Book Review – TMS WEB Core Author: Dr. Holger Flick

Picture of Margaret Hamilton with a printout of her source code for the Apollo navigation system - source:
Not Ian Barker

I’ve become book-wealthy. This is the status you achieve when you have lots of books stacked up and their critical mass is such that they start to softly cry out to you for attention. I am the kind of programmer who revels in – and is still slightly awed by – the fact that he is paid to write programs when really it’s the thing he loves to do most in the whole world. Programming: I love it. I love designing code. I love writing code. I love writing about code and I love reading about code.

Right now, sitting on my “do this” shelf I have just shy of a half-dozen of Delphi coding books. New Delphi coding books too, not slightly moth-eaten getting-a-bit-out-of-date Delphi coding books. And because they are all shiny spanking new books, I’ll write some reviews here in case it helps you out.

The first one to join my wonderous collection is specifically about TMS WEB Core from TMS Software which is perhaps why it’s called “TMS WEB Core, Web Application Development With Delphi by Dr. Holger Flick”.

Before I dip into the review, I feel I should point out a few things. Those of you who follow along with the Embarcadero Webinars and conferences may have seen me talk about TMS WEB Core before. I make no secret of the fact I think it’s an excellent framework. You may even have seen me jointly present a couple of videos with the author, Dr. Holger Flick. Holger and are friends. We originally bonded over our shared love of Delphi and as fellow MVPs based in the USA; but we share some other interests since we are both Europeans from slightly liberal socialist-leaning countries who are married to Americans and live in the Southern United States. It’s a challenge sometimes but I think we both like the sunshine here a little more than the wonderous damp gray of your average Northern European climate. That said, Holger is far enough away I can say mean things in this review safe in the knowledge I will be hidden in a tool shed before he can drive up and wreak Teutonic revenge.

Holger’s written style is, much like his spoken English, precise, brutally accurate and perfectly proper in the way only an English-speaking German can be. Where I err on the side of colloquial with a plump vocabulary of fluffiness, Holger writes like he cut each sentence into the paper with a razor blade. Given that he used to work for Borland in a QA position back in the mists of time it’s no surprise that he slots together the chapters and examples like a finely engineered craftsman. I know in the past he’s had some discomfort from someone trying to score low blows by trying to criticize his writing and sneeringly saying that “a native English-speaking author would have written things differently” but <politician mode>let me be clear</politician mode> that’s a stack of jealous, whiny, claptrap. There are some syntactical constructs Holger uses which are perfectly valid yet hint at his German origins but you’ve got to be a bit of a pedantic word wanger like me to be in any kind of position to throw some shade. As my daughter would say: fight me.

The book is written so that it comes in the form of sections. Each section starts with a contents page. It doesn’t include an index. Personally, I think an index in any technical book is, for me, pretty useful when it comes to the point where you’ve read the book and return to it later as a reference. It’s a lot harder to find “that bit where it tells you how to parse JSON” without an index. When Holger reads this, I’m sure he and I will have some kind of frank exchange of views but, to coin an Americanism, it’s a hill I’ll die on. There is a master contents page at the start which helps make up for it. If you’re an author and you’re reading this – add an index to your book if it’s a technical book. Please?

But this is the only thing I can waft a critical finger at – the rest is an absolute cornucopia of Very Good Things.

Honestly, it’s a cracking good book. It’s a solid inch and a quarter thick and covers just about everything you need to know with regard to TMS WEB Core ranging from installing and configuring it in RAD Studio / Delphi, through basics like a simple single page app, debugging, progressive web apps or PWAs, Electron apps (shriek!) to full client-server database-driven web apps, drag and drop, bootstrap, maps, interacting with web services and even the Swagger UI. There is more to TMS WEB Core. You could write another three or four books about it and still not cover everything. It’s a nebulous subject.

I don’t want to go into massive detail about the contents because it’s pretty comprehensive – but you will learn, with Holger’s help, how to go from knowing nothing about TMS WEB Core to being able to write fairly complex web apps using nothing more than pure Delphi Object Pascal code.

If you want to know some more detail go to the Amazon link here: their “look inside” feature will allow you to browse the full main contents page.

