Using Git source code control with Delphi and RAD Studio – all the reasons why and EVERYTHING you need to know

The replay of this webinar is here..

Why Git?

  • A lot of developers are not using SCCS even though they feel they should
  • If you Google “how do I use Git” there are a tsunami of questions and answers
  • Git dominates the open source and professional development ecosystem ▪Git is built into Rad Studio

Other Source Code Control Systems

Apart from Git there is also

“I don’t work in a team, why would I use a SCCS”

  • It’s all about the tornadoes
  • Fire
  • Theft
  • Foul-ups
  • It’s almost impossible to avoid Git – you will be assimilated!

What does Git actually do?

  • Tracks all the changes you make
  • Stores those changes as a viewable history, with comments
  • Handles changes from multiple developers
  • When used with a cloud provider – saves your code safely off-site
  • Allows you to create branches for bugs fixes or new features you are working on
  • Can merge changes from multiple developers and even your own branches into the main source tree
  • Allows you to easily revert bad changes or experiments which didn’t work out
  • Allows you to collaborate with major open source projects
  • Can pinpoint who made a change and therefore who to blame 😋
  • Allows others to make changes to shared source code in a very managed way
  • Allows you to share your source code on public web-based services like GitHub, GitLab and BitBucket

Tools to make Git a lot easier

Git can sometimes be a little challenging to use 😎

Installing Git on your machine

Use the official “Git for Windows” installer

Git for windows found at

Accept all the Git for Windows defaults…

Make a note of where it installs because you will need it later.

The default for 64bit Windows is:

 C:\Program Files\Git\bin\git.exe

It will install some other cool Open Source things too – including SubVersion!

After it Git is installed, check it’s working correctly:

Go to the terminal / command and type

   git --version

Git 101

Git keeps track of your files in a special collection / folder it calls a repository – commonly abbreviated to “repo”.

This works best if you keep all your source files for a particular project in one folder on your computer – one folder for each project.

Don’t worry if that’s not how you do things – there are ways around it.

For anything other a purely local set up you will need an account with a Git hosting provider

The main ones are

The local repo is tracked in the same folder it ‘lives’ in using a hidden sub-folder and some ‘magic’ files.

Everything else is just your regular Delphi source code, images and project resources.

Once you have created a repo in a project folder any changes you make in the repo folder are tracked by Git from then on.

  • Files that existed when you created the repo
  • New files created
  • Files deleted
  • Files edited/changed

This means everything including things you might not want to track – but you can tell Git which files to ignore, for example the _history folder contents and files ending in .~pas and .~dfm

Telling Rad Studio your Git settings

  1. In the Rad Studio IDE select tools and then options from the menu.
  2. From that menu select version control and then Git.

Remember the path I told you to make a note of when you installed Git For Windows?  This is where you need it 😉

The user name and email are the ones you use with your Git hosting company and/or typed in during the Git for Windows installation.

Using Git – opening an existing repository

We are going to ‘clone’ an existing repository. In other words we’re going to copy it to our local machine.

So, first, select File, Open From Version Control from the Rad Studio main menu.

Now choose Git from the dialog which appears.

Now enter the repo’s URL and where you want it to be saved on your local machine

You can find the repo URL on GitHub by clicking on the “code” button

Other hosts are very similar – the keyword to look for is “clone”.


You’ve just cloned your first repository. 

If you look in the folder you entered in the ‘destination’ field when you opened the project from version control you should see all the Delphi code for the project there along with the magic ‘.git’ files and folders we talked about. If all you wanted to do was get a copy of an open source repo then there’s nothing else to do but use the code.

Using Git – creating a new repository

I find this is easier if you use one of the external tools rather than the Rad Studio IDE 😲

  • You can either create a new repo from existing code


  • Create a blank (empty) repo and then create a Delphi project in there

Either way you need to have an existing folder on your local machine to hold the repo.

I’m using GitHub Desktop.

I have put the name of the repo as the same name as the folder where I will store my source code.

I have chosen to create a “.GitIgnore” magic file with Delphi settings so it ignores _history and .~* backups.

Now my new empty repo is ready to use. 

All it contains are the ‘magic’ Git files and in this case an empty default readme file.

