Delphi 10.3 Rio – Code signing, provisioning and the Microsoft App Store

before we start, note that this article describes code-signing on Microsoft Windows for applications designed to run on Microsoft Windows 32 or 64bit. Apple’s macOS, iOS and the Android OS also use code-signing but this process is different and uses a different chain of incompatible tools.

Open the pod-bay doors

We all know that writing code is a non-stop smorgasbord of fun, adventure games and caffeine-induced migraines. But eventually the party music has to stop and we need to get our programs out into the sweaty hands of the unsuspecting general public.

Or as Embarcadero (and Microsoft) call it: deploy.

Deployment of applications back in the halcyon days of Windows XP really meant “copy it to a CD” or, if you’re a “mature” programmer like myself maybe even a floppy disk. Oh such happy, carefree, virus-laden days.

Now of course operating systems have become a lot more sophisticated and gained complexity in deployment thanks to the preponderance of computer viruses, worms and trojan apps.

The old ways of trusting our luck just don’t work any more and the virus-writers are almost constantly engaged in a digital arms race against the anti-virus and operating system vendors.

Add to that the huge improvement in connectivity with fiber-optic cables or super-fast internet being ubiquitous in most of the Western World and gradually to the neglected rest too, then installation of applications is often digital – a link on the internet – rather than via some physical medium.

It’s a matter of trust

With easy digital distribution problems started to crop up. The hackers and crackers started to spoof URLs of popular application vendors. More than once popular applications were copied and injected with viruses. The spoofing got so good that it soon became very difficult to tell if the program you had downloaded was actually from the genuine vendor or from some nefarious bandit chomping Cheetos in a sweat-laden bedroom viper pit while he/she scooped up your banking details.

Enter a solution – code signing. Code signing uses a mechanism to embed a cryptographic-protected digital ‘certificate’ into your application’s exe or package. The certificate is issued by a Certificate Authority which is one of a handful of well-known, publicly-listed companies. The certificate is issued to the application vendor using a secure mechanism after which the application vendor (that’s you!) then uses one of a selection of special tools to sign their applications with the certificate.

This ‘signing’ embeds the certificate into the application’s exe or executable module. Once embedded in this way the certificate or any other part of the signed application file cannot be changed without breaking the certificate. This is important as it stops viruses from infecting your application and then giving the user a false sense of security because they trust you and the appearance of the certificate means you and only you created that application module. Note that it doesn’t mean you can’t accidentally code sign an application module which has already been infected with a virus or contains trojan code – but it does mean everyone will know you did it. Of course, I’m sure you use several layers of anti-virus protection on the computers which you use to build and deploy apps… right?

With the advent of Windows Vista the Windows operating system introduced User Account Control started to look for these embedded certificates and if the application you were trying to launch didn’t have a certificate Windows would show a slightly fear-inducing message telling you the publisher was unknown with a passive-aggressive hint that this would be a Bad Idea

Once you code-sign your app the sick-yellow warning gets replaced with a much more comforting blue-skies thumbs up:

As you can see in the above dialog – my name appears by “verified publisher”. This is because this was the name of the publisher on the code signing certificate. So it’s important to pick the right name if you go to purchase one.

Now, signed like this no-one can be in any doubt over who created this application because it was me who signed it or at least someone I gave the code signing certificate to along with the credentials to use it.

How to get a code-signing certificate

Nothing to do with code signing!

There are a few types of code signing certificate. Note that none of them are the same as SSL certificates used for web sites.

This is a confusion which seems to crop up regularly – the two things are similar in nature but used for different purposes and you can’t use an SSL certificate to sign code and you can’t use a code signing certificate to enable SSL and make the padlock appear on your website.

The main types of code signing certificate are:

Self-signed certificate

You create this yourself and there is even a button in Delphi 10.3 Rio’s provisioning page when you select a distribution type of “Windows Application Store”. It has the least amount of ‘trust’ and is used either for internally-distributed apps (for example within your company) or for testing purposes. You can’t use this type of certificate for ‘regular’ apps that you want to distribute to large numbers of people and even among friends you may find they are unable to run your app as they might have Windows settings which prevent this; in particular Windows 10 S is a particular flavor of Windows, installed on Microsoft Surface devices by default, which prevents installing any apps at all unless they arrive via the Microsoft App Store. In short, self-signed certificates are only just better than unsigned apps. They do have the advantage that they’re easy to create and they’re free but that’s about it.