One of the key strengths of TMS WEB Core is that you don’t need to know HTML or CSS, although it helps, and you will be thoroughly shielded from the depths of unpleasantness that is JavaScript. You write regular Delphi code – and out comes regular HTML website pages with CSS and JavaScript, all ready to go. You either just put it up on some normal web space like GoDaddy or, (even better) DreamHost – or some other place with a webserver such as your a corporate intranet – and it works just like a regular web page, except it’s a program you wrote, using Delphi code. It’s magical. Holger fully covers this, of course.

This book, combined with the attendant code samples which are available online, as well as the excellent sample apps from TMS themselves, will get you to some basic but fundamental mastery of creating web apps using Delphi. When I have demoed Web Core in the past it always blows people’s minds that I hit F12 on the web browser, set a breakpoint and up pops lines of Delphi source code. Yes, you can set breakpoints and debug the website and it shows your DELPHI object Pascal code. It’s a total mind-frack. Add into that things like the TMS FNC Components and some database stuff like XData – and you have some true power going on there; in fact things which would be quite long-winded and fiddly with other languages such as .Net. With Dr. Flick’s TMS WEB Core book you’ll know how to do all of this and a lot more besides.

Book: TMS WEB Core.  Web Application Development with Delphi
Author: Dr. Holger Flick
Author Website:
Available in: English, German
Amazon US Direct Link:

For more about TMS WEB Core:

Creating interactive web sites with Delphi

Earlier this week I presented a webinar with fellow Embarcadero MVP and TMS Evangelist Dr. Holger Flick about the superb TMS Web Core product.

You can view the official replay here:

TMS Web Core allows you to create fully interactive web pages using Embarcadero Delphi as the ‘back end’ programming language. When you hit the compile button instead of a traditional Windows executable being created you get instead pure HTML pages with CSS ready to copy over to a plain old regular web server – no further requirements beyond that.

The programmable functionality of the web application is delivered as a JavaScript file. You don’t have to write or even understand JavaScript – you just write Delphi code and the compiler converts that code into the JavaScript for you.

Web Core really highlights how easy and yet powerful the Delphi language is for writing programs. The ‘strong typing‘ is part of the secret sauce and the “R” in RAD truly demonstrates itself to mean “rapid”. Using Delphi you can frequently and repeatedly produce robust, performant and richly functional applications with embarrassingly minimal effort. Seriously, it’s sometimes a little too easy and you think to yourself, “did I miss something?” – but no, it doesn’t have to be hard to create applications – and TMS Web Core extends that understated power to creating interactive web sites using Delphi.

I can’t even begin to tell you how game- changing TMS Web Core is for Delphi programmers. There are creditable alternatives such as the venerable IntraWeb, but TMS Web Core feels a little more ‘right’, to me, and genuinely the experience is one of creating a regular Delphi application which just happens to pop out as a set of HTML pages. No mess, no fuss and easy to put up on to any web host on any hosting service of your choice.

I’m going to stream some more about this soon as I think the way I would present the product is slightly different to Holger – not better or worse, just an alternative angle!

Holger has written several excellent books on using Web Core and Delphi in general. He’s an excellent developer with broad experience, even working for a time for Borland. I recommend taking a look at the books by clicking here.

This I deign, for delicious Delphi

I thought, given my past as a published poet, that I would at least use a more rare word in a title for a Delphi blog post I was prompted to produce and, with that, add some pseudo-pentameter look and feel. In short, having a little lyrical laugh, to show that density of prose and a divers or archaic choice of words does not always serve to promote clarity. To say more sometimes is to say less and by saying less I mean this to say you, who I choose to hope to help by writing will gain more when I write the right thing succinctly, without literary ornamentation and, I believe, even more is to be gained by you if I show you things, by streaming, either live or re-recorded so you can, should you elect, pause, rewind, stop, skip through any boring bits and get value from it in and of itself, as I, in my mind, perhaps in a folly of imagination, like to think you do.


Those proceeding 170 words are a bit of a word spaghetti aren’t they? Here’s the thing (to be said in your mind like Adrian Monk) – I always, when I write on this blog and when I stream, strive to be clear and approachable. Not only that, I will try and be as honest as I can and show you code and techniques that are not fancy for the sake of being fancy – I want to show things that maybe you don’t know how to do (otherwise, what’s the point?) and will really help you, generally because they helped me.