Currently the repo is local only – just on your computer.  Click on the publish repository button in GitHub desktop to make a copy of it on the cloud hosting company’s storage space.

IMPORTANT! Tick the “keep this code private” checkbox if it’s a secret/private repo.

Using Git – changes get automatically tracked

Using Git – changes get automatically tracked

At first the new repo has only one automatically recorded change.

It may show other files if you used an existing folder which already contained a Delphi project or some resources such as graphics.

As you start to work on your project and create new files they will be ‘noticed’ by Git and automatically tracked.

Using Git – saving the changes to the repo

Mark a batch of changes so they are saved into a history point is called a commit.

There are three ways to “make a commit”:

1. You can do it within Rad Studio Delphi itself by right-clicking on the changed file or the project in Project Manager and selecting “commit”.

2. You can do it via the Windows Terminal (a.k.a the ‘command line’) using the Git command line

3. Or use GitHub Desktop / SourceTree to commit the changes:

Whichever way you choose you need to add a “commit message”.

A commit message is a note to say what you changed and why.

These messages are visible to other developers who have access to your repo. 

For Open Source projects this could mean literally anyone so it’s best to keep the comments at a professional level 😁


Even though you have committed (saved) your changes to the repo’s history log they still are only on your local machine.

In order for them to go up to the Git repo hosting space you need to push the changes to the remote copy of the repo.

Depending on what way you prefer you can either

On the command line/terminal you use Git push origin master


With Rad Studio, right click on the project root and select “Git” and then “push”, “from Repository Root”


Easiest of all, with GitHub Desktop click on the “Push origin” button

Using Git – You nearly know the basics!

So now we know how to

  • Download and install Git
  • Some popular tools for Git
  • What is Git and how it works
  • How to clone (get a copy) of an existing repo
  • How to create a new repo
  • How to commit (save) our changes
  • How to push (send) those changes to the remote (“origin”) internet host

Using Git – but there’s more…

Git has a lot of other things we’ve not shown yet.  These include:

  • Fetch – getting any new changes from a shared repo.
  • Pull – this is confusingly-named; it’s where someone makes some changes on a public or shared repo and would like you to merge them into the main branch of the code.
  • Resolving merge conflicts – this is where two sets of changes to the same file can’t be merged automatically and someone has to intervene to decide which ones to keep.

Branches and pull requests are the two biggest things you will need to understand.

Because we have limited time for this webinar we can’t show you everything so we’re going to do a part two covering the next stage: Collaborating with other developers using Git.

Good resources

Live webinar with Holger Flick demonstrating TMS frameworks plus two new books

This past week I helped host an Embarcadero Webinar with Dr Holger Flick who, like me, is an Embarcadero MVP but in addition to that he’s also a tech evangelist for TMS Software.

Holger has written some books on how to create Delphi apps using various TMS frameworks as well as their excellent TMS Web Core which I absolutely love.

The webinar is an hour long and you can see the official replay for it here:

You can get Holger’s books either directly from the links on his website here: or via various sites like Amazon. Visit Holger’s pages to view the details.

Live coding

A few of us have been getting together every Saturday and Sunday for the last ten or so weeks and playing around with live coding in Delphi.

We did this mainly to show some live coding in Delphi of various techniques as well as how to do things like a REST server/client at scale but also to show off some things like TMS Web Core which is a relatively new way of producing web apps using Delphi as the coding language.

This has taken place on Craig Chapman’s ChapmanWorld youtube channel. If you subscribe and hit the bell icon you’ll be notified the next time one of us streams. If you’ve not seen any of Craig’s videos/podcasts before you should pop on over. Craig and I are friends going all the way back to the late 90’s early 2000s when we used to both live in the UK and would rock up at the excellent Delphi User Group meetings at the POSK center in Hammersmith. Times have changed a lot since then. Craig and I are both now living in the USA and married to American wives with American kids. I swear this is something neither he nor I would believe if we could time-travel back to those days in London and tell our 90s ourselves that this would happen!

Others on the videos include Frank Lauter from Germany, Andrea Magni from Italy and I think even Jim McKeeth from Embarcadero in the US also popped in at least once. I apologize if I’ve not name-dropped others (for example, Gus and “The other Ian” both turned up to play almost every week) – in total we’ve collectively streamed 14 FOUR HOUR long episodes of live coding in Delphi.