OV Certificate

OV Certificates – or “organization validated” certificates are the most common and cheapest form of code signing certificate. This certificate costs money. The OV certificate requires the person in whose name the certificate will be issued to go through a verification process. This process can take a day or two – sometimes longer depending on what information the certificate issuing authority asks for and how easy it is for you to obtain.

For registered companies such as Ltd, PLC, LLC, Inc and charities the verification process usually uses publicly-available information such as Dun & Bradstreet and other public legal listings to validate the existence of the organization. There is usually some extra machinations such as providing a letterhead and taking part in an automated verification phone call to a number listed in the public records for that organization. It’s usually straight-forward.

For individual developers it’s a more involved process. In my case when I wanted a code signing certificate in my own name – rather than a company – I had to take various proofs of identity to a Notary Public. This is because I am based in Dallas, Texas, USA. Developers in Europe and other countries will have a different but similar process. The notarized copies of ID (there was more than one document) were then sent by the notary to a specific fax number and scans were emailed too. The whole process took about a week. I used my local UPS store for the notary services – they were cost-effective, less than $10,and I use them now for all notarization (which in the USA seems to crop up a lot!)

Despite what you may hear in most cases an OV code signing certificate is perfectly fine for the job. I write code for a number of software houses and one in particular signs all app resources using an OV certificate. These apps go out to in excess of 10,000 active customers in a huge variety of operating system configurations and deployment scenarios from regular Joe public to small offices to blue chip public listed companies including several airports and at least one Embassy that I am aware of, maybe more.

To code sign with an OV certificate you can use a utility I will describe later or Microsoft’s own MSSign application. Delphi 10.3 Rio also can sign your apps too with the OV certificate as long as you’re targeting Ad-Hoc on Windows.

EV certificates

EV Certificates or “extended validation” certificates are a much more complicated thing to obtain.

For a start the validation process is much more rigorous. Once you pass this validation process you will be issued with a USB hardware ‘key’ which is a device that acts as a ‘token’. This token must be physically present each and every time you wish to sign some code. I know that for some people this has proved to be a problem and can make automated builds a pain since you have to physically type in a password to authorize access to the token – a step which apparently can’t be fully automated.

Once you do obtain an EV certificate it does mean that things like Microsoft Smart Screen will provide you with the highest level of trust. For some scenarios this is going to be an absolute requirement.

For me, I’ve not found it necessary to get anything other than an OV code signing certificate – I recommend you read through the links above and make your own choices.

Microsoft App Store Code Signing

This final type of certificate is a bit of a weird one. When you submit an app to the Microsoft App store – either paid or free – Microsoft pass it through a validation process which checks that you’ve not used any forbidden API calls or included any other obviously infringing content. Once you pass that validation Microsoft will then sign the app for you. The code signing still identifies the author as you and is based on the “publisher” details you provided to Microsoft when you signed up to their App Store as a developer and submitted the package. I’ve yet to work out quite how Microsoft validate this as strongly as an EV or OV certificate but in the end I guess it’s not relevant to you as the developer.

Where to get a code-signing certificate

A disclaimer – I don’t have any association with any of the companies I’ve linked to here and elsewhere in this article. I can vouch for K Software because I’ve used them for a few years now for several customers of mine and always get my certificates from them but beyond that I don’t know them and they don’t know me 🙂

The cheapest/most cost effective certificate vendor I’ve found is https://ksoftware.net – they are resellers for Sectigo (previously known as Commodo) and provide both OV and EV certificates. The renewals are discounted too. I assume they survive off Ramen noodles for lunch every day. Either way, I’ve used them for a while and they’re still going strong so more power to them.

The number one main source for code signing certificates is Sectigo (Commodo) themselves and can be found here: https://sectigo.com/signing-certificates/code-signing – weirdly enough they are a lot more expensive than K Software who resell their certificates. I’m not sure why this is.

There are a large number of other resellers and top-level certificate authorities. I do not have experience of them so I’ll leave you to wade through the morass. Don’t pay too much, is my advice, but make sure you’re getting the correct thing.