With this in mind, August is going to be a little bit of a tsunami of me taking part in some streams. Texas is way too hot to go outside in August anyway so I may as well spend an extra amount of time scrunched over a clicky keyboard and putting my reputation at the mercy of several webinars. Ah, what could possibly go wrong? 😋

Plus, it appears, that this brutal pandemic seems to be not quite ready to ride off into the sunset. Social distancing and the temporary interruption to what we’ve all previously thought is normal: going out, having a social life; even the simple pleasure of eating is curtailed – so we have a little more time on our hands to learn new things, myself included.

I really think Delphi is my super-power. If that sounds like a sales line, it’s not. If you watched the recent Fireside Chat session I had with Jim McKeeth you’ll hear me go into a lot more detail about what it is I do for a ‘day job’, my background and history as well as a few of my thoughts on Delphi and code in general. It’s that faith in the ability of Delphi to produce ROCK SOLID stable applications in a very short space of time using a language which has an elegance to it which totally clicks for me and has the power to Get Stuff Done that enthuses me to write things here and to take part in the webinars and so on.

So, all that said and done, what have I got planned for August?

On Wednesday 19th August…

How to give your apps the REALLY COOL Windows 10 Fluent UI look and feel with Delphi

(Note that I originally had planned this for 5th August but that proved to be too short notice).

Fluent UI is the new hotness. If you have a recent version of Windows 10 then you’ve surely noticed it by now. Buttons with very cool grad fills which follow the mouse as it hovers over them, icons which are either scaled vector graphics (SVGs) or are drawn from the epic Font Awesome set, plus a whole raft of other subtle and not so subtle gizmos like borders which add affordance to windows to help you spot which ones are active or inactive.

And I haven’t even mentioned the ‘acrylic’ look and feel where portions of your screen are semi-transparent and allow a portion of the background to show through, slightly blurred. It’s cooler than ice cold.

Fluent UI is, without doubt one of the best things to happen to Microsoft Windows in the past few years – and I’m going to show you how to do it, in Delphi. There will be a full blog post backing it up along with some sample code on GitHub.

Speaking of GitHub…

On Wednesday 12th August

Using Git source code control with Delphi and RAD Studio – all the reasons WHY and EVERYTHING you need to know

Over the past few months we MVPs have been canoodling together in our secret chat rooms and darkened corners of the web and we’ve come to realize something: there are a heck of a lot of people out there who either don’t use source code control or use it but have this horrible nagging doubt that they’re only using a tiny fraction of its capabilities.

It’s a common theme for people to say “I back everything up to an external hard drive”.

I live in Tornado Alley in Texas. In fact I’ve always lived in the most active tornado zones ever since I emigrated to the USA. Mother Nature can go from blazing hot sunny day to house destroying poop your pants F5 tornado in a very few short minutes here. That gives you a whole new perspective on whether or not your code is really backed up properly. Git and GitHub, GitLab, BitBucket or one of the many and multiplying git hosting services can make this sort of life-changing destruction less… terrifying… and, if you charge for your services, less likely for you to be sued.

But that said, the main point about Git is sharing code with others, controlling the chaos that occurs when you try that – there’s a reason why nearly all verbs to do with source code collaboration are aggressive: blame, force, commit (like a crime), pull (why not sync or combine?)

Rad Studio has all the things you need in it to use Git (and SVN but I’m going to focus on Git). I’m going to show you every single aspect of Git from the why to how to when. I’ll show you some very cool tools which will make the whole process a lot less painless. Git is notorious for being a little reticent to mere mortal programmers like you and I. I’m going to pull back the kimono a little in this webinar. Even Marco Cantu (who apart from being a Delphi legend is also a certified genius) said he was looking forward to the Git webinar. No pressure, Ian, no pressure! 😁

and finally, Esther, we come to a webinar which we’re doing because so many people asked us to at a previous webinar…

On Wednesday 26th August

I’ll be co-hosting with TMS Product Evangelist Dr Holger Flick a webinar titled :-

Creating fully interactive web applications using Rad Studio, Delphi and TMS Web Core

If you’re a Delphi developer there are more than a few different ways of producing web apps. I’ve personally used the excellent Intraweb. I’ve also used Web Broker and Datasnap. However the thing which really clicked for me when I first came across it was Web Core from TMS Software.

Honestly, you pretty much write regular Delphi code, design the screens the way you would normally – and out pops a proper web app: HTML, CSS and JavaScript all ready to run on any web server. It can also produce Electron Apps as well as Progressive Web Apps (PWAs).

