DLL's but not LIB's.
>

Will the LIBs be distributed to the end-user?

Or is this LIB relevant only to the programmer. He / she has to have it in the
directory during compile, but no distribution needed?

And because in any case of a doubt, every programmer may extract the needed
functions from the MS files into their own LIB. Nobody will do this, but, hmmm,
it is like it is.



Regards,
Wolfgang Orth
www.odata.de


NewsArchive
10-06-2020, 03:14 AM
Wolfgang Orth,

> Will the LIBs be distributed to the end-user?

No.

> Or is this LIB relevant only to the programmer. He / she has to have it in the
> directory during compile, but no distribution needed?

Only to the programmer.

--
Lee White


NewsArchive
10-06-2020, 03:14 AM
Thank you very much, Lee, for clarification.

Regards,
Wolfgang Orth
www.odata.de


NewsArchive
10-07-2020, 09:47 AM
Hello Wolfgang,

sorry for the delay. Super mega ultra busy with SetupBuilder development
and two "Corona-caused" projects (one large school and a local company).
Both projects make use of our SetupBuilder technology.

It's not possible to code-sign a .LIB because a .LIB is used to *generate*
the final file (.EXE, .DLL, etc.).

Sorry again.

Friedrich

NewsArchive
10-07-2020, 09:47 AM
Hi Friedrich,

How about using a zip tool to create a .CAB file and then signing
_that_?
That would ensure the integrity of the distribution, with the recipient
just having to unzip before use.

https://docs.microsoft.com/en-us/windows/win32/seccrypto/cryptography-tools

.CAB files are in the list.

Graham
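
Graham's suggestion above, sketched in PowerShell as an added example that is not part of the original thread: the publisher packs the .LIB into a .CAB and signs the cabinet, and the recipient checks the signature and signer before extracting. It assumes `makecab.exe`, `expand.exe` and the Windows SDK's `signtool.exe` are on the PATH and a code-signing certificate is in the user's store; the file names, timestamp URL and thumbprint are placeholders.

```powershell
# Added example: file names, timestamp URL and thumbprint are placeholders.
$ErrorActionPreference = 'Stop'

function New-SignedLibCab {
    param(
        [string]$LibPath,       # e.g. .\MyVerify.lib (hypothetical name)
        [string]$CabPath,       # e.g. .\MyVerify.cab
        [string]$TimestampUrl   # RFC 3161 timestamp service of your CA
    )
    # Pack the single .LIB into a cabinet, a container Authenticode can sign.
    & makecab.exe $LibPath $CabPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "makecab failed for $LibPath" }

    # /a lets signtool pick a suitable code-signing certificate from the store.
    & signtool.exe sign /a /fd SHA256 /tr $TimestampUrl /td SHA256 $CabPath
    if ($LASTEXITCODE -ne 0) { throw "signtool failed for $CabPath" }
}

function Expand-VerifiedLibCab {
    param(
        [string]$CabPath,
        [string]$Destination,
        [string]$ExpectedThumbprint   # publisher's thumbprint, obtained out of band
    )
    # Refuse to extract unless the signature validates and chains to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $CabPath
    if ($sig.Status -ne 'Valid') {
        throw "Signature on $CabPath is $($sig.Status): $($sig.StatusMessage)"
    }
    # A valid signature from anyone is not enough: pin the expected signer.
    if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }
    New-Item -ItemType Directory -Force -Path $Destination | Out-Null
    & expand.exe $CabPath '-F:*' $Destination | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "expand failed for $CabPath" }
}

# Publisher side (placeholder values):
#   New-SignedLibCab -LibPath .\MyVerify.lib -CabPath .\MyVerify.cab `
#       -TimestampUrl 'http://timestamp.example.invalid'
# Recipient side:
#   Expand-VerifiedLibCab -CabPath .\MyVerify.cab -Destination .\lib `
#       -ExpectedThumbprint '<PUBLISHER-CERT-THUMBPRINT>'
```

The extracted .LIB carries no signature of its own, so the check only covers the cabinet as delivered; keep the signed .CAB if the file needs to be re-verified later.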

NewsArchive
10-07-2020, 09:48 AM
Hello Friedrich,

no problem at all!

Lee White already brought me on-track, he helped me to understand. I fell
victim to my own misunderstanding. <g>

> Super mega ultra busy with SetupBuilder development

Sounds good!

And Graham's idea with .CAB sounds good also. Not that I understand anything of that....

Wolfgang


Regards,
Wolfgang Orth
www.odata.de