How to code-sign your apps

I’m not going to describe the process of actually getting the certificate because the vendors do a good job of walking you through it. But however you do it you will end up with a file which either ends in .p12 or .pfx – here’s a pro tip: some apps and techniques for code-signing ask for P12 files and some want a PFX file. Whatever one you have make a copy of it and rename the copy’s extension to whatever the other one is. So P12 to PFX or PFX to P12. The reason this works is they are exactly the same file format at the binary level. Only the file extension is different. I know of one person who was going to pay for a second code signing certificate “because they had the wrong format”. Luckily they ranted in my direction and I was able to save them doling out cash unnecessarily.

If you have an EXE and you simply want to code sign outside of the IDE

Using KSign

No matter where you got your certificate, go to K Software’s website and scroll to the link which says Download KSign Now. KSign is a small Windows app which allows you to manually code sign any of your exes.

The app has areas for the certificate details and an area where you can drop or select one or more exes to code-sign. It’s easy to use.

Manually signing using Microsoft’s SignTool

You can use Microsoft’s command line code signing tool. This may be already installed on your machine.

If it’s not installed you can go here to read more about it and download the necessary software kit: https://docs.microsoft.com/en-us/windows/win32/seccrypto/signtool

Using SignTool is fairly easy. You need to open a terminal Window and use a command line like so:

"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /f C:\PATH\TO\YOUR\CERT\certname.p12 /p passwordforthecert "C:\PATH\TO\EXE\myapp.exe"

Obviously that needs to be all on one line. Note the use of the P12 certificate extension.

I use Signtool in some of my automated builds where I am signing several hundred different exes and modules which are built via a script.

Code signing in the RAD Studio Delphi IDE

There are two ways to do this. You can either use SignTool as post-build task in the IDE. You can read more about how to set up these tasks here: http://docwiki.embarcadero.com/RADStudio/Rio/en/Creating_Build_Events – essentially just replicate the line above for the manually signing using SignTool paragraph and tweak it for your situation.

The other way to sign your apps is to target the Windows Application store and select “ad hoc” as the distribution type as shown here:

In the section which says “certificate file” put (or choose) the path to your PFX code-signing certificate.

In the password field put the password which you used when securing your certificate file. You’ll know which one this is when you’ve got your certificate.

Now when you select build and deploy it the resulting application will have been signed with your certificate.

The next post

Coming tomorrow (or when I get a chance to write it – I am a working developer and very busy!) will be about the various Windows 10 specific VCL components available in Delphi 10.3 Rio with a few examples of them in use.

There are so many things to talk about with Delphi and Windows 10 this could all go on some time…

High-re DPI and Per Monitor v2 with Delphi and RAD Studio

It is very common now that users have more than one monitor; even laptop users often dock a screen which gives them two screens.  People even sometimes use tablets as second screens.  All of these can use different resolutions. 

Microsoft caught on to this trend and with successive versions of Windows 10 they introduced the “Per monitor v2” technology. This allowed users to have different DPI scaling for each monitor. Now, for example, users could have a laptop’s LCD panel showing at its native resolution and an additional external monitor displaying at perhaps a higher resolution of DPI. Note that this is not just the pixel width and height but the actual denseness of the pixels per inch.

If you dragged your legacy Delphi apps from one window to another you could see that change in pixel density. Things would look sharper or less sharp, scaled weird or, even worse, drew text in the wrong places because the coordinates were worked out on a machine running on and launching at 96DPI and was dragged over to a screen now running at 120DPI.

Prior to Delphi 10.3 this made our apps look bad.  Not so now. 

Rio to the rescue…

In Delphi 10.3 Rio there is now some settings found in the main menu by selecting project, options and then clicking on manifest. You can also press SHIFT + CTRL + F11 to get to the same place.

The red lines in the image above show you where to check. Under DPI awareness you should have Per monitor v2 selected. For new projects and those upgraded from legacy versions of Delphi you should find it’s already been chosen for you.

In addition to the Delphi runtime taking care of enabling Per Monitor v2 by notifying Windows that our app understands it there is also a new event which gets triggered on your forms if the screen’s DPI changes, perhaps due to them changing the Desktop resolution in the Windows preferences.