Holger will whizz through what TMS Web Core can do and show some excellent, easy to digest demos. He’s also got a few books available which will give you a leg up too should you need it.

So.. August…

All of these webinars will start at 11:00am CST, 4pm UTC, 5pm BST. You can check the times in your time zone via Embarcadero. I’ll update this blog post with the links when I have them.

I intend to write some fairly extensive blog posts to accompany the webinars. If you have any other ideas for Delphi-related subjects we could cover – let me know.

August is going to be an interesting time. Wait until you find out what’s planned for September!

Live webinar with Holger Flick demonstrating TMS frameworks plus two new books

This past week I helped host an Embarcadero Webinar with Dr Holger Flick who, like me, is an Embarcadero MVP but in addition to that he’s also a tech evangelist for TMS Software.

Holger has written some books on how to create Delphi apps using various TMS frameworks as well as their excellent TMS Web Core which I absolutely love.

The webinar is an hour long and you can see the official replay for it here:

You can get Holger’s books either directly from the links on his website here: or via various sites like Amazon. Visit Holger’s pages to view the details.

The lock-down continues – so we stream more live coding

Are you at a loose end and like watching people code live and enjoy hearing coders chatting about code and generally hanging out? Then you might want to subscribe to the Apocalypse Coders live stream.

It’s streamed live on Saturdays and Sundays – sometimes for as long as four hours – and features a group of Embarcadero MVPs and Delphi coders creating a cloud-based card game live on the stream using a multitude of technologies.

I’m one of the MVPs on the stream and you’ll see us using all sorts of coding methods and techniques to produce the server-side services as well as several versions of the client-side apps to showcase various technologies including VCL, FMX/Firemonkey and TMS Web Core. We intend to produce clients for Windows, Mac and Linux as well as a browser-based web client and we might even stretch out and produce iOS and Android clients too if the mood takes us.

We’re not intending to get too serious, it’s more to stream coding in Delphi rather than a huge formal tutorial, but even so we might lay out a few techniques which fellow coders may not have seen or wanted to know more about.

One of the MVPs, Andrea has produced a playlist of the most recent stream as well as an online Delphi Italia event here:

I’ll be there again this Sunday at 9am CST, 8am MNT, 14:00 UTC / BST – you can subscribe to Craig’s ChapmanWorld YouTube channel and get notified when we go live and catch the stream by going here:

Live coding – using TMS Web Core

Streaming live coding in Delphi

If you’ve been using Delphi for a while you’ve almost certainly come across the fabulous TMS Software with their enormously useful and comprehensive set of components. If you haven’t heard of them yet it’s worth clicking on the link and taking a look at what they have to offer – you’ll definitely end up saving yourself a massive amount of time using something ready-made from TMS rather than writing a whole bunch of code of your own.

Anyway, recently, Craig Chapman, Frank Lauter and myself have recently been streaming live coding on Craig’s Chapmanworld YouTube channel. For the last couple of weeks we’ve been writing a game loosely based on Apples to Apples and/or Cards Against Humanity type games.

The code is all open source and purely for the fun of it to demonstrate various coding techniques. You can follow along on the stream and also get the code from the GitHub repo which can be found here:

This week I took over quite a large part of the streaming time to show TMS’ Web Core components which allow Delphi programmers to produce fully-capable web apps from within the Delphi IDE which are then transpiled into pure HTML and CSS. That’s right: write Delphi object Pascal code, design the forms and HTML pages in the IDE in the normal way – and out pops a real self-contained web app all ready to go.

The stream is quite long, 4 hours, but I start getting down to actually using TMS Web Core and writing code around 1 hour 6 minutes in. The embedded video below starts from that point onwards although you can wind back to the start of the stream if you want to hear Craig, Frank and myself discussing various things (and getting the kinks out of the streaming technology).

We’ll be streaming every Sunday at the same time at least for the next few weeks – 8am CST, 2PM BST, 1pm GMT. Go to the Chapman World web pages for more details and subscribe to the YouTube channel to get notifications of when we’re next live again.

TMS Web Core for Apocalypse Cards
it began Delphi

25th birthday for Delphi #Delphi25th

Incredibly it has been 25 years this Valentine’s Day since Delphi was first released. I read a pre-release magazine article about it and it was completely obvious that this was going to be a whole new way of doing things for me – and all for the better too.