We’ve been coding a card game and it’s taken ages, but we’ve kind of got to the point where we’re all going to move on to streaming about some other subjects. I will stream and finish the TMS Web Core client part of the game since we’re nearly done with it and it wouldn’t be right to just walk away.

Here’s a link to the most recent session. I’ve made a few changes since we did it – for example I removed the models.gamedata unit and put the object it contained as a field on the datamodule. I also changed the “type” declarations to remove the repeated ‘type’ keyword as it broke Gus’ brain to see them done that way. In subsequent streams I will put in the rest of the API calls and make the game work. I might also change the inner core to use a proper controller/data model/view with full dependency injection just to make it clear how it can be done despite the slightly weird world of Javascript placing its boots all over our lovely Object Pascal language.

A couple of notes about what’s going on in the stream. I am using TMS Web Core 1.3 running in Delphi 10.3.3 for the code. There is actually a version 1.4 of TMS Web Core out but I didn’t want to swap to using that as it was only released in the previous week and it does do a few things differently – although it also uses a later version of the Pas2JS cross-compiler which would have been helpful. Also, if I had been writing the server side (Frank and Craig did most, if not all of that) I would have used TMS XData and then linked the web client to the data using that in a cross-platform kind of way. I might do that on a stream soon just to show how quick that would have been. 20/20 hindsight is a wonderful thing 😎

Oh and sorry about the glitches with the audio in the first 20 minutes or so. Craig – who directs and hosts the stream – unwisely got some swanky new audio interface stuff and then found out he needed a PhD in audio engineering to actually use it in anger. Stick with it, it gets sorted out as time goes on.

Anyway, I hope you enjoy watching a bunch of Delphi appear before your very eyes on a live stream. We want to do more of this – Delphi is just TOO good at being the invisible driving force behind a lot of products and applications out in the real world and a bit of live streaming showing what Delphi can or can’t do I think can only be a good thing.

RAD Studio Delphi 10.4

It’s coming soon!!!!!

So many good things coming in the next release of RAD Studio, especially Delphi 10.4. A ton of stuff will crop up in the next few weeks; blog posts, demos, videos showing off delicious things like managed records, the TTitleBarPanel component and many other goodies.

You’re going to hear a lot of good things about Delphi 10.4 – after all, it is packed with lots of new goodness; fixes, new components, tweaks, managed records (you’ll learn about these and when you understand, you’ll totally get why they rock) – but above all else the Shout From The Rooftops new feature is the implementation of a Language Server Protocol or LSP.

Why do you care about this?

Well, it’s not just that it massively improves the code completion and other in-editor helper functions which in turn improves YOUR productivity when writing code..

No that’s not it;

Nor is it that the “red squiggles” (error insight) will now vanish in a puff of smoke when there’s no error – or that they will remain and be a truthful indication of the ACTUAL state of your code’s correctness when there is a genuine problem

No, not that either.


The compiler is already stupid, crazy, fast (you get used to this and it’s a shock if you ever dip your toes in another compiler’s sludgy response and teabreak compilation speed) – but LSP takes all this to another level. FAST FAST FAST.

The sad part is that LSP is so good at just getting on with the job at hand people might not notice in a few weeks time that this is the Oeuvre triumph of the 10.4 compiler team.

Fireside chat with Embarcadero’s Jim McKeeth

If you have access to the RAD Studio Welcome page you’ll see me on it this week taking part in the EMB “Fireside Chat” series with the inimitable Jim McKeeth.

If you don’t have access to RAD Studio or the Delphi IDE then you can view the video directly here:

Ian Barker – Fireside Chat with Jim McKeeth

We cover quite a broad number of things such as fashions in programming (yes they exist, honestly) and converting legacy projects to the latest version of Delphi along with the challenges that brings plus the pros and cons of FireDAC and AnyDac amongst others.

The lock-down continues – so we stream more live coding

Are you at a loose end and like watching people code live and enjoy hearing coders chatting about code and generally hanging out? Then you might want to subscribe to the Apocalypse Coders live stream.