This event is OnAfterMonitorDpiChanged and it triggers just as your would expect.

Other options on the project options page

While we’re on the project options page, just above the setting for Per Monitor v2 you can see an option which says “Enable Runtime Themes“.

This setting needs to be checked for the themes to work (it’s checked by default). We’ll talk more about runtime Themes in a later blog post. This setting actually does a similar thing to the old TXPManifest component which has been around since the days of Delphi 7. It essentially includes extra information in the application’s manifest which tells it to render native controls in a particular way. I’d recommend you have it checked.

Execution level is another setting on the same page and is actually a pretty important feature too.  It controls the user permission level at which the app runs – default is “as invoker” but you might not want that. This setting tells the Windows runtime what execution privileges you wish to run with. If you select “as invoker” then you inherit the rights of the shell or app which launched your app. So if the shell launching your app is very restricted your app will be restricted too. Conversely if the launching process is, for example, ‘administrator’ then you’ll inherit the rights which come with that. Sweet.   The two other options are “Highest available” and “Administrator” which are fairly obvious – but both of these might need a normal mortal user to enter an administrator password or credentials before your app can run. In most cases you’re going to leave the setting at “as invoker”.

Next article – provisioning, Windows application store and code signing

In the next article I’m going to cover the new Delphi 10.3 Rio features which allow you to package your Windows apps for the Microsoft App store as well as a discussion about code-signing; what it is, how to do it and where to obtain a code-signing certificate.

Modernizing Delphi VCL apps for Windows 10 – part 2

This post follows on from part one: https://www.codedotshow.com/blog/modernizing-delphi-vcl-apps-for-windows-10/ which in itself is a recap of my recent webinar, the replay of which can be found here: register.gotowebinar.com/register/4125077757680574467?source=social

Windows 10, the subtle bits

The great thing about Delphi is that it’s totally rock solid. I mean bullet proof, runs for ever, doesn’t need a bunch of dependencies, keeps on going for ever solid.

Because of that there’s a lot of legacy code out there. Many millions of lines of Delphi code, quietly doing its thing without fuss or drama. That’s great, but of course, the world keeps on spinning and eventually Moore’s Law means that while our programs work the environment in which they operate has changed.

Often these changes are in fashions of user interface look and feel such as new colors and the adoption or abandonment of passing trends like skeuomorphism or super-flat designs mean our older apps start to look very dated, often breathtakingly quickly as a new version of Windows wobbles its way down the now-ubiquitous always-on internet.

One of the most subtle changes to come about is the advent of 64bit Windows. For many people it happened silently. They bought a new laptop (75% of computer sales in 2018 were either laptops or tablet devices) and that laptop, in the last few years at least, ran a 64bit version of Windows 10.

Now, increasingly, I am finding that many of our corporate customers are looking to only run 64bit versions of apps. This means, if your app or particularly Windows service, is not 64bit then the customer will not allow it on their system. I did a rough count earlier via our support techs training or installing today and it was 3 of 10 servers who expressed either a preference or mandated that the system be 64bit only.

So, your Delphi 7, 2009, XE 1, 2, 3 etc apps are in trouble as they are using 32bit architecture.

Luckily, Delphi 10.3 Rio makes this an easy thing to overcome. Right click on the project in the project manager window and select “add platform”. Now choose “Windows 64bit”.

If you’re running a 64bit version of Windows you can go right ahead and select “build” and, if your components are 64bit compatible, you’ll end up with a pure 64bit exe. Simple as that.

If you’re using a 32 bit version of Windows you’ll need to connect to PAServer on a 64bit machine. To check your Windows version press the Windows key and ‘X’ and then select “system”. It will say “32 bit” or “64bit” like it does in the image at the top of this article.

But I should add a caveat; not all older components can work in a 64bit architecture. Encryption, for example, often is tied quite closely to the processor ‘bitness’. You may find that older code of this type either needs to be tweaked or replaced to work for 64bit Windows.

Likewise, some component vendors annotate their components to target only 32bit Windows, either due to the use of APIs which are incompatible with 64bit or due to other technical problems such as the size of integers and so on.

