Create and Add a Free Certificate for Your Application

hasantr
Posts: 933
Joined: 05 Apr 2016, 14:18
Location: İstanbul

Create and Add a Free Certificate for Your Application

19 Apr 2020, 11:08

It is useful to create certificates to gain the trust of antiviruses and prove that the software is yours. When they whitelist your certificate, you receive fewer false positives. It may also be useful for some antiviruses that think of AutoHotkey applications as viruses.

In order to perform these operations, you must have Windows 8.1 or above.

Creating the Certificate:

Open a PowerShell window and edit the following commands as needed: (PowerShell can be found by searching in the Start Menu)

Enter Your Website Name:

$cert = New-SelfSignedCertificate -DnsName www.yourwebsitename.com -Type CodeSigning -CertStoreLocation Cert:\CurrentUser\My

Enter the password for the certificate in the required field:

$CertPassword = ConvertTo-SecureString -String "Your_Password" -Force -AsPlainText

Enter this command to export the certificate in Pfx format:

Export-PfxCertificate -Cert "cert:\CurrentUser\My\$($cert.Thumbprint)" -FilePath "D:\Certs\Your_Cert_Name.pfx" -Password $CertPassword

The result is as follows. A certificate has been created in the path "D:\Certs".

[Image: PowerShell.png]


Add Certificate to Application:


Let's download and run the DigiCert App, a free app.
https://www.digicert.com/util/

The certificate will be displayed on the CodeSigning Tab. (If there is a different situation, add the certificate by using the "import" button on the right.)

Add the certificate by following the steps in the image in order.
[Image: DigiCert.png]

Conclusion:


Now you can right click on the certified application, open its properties and check the certificate.
[Image: EndCert.PNG]

Resources: (In Turkish Language)
https://www.sordum.net/52936/bir-yazilima-kod-sertifikasi-nasil-eklenir/
https://www.sordum.net/52825/kod-imzalama-sertifikanizi-kendiniz-olusturun/
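
The check described in the Conclusion step of the post above can also be done from PowerShell, which additionally shows whether the signature chains to a trusted root, when the certificate expires and whether the signature was timestamped. This is an added example, not part of the original post and not code from DigiCert or AutoHotkey; the function name Get-SignatureReport and the path D:\Apps\YourApp.exe are assumptions.

```powershell
# Added example: report on the Authenticode signature of a signed file.
# Get-SignatureReport is a hypothetical helper name; the path at the bottom is a placeholder.
function Get-SignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) {
        # No signer certificate: the file carries no signature at all
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; Signed = $false }
    }

    # Build the certificate chain against this machine's trusted root stores
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check, no CRL/OCSP lookup
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Path         = $Path
        Signed       = $true
        Status       = $sig.Status          # 'Valid' requires a chain ending in a trusted root
        Message      = $sig.StatusMessage
        Subject      = $cert.Subject
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        ChainTrusted = $trusted
        ChainErrors  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        NotAfter     = $cert.NotAfter
        DaysLeft     = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        # Without a timestamp the signature stops validating once the certificate expires
        Timestamped  = [bool]$sig.TimeStamperCertificate
    }
}

Get-SignatureReport -Path 'D:\Apps\YourApp.exe' | Format-List
```

For a certificate made with New-SelfSignedCertificate that has not been installed as a trusted root, expect SelfSigned to be True and ChainTrusted to be False, which is also what any other machine will see.
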
burque505
Posts: 1747
Joined: 22 Jan 2017, 19:37

Re: Create and Add a Free Certificate for Your Application

19 Apr 2020, 11:18

@hasantr, very nice and extremely useful, thank you!
Tigerlily
Posts: 377
Joined: 04 Oct 2018, 22:31

Re: Create and Add a Free Certificate for Your Application

30 Aug 2020, 13:28

@hasantr

Very interesting. I tried to download your Bright Temp x86.exe and my AV actually flagged it on Chrome and won't let me download it. I wonder if it's since you digitally signed it in this way?

Pic:
Image

Normally, when I download an AHK exe from this site or GitHub that is not digitally signed in this way, I have no issues.

I was thinking it would be really cool if you made this certification process into an AHK GUI that anyone can use on any script.

Cheers.
-TL
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Create and Add a Free Certificate for Your Application

06 Sep 2020, 00:56

This was talked about a little bit on the Report False-Positives To Anti-Virus Companies thread. Digital signatures don't mean that Anti-Virus companies won't flag an executable as malware. Despite Windows Defender/SmartScreen, users can report your application (in numerous ways to numerous companies) as suspicious or malware, in addition to reporting your website. What digital signatures help with is user trust, SmartScreen, and UAC. With SmartScreen, it will show your information and the user can feel more comfortable about saying yes and allowing your program to run. That you have a digital signature and detailed information filled out makes the program, author, and/or website it comes from look more professional. This in turn helps establish a reputation of trust with users and Microsoft, and after a bunch of installs and time, Microsoft will be less likely to launch the pop-up when new users attempt to install your application. Though this reputation is only for the present version of the application, not updates or newer versions.

With most Anti-Virus companies, they can be less likely to flag the program as malware, because it does have details like product name, product version, and a digital signature. But that's only a good start, out of multiple more checks to come. They will check for certain signatures, packers, behavior, attempting internet access, attempting to write to the registry, etc... For instance, Bright Temp x86 writes to the registry, thus will come under higher scrutiny.

Also, when it comes to digital signatures, there are more business shenanigans that are played. There are EV code signing certificates. These help establish your reputation with SmartScreen right away, for a nice sized yearly fee of course, with partners of Microsoft. And not just with Microsoft, but also with Google Safe Browsing (used also by Firefox, in addition to Chrome). You don't have to get the EV code signing certificate, but then you will have to wait an unknown period of time (see what they did there) to establish a positive reputation with Microsoft.
hasantr
Posts: 933
Joined: 05 Apr 2016, 14:18
Location: İstanbul

Create and Add a Free Certificate for Your Application

24 Sep 2020, 19:30

Tigerlily wrote:
30 Aug 2020, 13:28
@hasantr

Very interesting. I tried to download your Bright Temp x86.exe and my AV actually flagged it on Chrome and won't let me download it. I wonder if it's since you digitally signed it in this way?

Pic:
Image

Normally, when I download an AHK exe from this site or GitHub that is not digitally signed in this way, I have no issues.

I was thinking it would be really cool if you made this certification process into an AHK GUI that anyone can use on any script.

Cheers.

The certificate may have expired.
SteveMylo
Posts: 233
Joined: 22 Jun 2021, 00:50
Location: Australia

Re: Create and Add a Free Certificate for Your Application

27 Jan 2022, 17:39

@SOTE great info thanks. I'm about to sell my scripts with expected sales of around 10,000 plus eventually which is huge. Pretty excited.

I know that most people say Don't use AHK for mass sales but...... It's all I know and the unique Super Fast image search function that I'm using can't be done anywhere else.

So if I buy Digital Certificates from this site with a yearly fee https://www.sslshopper.com/ev-code-signing-certificates.html do you think all my problems will be solved? Or am I dreamin? :crazy:

Or should I give up? Giving up would be waving my hard-earned dream goodbye.

Many thanks.

Steve
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Create and Add a Free Certificate for Your Application

28 Jan 2022, 09:55

@SteveMylo
First, I would say to pursue your dream, and see if it can become reality. Because at least you can say that you have tried, and will know the result versus it always being a fantasy. As for Digital Certificates, an argument can be made that the EV type is an expensive upfront cost, when you don't have any sales yet or are inexperienced. Some might want to go with the free/cheaper OV type for a year, see how things go, and then do EV. Of course, this is up to the person and their present situation.

Keep in mind that Digital Certificates will help with the shenanigans that AV companies can put developers through, but it isn't a guarantee that some companies or users (with any kind of odd issue) won't cause problems nor does it guarantee sales. Anyway, good luck.
SteveMylo
Posts: 233
Joined: 22 Jun 2021, 00:50
Location: Australia

Re: Create and Add a Free Certificate for Your Application

28 Jan 2022, 16:33

Thanks! I’m happy to buy the more expensive certificate, I consider it a small investment for a business venture. Cheers. I’ll definitely chase my dream :-)
lmstearn
Posts: 714
Joined: 11 Aug 2016, 02:32

Re: Create and Add a Free Certificate for Your Application

05 May 2022, 11:15

Bookmarked, thanks. :)
It seems SmartScreen nowadays relies more on rep stats- which in turn may depend on ("meta")data sharing permissions on PCs set at OS install/upgrade. Defender is a little more random, and may spit the dummy on a certain day of the week, or month(s). There's a nice signtool gui as well.
Semi-related old thread: Enable Interaction with Administrative Programs, and more recently sign with osslsigncode via Linux.