It’s streamed live on Saturdays and Sundays – sometimes for as long as four hours – and features a group of Embarcadero MVPs and Delphi coders creating a cloud-based card game live on the stream using a multitude of technologies.

I’m one of the MVPs on the stream and you’ll see us using all sorts of coding methods and techniques to produce the server-side services as well as several versions of the client-side apps to showcase various technologies including VCL, FMX/Firemonkey and TMS Web Core. We intend to produce clients for Windows, Mac and Linux as well as a browser-based web client and we might even stretch out and produce iOS and Android clients too if the mood takes us.

We’re not intending to get too serious, it’s more to stream coding in Delphi rather than a huge formal tutorial, but even so we might lay out a few techniques which fellow coders may not have seen or wanted to know more about.

One of the MVPs, Andrea has produced a playlist of the most recent stream as well as an online Delphi Italia event here:

I’ll be there again this Sunday at 9am CST, 8am MNT, 14:00 UTC / BST – you can subscribe to Craig’s ChapmanWorld YouTube channel and get notified when we go live and catch the stream by going here:

Live coding – using TMS Web Core

Streaming live coding in Delphi

If you’ve been using Delphi for a while you’ve almost certainly come across the fabulous TMS Software with their enormously useful and comprehensive set of components. If you haven’t heard of them yet it’s worth clicking on the link and taking a look at what they have to offer – you’ll definitely end up saving yourself a massive amount of time using something ready-made from TMS rather than writing a whole bunch of code of your own.

Anyway, recently, Craig Chapman, Frank Lauter and myself have recently been streaming live coding on Craig’s Chapmanworld YouTube channel. For the last couple of weeks we’ve been writing a game loosely based on Apples to Apples and/or Cards Against Humanity type games.

The code is all open source and purely for the fun of it to demonstrate various coding techniques. You can follow along on the stream and also get the code from the GitHub repo which can be found here:

This week I took over quite a large part of the streaming time to show TMS’ Web Core components which allow Delphi programmers to produce fully-capable web apps from within the Delphi IDE which are then transpiled into pure HTML and CSS. That’s right: write Delphi object Pascal code, design the forms and HTML pages in the IDE in the normal way – and out pops a real self-contained web app all ready to go.

The stream is quite long, 4 hours, but I start getting down to actually using TMS Web Core and writing code around 1 hour 6 minutes in. The embedded video below starts from that point onwards although you can wind back to the start of the stream if you want to hear Craig, Frank and myself discussing various things (and getting the kinks out of the streaming technology).

We’ll be streaming every Sunday at the same time at least for the next few weeks – 8am CST, 2PM BST, 1pm GMT. Go to the Chapman World web pages for more details and subscribe to the YouTube channel to get notifications of when we’re next live again.

TMS Web Core for Apocalypse Cards
it began Delphi

25th birthday for Delphi #Delphi25th

Incredibly it has been 25 years this Valentine’s Day since Delphi was first released. I read a pre-release magazine article about it and it was completely obvious that this was going to be a whole new way of doing things for me – and all for the better too.

Now, 25 years on, I am an Embarcadero MVP for the USA and I spend every single day coding in Delphi. It has for the last couple of decades been the primary source of my income. But it doesn’t just stop with me – it’s also chugging away behind the scenes working to provide services for millions of employees in the UK through my apps and I have software in 66 different countries translated into almost as many languages.

It’s a pretty wonderful thing. If I could travel back in time to when I was 14 years old I could show Younger Me all I have achieved as a software developer, the countries I’ve visited and even amaze my teenage self by telling him how I no longer live in rainy England but instead bask in the Texas sunshine in Dallas – and as a US Citizen too with an American wife and daughter. Mind blowing. Delphi has played a consistent and on-going part in how my life has turned out, for the better.

As part of this week’s celebrations a few of the MVPs, myself included, have made videos talking about how they were influenced by Delphi and what it means to them. My video, which includes some personal history and background to the work I do, appears above.

Happy 25th birthday Delphi!

CodeRage 2019 – VCL – The DARK side

As in all things there are fashions in UI and UX design. Right now perhaps the biggest trend is “dark mode”. Unless you’ve been living under a rock you probably know this is where the operating system – Windows, iOS, macOS and Android – supports a user interface theme where the elements can be set to a “dark mode” which generally means all those big swathes of white automagically turn to a dark charcoal or black color.