Now, 25 years on, I am an Embarcadero MVP for the USA and I spend every single day coding in Delphi. It has for the last couple of decades been the primary source of my income. But it doesn’t just stop with me – it’s also chugging away behind the scenes working to provide services for millions of employees in the UK through my apps and I have software in 66 different countries translated into almost as many languages.

It’s a pretty wonderful thing. If I could travel back in time to when I was 14 years old I could show Younger Me all I have achieved as a software developer, the countries I’ve visited and even amaze my teenage self by telling him how I no longer live in rainy England but instead bask in the Texas sunshine in Dallas – and as a US Citizen too with an American wife and daughter. Mind blowing. Delphi has played a consistent and on-going part in how my life has turned out, for the better.

As part of this week’s celebrations a few of the MVPs, myself included, have made videos talking about how they were influenced by Delphi and what it means to them. My video, which includes some personal history and background to the work I do, appears above.

Happy 25th birthday Delphi!

Delphi 10.3 Rio – Code signing, provisioning and the Microsoft App Store

before we start, note that this article describes code-signing on Microsoft Windows for applications designed to run on Microsoft Windows 32 or 64bit. Apple’s macOS, iOS and the Android OS also use code-signing but this process is different and uses a different chain of incompatible tools.

Open the pod-bay doors

We all know that writing code is a non-stop smorgasbord of fun, adventure games and caffeine-induced migraines. But eventually the party music has to stop and we need to get our programs out into the sweaty hands of the unsuspecting general public.

Or as Embarcadero (and Microsoft) call it: deploy.

Deployment of applications back in the halcyon days of Windows XP really meant “copy it to a CD” or, if you’re a “mature” programmer like myself maybe even a floppy disk. Oh such happy, carefree, virus-laden days.

Now of course operating systems have become a lot more sophisticated and gained complexity in deployment thanks to the preponderance of computer viruses, worms and trojan apps.

The old ways of trusting our luck just don’t work any more and the virus-writers are almost constantly engaged in a digital arms race against the anti-virus and operating system vendors.

Add to that the huge improvement in connectivity with fiber-optic cables or super-fast internet being ubiquitous in most of the Western World and gradually to the neglected rest too, then installation of applications is often digital – a link on the internet – rather than via some physical medium.

It’s a matter of trust

With easy digital distribution problems started to crop up. The hackers and crackers started to spoof URLs of popular application vendors. More than once popular applications were copied and injected with viruses. The spoofing got so good that it soon became very difficult to tell if the program you had downloaded was actually from the genuine vendor or from some nefarious bandit chomping Cheetos in a sweat-laden bedroom viper pit while he/she scooped up your banking details.

Enter a solution – code signing. Code signing uses a mechanism to embed a cryptographic-protected digital ‘certificate’ into your application’s exe or package. The certificate is issued by a Certificate Authority which is one of a handful of well-known, publicly-listed companies. The certificate is issued to the application vendor using a secure mechanism after which the application vendor (that’s you!) then uses one of a selection of special tools to sign their applications with the certificate.

This ‘signing’ embeds the certificate into the application’s exe or executable module. Once embedded in this way the certificate or any other part of the signed application file cannot be changed without breaking the certificate. This is important as it stops viruses from infecting your application and then giving the user a false sense of security because they trust you and the appearance of the certificate means you and only you created that application module. Note that it doesn’t mean you can’t accidentally code sign an application module which has already been infected with a virus or contains trojan code – but it does mean everyone will know you did it. Of course, I’m sure you use several layers of anti-virus protection on the computers which you use to build and deploy apps… right?

With the advent of Windows Vista the Windows operating system introduced User Account Control started to look for these embedded certificates and if the application you were trying to launch didn’t have a certificate Windows would show a slightly fear-inducing message telling you the publisher was unknown with a passive-aggressive hint that this would be a Bad Idea

Once you code-sign your app the sick-yellow warning gets replaced with a much more comforting blue-skies thumbs up:

As you can see in the above dialog – my name appears by “verified publisher”. This is because this was the name of the publisher on the code signing certificate. So it’s important to pick the right name if you go to purchase one.

Now, signed like this no-one can be in any doubt over who created this application because it was me who signed it or at least someone I gave the code signing certificate to along with the credentials to use it.

How to get a code-signing certificate

Nothing to do with code signing!

There are a few types of code signing certificate. Note that none of them are the same as SSL certificates used for web sites.