You can check if a particular component will work when targeting Windows 64bit by pointing your mouse at the component in the component palette in the RAD Studio / Delphi IDE. A hint window will appear listing all the target types on which the component can be used: Windows 32bit, Windows 64bit, iOS, Android, Linux, macOS and so on.

Here’s what the hint looks like (in dark mode) for a component which is only available for Windows 32 and 64bit.

You can read a more full explanation of targeting 64bit with Delphi here: http://docwiki.embarcadero.com/RADStudio/Rio/en/64-bit_Windows_Application_Development

In the next article

We’re going to look at another silent feature of Windows 10 which will make your legacy programs look long in the tooth: high res DPI and the spectacularly-named “per monitor v2“. Come back tomorrow to see what it’s all about.

Modernizing Delphi VCL apps for Windows 10


A few days ago I presented a webinar as part of Embarcadero’s “Modernize with Embarcadero” series this month. If you haven’t caught any of these webinars then there’s still time to drop in and take part. The link to view the topics and presenters along with registration is here: https://www.embarcadero.com/events – there is some seriously good content ranging from novice to advanced and it’s all completely free!

My session can be caught on replay, which includes the live Q & A section by going to here and registering after which you’ll be taken directly to the video: https://register.gotowebinar.com/register/4125077757680574467?source=social

You can view all the replays here: https://community.idera.com/developer-tools/b/blog/posts/windows-10-modernize-webinar-series

Who am I? Why Delphi?

In case it’s not clear – my name is Ian Barker and I am an Embarcadero MVP. As it says on the EMB page – MVPs are experienced Delphi programmers who have a belief that the product provides benefits to developers and are happy to champion Delphi and explain why the MVP thinks RAD Studio and Delphi are great tools. For me, as a Delphi developer since the very first day Delphi 1 was released, it’s a no-brainer. I code every single day in Delphi. I specialize in ‘shrink-wrapped’ software – applications that go out to end-users rather than corporates or in-house walled-gardens.

My income depends on being able to produce apps which work with minimal problems – mostly, I create bugs, just the same as other mortals – and have those apps be stable, reliable and cost-effective to produce. According to contacts and customers I am a very prolific developer and work on a pretty large number of projects in a year. This is despite the fact I am quite lazy and have all the normal demands on my time such as dogs who insist on being walked, my wife, Lisa, who apparently likes to do things called “going out and being social with normal people” and a daughter who insists I do dad things.

Delphi has meant I can write code which works – and keeps on working – on a vast number of operating system versions and devices. It makes me look good. It makes me appear competent. Perhaps more importantly it also makes me employable.

So it’s not too much of a stretch to say good things about it. I don’t work for Embarcadero – I work for myself – although I do get some benefits such as access to the latest products and some insider knowledge.

That said, what you hear from me is the truth – Delphi can give you superpowers.

The webinar

I’ll try and briefly summarize some of the key points in this post – but you really should catch the replay if you can as it includes live examples.

The presentation looked at some RAD Studio and, in particular, Delphi features you can take advantage of today to make your existing – and new – apps look, feel and behave like modern Windows 10 applications.

Windows 10

The thing about Delphi is that it’s solid. Really really rock solid reliable runs-for-ever-without crashing solid. Because of that there’s a LOT of code out in the wild which was created with older versions of Delphi such as Delphi 2009 and even the venerable Delphi 7. Borland, as they were at the time, really got it right with Delphi 7. It was an IDE which worked well, was easy to use and supported a version of Delphi which was unshakable in almost all sorts of wide and varied deployments. No crazy operating systems dependencies, no ‘dll hell’, no need in fact for almost anything other than the finished EXE to provide the functionality.

I know of code out there running power stations, airport security scanners, Fortune 500 company payrolls, medical patient education systems… I know because I wrote some of these myself.

But as good as the older versions of Delphi 7 was it was released in an era where Microsoft were a very different animal. The modern Windows 10 builds on Windows NT technology behind the UI along with some of the great user interface schmooze ideas that started out back in the days of Windows XP which in itself was a huge improvement on what came before and still hobbles around sporting that Tellytubbyesque green hilly backdrop on dusty computer systems despite Microsoft having long abandoned it. Some operating system versions are really hard to kill.