Windows 10 supports such a mode. If you’re running one of the later builds you’ll find that all sorts of things can be ‘dark’.

Here’s Windows Explorer running in Dark Mode on Windows 10

I personally run all my devices – I use Windows, macOS, iOS and Android every day – in dark mode. I suffer from a harmless but annoying visual issue which people commonly call “floaters”. It’s a factor of my age and eyesight. This means that bright white screens are not optimal since these little whispy things float around in my field of view while I am trying to get on with the job of coding. With Dark Mode enabled the floaters, which are also dark, are almost completely mitigated to the point where I don’t even notice them.

So, for me, and perhaps others, Dark Mode is a huge benefit rather than just an aesthetic choice and I want every app I can to support it.

This is where my CodeRage 2019 video (below) comes in. We can detect whether Windows 10 is running in Dark or regular ‘light’ mode using standard and fairly straight-forward Delphi code. When we know what mode the OS is running in we can use the power of Delphi’s VCL to swap the entire visual experience of our application to an appropriate theme.

In the video I show you how to do this with a simple Delphi unit I wrote which you can include in your own apps. There’s also a demo project you can play with.

One thing I don’t discuss is what to do if your app is already running and then the user changes the Windows theme from light to dark or vice versa.

To cope with that scenario you need to trap the WM_SYSCOLORCHANGE Windows message.

procedure WMSysColorChange(var Message: TWMSysColorChange); message WM_SYSCOLORCHANGE;

When the WM_SYSCOLORCHANGE message is triggered you then need to check the Windows theme mode and react accordingly. Like so:

SetAppropriateThemeMode('Carbon', 'Windows10');

Note that all of this pertains to Microsoft Windows – and Windows 10 onwards. Other OS do it differently. Note also that Delphi 10.3.3 Rio has just been released and this includes specific code for Dark mode in your apps.


The link to the full video is here:

The code samples can be found on my GitHub pages:

Delphi 10.3 Rio – Code signing, provisioning and the Microsoft App Store

before we start, note that this article describes code-signing on Microsoft Windows for applications designed to run on Microsoft Windows 32 or 64bit. Apple’s macOS, iOS and the Android OS also use code-signing but this process is different and uses a different chain of incompatible tools.

Open the pod-bay doors

We all know that writing code is a non-stop smorgasbord of fun, adventure games and caffeine-induced migraines. But eventually the party music has to stop and we need to get our programs out into the sweaty hands of the unsuspecting general public.

Or as Embarcadero (and Microsoft) call it: deploy.

Deployment of applications back in the halcyon days of Windows XP really meant “copy it to a CD” or, if you’re a “mature” programmer like myself maybe even a floppy disk. Oh such happy, carefree, virus-laden days.

Now of course operating systems have become a lot more sophisticated and gained complexity in deployment thanks to the preponderance of computer viruses, worms and trojan apps.

The old ways of trusting our luck just don’t work any more and the virus-writers are almost constantly engaged in a digital arms race against the anti-virus and operating system vendors.

Add to that the huge improvement in connectivity with fiber-optic cables or super-fast internet being ubiquitous in most of the Western World and gradually to the neglected rest too, then installation of applications is often digital – a link on the internet – rather than via some physical medium.

It’s a matter of trust

With easy digital distribution problems started to crop up. The hackers and crackers started to spoof URLs of popular application vendors. More than once popular applications were copied and injected with viruses. The spoofing got so good that it soon became very difficult to tell if the program you had downloaded was actually from the genuine vendor or from some nefarious bandit chomping Cheetos in a sweat-laden bedroom viper pit while he/she scooped up your banking details.

Enter a solution – code signing. Code signing uses a mechanism to embed a cryptographic-protected digital ‘certificate’ into your application’s exe or package. The certificate is issued by a Certificate Authority which is one of a handful of well-known, publicly-listed companies. The certificate is issued to the application vendor using a secure mechanism after which the application vendor (that’s you!) then uses one of a selection of special tools to sign their applications with the certificate.