This is a confusion which seems to crop up regularly – the two things are similar in nature but used for different purposes and you can’t use an SSL certificate to sign code and you can’t use a code signing certificate to enable SSL and make the padlock appear on your website.

The main types of code signing certificate are:

Self-signed certificate

You create this yourself and there is even a button in Delphi 10.3 Rio’s provisioning page when you select a distribution type of “Windows Application Store”. It has the least amount of ‘trust’ and is used either for internally-distributed apps (for example within your company) or for testing purposes. You can’t use this type of certificate for ‘regular’ apps that you want to distribute to large numbers of people and even among friends you may find they are unable to run your app as they might have Windows settings which prevent this; in particular Windows 10 S is a particular flavor of Windows, installed on Microsoft Surface devices by default, which prevents installing any apps at all unless they arrive via the Microsoft App Store. In short, self-signed certificates are only just better than unsigned apps. They do have the advantage that they’re easy to create and they’re free but that’s about it.

OV Certificate

OV Certificates – or “organization validated” certificates are the most common and cheapest form of code signing certificate. This certificate costs money. The OV certificate requires the person in whose name the certificate will be issued to go through a verification process. This process can take a day or two – sometimes longer depending on what information the certificate issuing authority asks for and how easy it is for you to obtain.

For registered companies such as Ltd, PLC, LLC, Inc and charities the verification process usually uses publicly-available information such as Dun & Bradstreet and other public legal listings to validate the existence of the organization. There is usually some extra machinations such as providing a letterhead and taking part in an automated verification phone call to a number listed in the public records for that organization. It’s usually straight-forward.

For individual developers it’s a more involved process. In my case when I wanted a code signing certificate in my own name – rather than a company – I had to take various proofs of identity to a Notary Public. This is because I am based in Dallas, Texas, USA. Developers in Europe and other countries will have a different but similar process. The notarized copies of ID (there was more than one document) were then sent by the notary to a specific fax number and scans were emailed too. The whole process took about a week. I used my local UPS store for the notary services – they were cost-effective, less than $10,and I use them now for all notarization (which in the USA seems to crop up a lot!)

Despite what you may hear in most cases an OV code signing certificate is perfectly fine for the job. I write code for a number of software houses and one in particular signs all app resources using an OV certificate. These apps go out to in excess of 10,000 active customers in a huge variety of operating system configurations and deployment scenarios from regular Joe public to small offices to blue chip public listed companies including several airports and at least one Embassy that I am aware of, maybe more.

To code sign with an OV certificate you can use a utility I will describe later or Microsoft’s own MSSign application. Delphi 10.3 Rio also can sign your apps too with the OV certificate as long as you’re targeting Ad-Hoc on Windows.

EV certificates

EV Certificates or “extended validation” certificates are a much more complicated thing to obtain.

For a start the validation process is much more rigorous. Once you pass this validation process you will be issued with a USB hardware ‘key’ which is a device that acts as a ‘token’. This token must be physically present each and every time you wish to sign some code. I know that for some people this has proved to be a problem and can make automated builds a pain since you have to physically type in a password to authorize access to the token – a step which apparently can’t be fully automated.

Once you do obtain an EV certificate it does mean that things like Microsoft Smart Screen will provide you with the highest level of trust. For some scenarios this is going to be an absolute requirement.

For me, I’ve not found it necessary to get anything other than an OV code signing certificate – I recommend you read through the links above and make your own choices.

Microsoft App Store Code Signing

This final type of certificate is a bit of a weird one. When you submit an app to the Microsoft App store – either paid or free – Microsoft pass it through a validation process which checks that you’ve not used any forbidden API calls or included any other obviously infringing content. Once you pass that validation Microsoft will then sign the app for you. The code signing still identifies the author as you and is based on the “publisher” details you provided to Microsoft when you signed up to their App Store as a developer and submitted the package. I’ve yet to work out quite how Microsoft validate this as strongly as an EV or OV certificate but in the end I guess it’s not relevant to you as the developer.

Where to get a code-signing certificate

A disclaimer – I don’t have any association with any of the companies I’ve linked to here and elsewhere in this article. I can vouch for K Software because I’ve used them for a few years now for several customers of mine and always get my certificates from them but beyond that I don’t know them and they don’t know me 🙂

The cheapest/most cost effective certificate vendor I’ve found is – they are resellers for Sectigo (previously known as Commodo) and provide both OV and EV certificates. The renewals are discounted too. I assume they survive off Ramen noodles for lunch every day. Either way, I’ve used them for a while and they’re still going strong so more power to them.