Windows 10 is a truly useful operating system. When it did away with some of the missteps of Windows 8 – dropping the idea of being a ‘tablet operating system for your desktop’ and instead striving for greatness it accompanied a new CEO, Satya Nadella, to replace the mercurial Steve Ballmer. With Satya came a massive push into Microsoft fanatically embracing open source and an overwhelming campaign to get Windows 10 on every possible PC desktop… for free.

But it didn’t stop there. After dabbling with a mobile phone Microsoft instead reoriented itself to aim at the “internet of things” so that Windows 10 can now power things like the Raspberry Pi, touch devices like the Microsoft Surface and even now includes Linux built in. Even the once sworn enemy of Microsoft – Richard Stallman – just gave an invited talk to the Microsoft Campus in Seattle.

This. Is. Weird.

But also, what it really means is that Windows 10 is absolutely everywhere. This is great, but it also means that all this legacy code from compilers like Delphi 7, Delphi 2009 and yes even the original Delphi XE looks out of date.

Those compilers were perfectly serviceable but their runtime libraries and VCL were created before the release of such things as “fluent design’ which is a user interface design methodology and ethos used not just in Windows 10 but across other devices such as Apple Macs and Linux desktops. They call it a different name and the exact chronology and provenance are complex but suffice to say; if your app was written with an older version of Delphi then it probably looks like it’s a little… how shall I put this… stale?

Getting the beauty treatment

Happily there’s some easy things we can do to freshen things up. If you haven’t already, grab a copy of the latest release of RAD Studio Delphi, open up your projects, recompile and immediately you’ll have given them a waft of that new car smell.

Right, of course, if you’ve used a lot of third-party components – and who doesn’t, that’s part of the strength of Delphi – then you’re going to need to find updated versions. In theory if you have the source code you can recompile the component libraries but in practice it’s never quite that easy, especially if they’re from something more than 5 years ago.

I just converted a fairly significant Delphi 7 project to Delphi XE10 last year – ~1.5 million lines of code – and for the most part it was plain sailing. We went out and found updated versions of the component sets we’d used and for some we converted to either alternative vendors (who frequently have tools to assist with this) or reworked code to use new controls. But overall it wasn’t that horrible. Some sections of code were rewritten, mainly around cryptography and some comms, but really that was about it.

The Delphi language is very good at being backwardly compatible.

Getting a copy of the latest version of RAD Studio/Delphi

Last year a momentous thing happened. Embarcadero, with the blessing of their new parent, IDERA, released a “Community Edition”. This is free as in beer and remains free for developers who are learning to code, experimenters and hobbyists and for Open Source projects.

What’s even more wonderful is that this Community Edition is exactly the same as the Professional Edition of RAD Studio. This means you can produce apps which will run on Windows, macOS, Android and iOS – without the need for anything else (iOS and macOS apps need a Mac – real or virtual – to deploy. That’s an Apple restriction).

Seriously – you could be teaching yourself to create mobile apps today. If you scoot on over to the Embarcadero Academy you can even find a whole load of tutorials on how to do it.

One set of program code – target all those devices. Why aren’t you doing it? 🙂

For those who are professional developers or who do not otherwise fit into the requirements of the Community Edition there are trial versions of RAD Studio where you get to play with the most powerful version of RAD Studio Delphi for free for a limited time.

Why Delphi 10.3?

I summarized it in the webinar like so:

  • GORGEOUS new themes and templates both for VCL and Firemonkey – all of them free via GetIt plus many built-in too
  • A deluge of new Windows 10 APIs
  • Specific VCL components targeting Windows 10 features and capabilities
  • APPx packaging and deployment – for local “ad-hoc”
  • APPx with Windows Store support • 64bit Windows support – especially important now for Windows Server 2019
  • High-res DPI support and “per-monitor V2”

Great – but what are they and how do we use them?

Well, to avoid making this blog post into even more of a word-monster than it is I’m going to create a new post here every day this week covering each of the new features and capabilities.

You can go and watch the webinar replay if you don’t want to wait – but if you can hold off I’ll be covering a whole bunch of Windows 10-specific tips this week you can slot into your own programs, almost without any effort.

Meanwhile, I’m off to carry on coding a Windows 10 alerter service – in Delphi 10.3 Rio, of course.

I’ve said it before – Delphi is my superpower.