This ‘signing’ embeds the certificate into the application’s exe or executable module. Once embedded in this way the certificate or any other part of the signed application file cannot be changed without breaking the certificate. This is important as it stops viruses from infecting your application and then giving the user a false sense of security because they trust you and the appearance of the certificate means you and only you created that application module. Note that it doesn’t mean you can’t accidentally code sign an application module which has already been infected with a virus or contains trojan code – but it does mean everyone will know you did it. Of course, I’m sure you use several layers of anti-virus protection on the computers which you use to build and deploy apps… right?

With the advent of Windows Vista the Windows operating system introduced User Account Control started to look for these embedded certificates and if the application you were trying to launch didn’t have a certificate Windows would show a slightly fear-inducing message telling you the publisher was unknown with a passive-aggressive hint that this would be a Bad Idea

Once you code-sign your app the sick-yellow warning gets replaced with a much more comforting blue-skies thumbs up:

As you can see in the above dialog – my name appears by “verified publisher”. This is because this was the name of the publisher on the code signing certificate. So it’s important to pick the right name if you go to purchase one.

Now, signed like this no-one can be in any doubt over who created this application because it was me who signed it or at least someone I gave the code signing certificate to along with the credentials to use it.

How to get a code-signing certificate

Nothing to do with code signing!

There are a few types of code signing certificate. Note that none of them are the same as SSL certificates used for web sites.

This is a confusion which seems to crop up regularly – the two things are similar in nature but used for different purposes and you can’t use an SSL certificate to sign code and you can’t use a code signing certificate to enable SSL and make the padlock appear on your website.

The main types of code signing certificate are:

Self-signed certificate

You create this yourself and there is even a button in Delphi 10.3 Rio’s provisioning page when you select a distribution type of “Windows Application Store”. It has the least amount of ‘trust’ and is used either for internally-distributed apps (for example within your company) or for testing purposes. You can’t use this type of certificate for ‘regular’ apps that you want to distribute to large numbers of people and even among friends you may find they are unable to run your app as they might have Windows settings which prevent this; in particular Windows 10 S is a particular flavor of Windows, installed on Microsoft Surface devices by default, which prevents installing any apps at all unless they arrive via the Microsoft App Store. In short, self-signed certificates are only just better than unsigned apps. They do have the advantage that they’re easy to create and they’re free but that’s about it.

OV Certificate

OV Certificates – or “organization validated” certificates are the most common and cheapest form of code signing certificate. This certificate costs money. The OV certificate requires the person in whose name the certificate will be issued to go through a verification process. This process can take a day or two – sometimes longer depending on what information the certificate issuing authority asks for and how easy it is for you to obtain.

For registered companies such as Ltd, PLC, LLC, Inc and charities the verification process usually uses publicly-available information such as Dun & Bradstreet and other public legal listings to validate the existence of the organization. There is usually some extra machinations such as providing a letterhead and taking part in an automated verification phone call to a number listed in the public records for that organization. It’s usually straight-forward.

For individual developers it’s a more involved process. In my case when I wanted a code signing certificate in my own name – rather than a company – I had to take various proofs of identity to a Notary Public. This is because I am based in Dallas, Texas, USA. Developers in Europe and other countries will have a different but similar process. The notarized copies of ID (there was more than one document) were then sent by the notary to a specific fax number and scans were emailed too. The whole process took about a week. I used my local UPS store for the notary services – they were cost-effective, less than $10,and I use them now for all notarization (which in the USA seems to crop up a lot!)

Despite what you may hear in most cases an OV code signing certificate is perfectly fine for the job. I write code for a number of software houses and one in particular signs all app resources using an OV certificate. These apps go out to in excess of 10,000 active customers in a huge variety of operating system configurations and deployment scenarios from regular Joe public to small offices to blue chip public listed companies including several airports and at least one Embassy that I am aware of, maybe more.

To code sign with an OV certificate you can use a utility I will describe later or Microsoft’s own MSSign application. Delphi 10.3 Rio also can sign your apps too with the OV certificate as long as you’re targeting Ad-Hoc on Windows.

EV certificates

EV Certificates or “extended validation” certificates are a much more complicated thing to obtain.

For a start the validation process is much more rigorous. Once you pass this validation process you will be issued with a USB hardware ‘key’ which is a device that acts as a ‘token’. This token must be physically present each and every time you wish to sign some code. I know that for some people this has proved to be a problem and can make automated builds a pain since you have to physically type in a password to authorize access to the token – a step which apparently can’t be fully automated.

Once you do obtain an EV certificate it does mean that things like Microsoft Smart Screen will provide you with the highest level of trust. For some scenarios this is going to be an absolute requirement.

For me, I’ve not found it necessary to get anything other than an OV code signing certificate – I recommend you read through the links above and make your own choices.

Microsoft App Store Code Signing

This final type of certificate is a bit of a weird one. When you submit an app to the Microsoft App store – either paid or free – Microsoft pass it through a validation process which checks that you’ve not used any forbidden API calls or included any other obviously infringing content. Once you pass that validation Microsoft will then sign the app for you. The code signing still identifies the author as you and is based on the “publisher” details you provided to Microsoft when you signed up to their App Store as a developer and submitted the package. I’ve yet to work out quite how Microsoft validate this as strongly as an EV or OV certificate but in the end I guess it’s not relevant to you as the developer.

Where to get a code-signing certificate

A disclaimer – I don’t have any association with any of the companies I’ve linked to here and elsewhere in this article. I can vouch for K Software because I’ve used them for a few years now for several customers of mine and always get my certificates from them but beyond that I don’t know them and they don’t know me 🙂

The cheapest/most cost effective certificate vendor I’ve found is – they are resellers for Sectigo (previously known as Commodo) and provide both OV and EV certificates. The renewals are discounted too. I assume they survive off Ramen noodles for lunch every day. Either way, I’ve used them for a while and they’re still going strong so more power to them.

The number one main source for code signing certificates is Sectigo (Commodo) themselves and can be found here: – weirdly enough they are a lot more expensive than K Software who resell their certificates. I’m not sure why this is.

There are a large number of other resellers and top-level certificate authorities. I do not have experience of them so I’ll leave you to wade through the morass. Don’t pay too much, is my advice, but make sure you’re getting the correct thing.

How to code-sign your apps

I’m not going to describe the process of actually getting the certificate because the vendors do a good job of walking you through it. But however you do it you will end up with a file which either ends in .p12 or .pfx – here’s a pro tip: some apps and techniques for code-signing ask for P12 files and some want a PFX file. Whatever one you have make a copy of it and rename the copy’s extension to whatever the other one is. So P12 to PFX or PFX to P12. The reason this works is they are exactly the same file format at the binary level. Only the file extension is different. I know of one person who was going to pay for a second code signing certificate “because they had the wrong format”. Luckily they ranted in my direction and I was able to save them doling out cash unnecessarily.

If you have an EXE and you simply want to code sign outside of the IDE

Using KSign

No matter where you got your certificate, go to K Software’s website and scroll to the link which says Download KSign Now. KSign is a small Windows app which allows you to manually code sign any of your exes.

The app has areas for the certificate details and an area where you can drop or select one or more exes to code-sign. It’s easy to use.

Manually signing using Microsoft’s SignTool

You can use Microsoft’s command line code signing tool. This may be already installed on your machine.

If it’s not installed you can go here to read more about it and download the necessary software kit:

Using SignTool is fairly easy. You need to open a terminal Window and use a command line like so:

"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /f C:\PATH\TO\YOUR\CERT\certname.p12 /p passwordforthecert "C:\PATH\TO\EXE\myapp.exe"

Obviously that needs to be all on one line. Note the use of the P12 certificate extension.

I use Signtool in some of my automated builds where I am signing several hundred different exes and modules which are built via a script.

Code signing in the RAD Studio Delphi IDE

There are two ways to do this. You can either use SignTool as post-build task in the IDE. You can read more about how to set up these tasks here: – essentially just replicate the line above for the manually signing using SignTool paragraph and tweak it for your situation.

The other way to sign your apps is to target the Windows Application store and select “ad hoc” as the distribution type as shown here:

In the section which says “certificate file” put (or choose) the path to your PFX code-signing certificate.

In the password field put the password which you used when securing your certificate file. You’ll know which one this is when you’ve got your certificate.

Now when you select build and deploy it the resulting application will have been signed with your certificate.