The number one main source for code signing certificates is Sectigo (Commodo) themselves and can be found here: – weirdly enough they are a lot more expensive than K Software who resell their certificates. I’m not sure why this is.

There are a large number of other resellers and top-level certificate authorities. I do not have experience of them so I’ll leave you to wade through the morass. Don’t pay too much, is my advice, but make sure you’re getting the correct thing.

How to code-sign your apps

I’m not going to describe the process of actually getting the certificate because the vendors do a good job of walking you through it. But however you do it you will end up with a file which either ends in .p12 or .pfx – here’s a pro tip: some apps and techniques for code-signing ask for P12 files and some want a PFX file. Whatever one you have make a copy of it and rename the copy’s extension to whatever the other one is. So P12 to PFX or PFX to P12. The reason this works is they are exactly the same file format at the binary level. Only the file extension is different. I know of one person who was going to pay for a second code signing certificate “because they had the wrong format”. Luckily they ranted in my direction and I was able to save them doling out cash unnecessarily.

If you have an EXE and you simply want to code sign outside of the IDE

Using KSign

No matter where you got your certificate, go to K Software’s website and scroll to the link which says Download KSign Now. KSign is a small Windows app which allows you to manually code sign any of your exes.

The app has areas for the certificate details and an area where you can drop or select one or more exes to code-sign. It’s easy to use.

Manually signing using Microsoft’s SignTool

You can use Microsoft’s command line code signing tool. This may be already installed on your machine.

If it’s not installed you can go here to read more about it and download the necessary software kit:

Using SignTool is fairly easy. You need to open a terminal Window and use a command line like so:

"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /f C:\PATH\TO\YOUR\CERT\certname.p12 /p passwordforthecert "C:\PATH\TO\EXE\myapp.exe"

Obviously that needs to be all on one line. Note the use of the P12 certificate extension.

I use Signtool in some of my automated builds where I am signing several hundred different exes and modules which are built via a script.

Code signing in the RAD Studio Delphi IDE

There are two ways to do this. You can either use SignTool as post-build task in the IDE. You can read more about how to set up these tasks here: – essentially just replicate the line above for the manually signing using SignTool paragraph and tweak it for your situation.

The other way to sign your apps is to target the Windows Application store and select “ad hoc” as the distribution type as shown here:

In the section which says “certificate file” put (or choose) the path to your PFX code-signing certificate.

In the password field put the password which you used when securing your certificate file. You’ll know which one this is when you’ve got your certificate.

Now when you select build and deploy it the resulting application will have been signed with your certificate.

High-re DPI and Per Monitor v2 with Delphi and RAD Studio

It is very common now that users have more than one monitor; even laptop users often dock a screen which gives them two screens.  People even sometimes use tablets as second screens.  All of these can use different resolutions. 

Microsoft caught on to this trend and with successive versions of Windows 10 they introduced the “Per monitor v2” technology. This allowed users to have different DPI scaling for each monitor. Now, for example, users could have a laptop’s LCD panel showing at its native resolution and an additional external monitor displaying at perhaps a higher resolution of DPI. Note that this is not just the pixel width and height but the actual denseness of the pixels per inch.

If you dragged your legacy Delphi apps from one window to another you could see that change in pixel density. Things would look sharper or less sharp, scaled weird or, even worse, drew text in the wrong places because the coordinates were worked out on a machine running on and launching at 96DPI and was dragged over to a screen now running at 120DPI.

Prior to Delphi 10.3 this made our apps look bad.  Not so now. 

Rio to the rescue…

In Delphi 10.3 Rio there is now some settings found in the main menu by selecting project, options and then clicking on manifest. You can also press SHIFT + CTRL + F11 to get to the same place.

The red lines in the image above show you where to check. Under DPI awareness you should have Per monitor v2 selected. For new projects and those upgraded from legacy versions of Delphi you should find it’s already been chosen for you.

In addition to the Delphi runtime taking care of enabling Per Monitor v2 by notifying Windows that our app understands it there is also a new event which gets triggered on your forms if the screen’s DPI changes, perhaps due to them changing the Desktop resolution in the Windows preferences.

This event is OnAfterMonitorDpiChanged and it triggers just as your would expect.

Other options on the project options page

While we’re on the project options page, just above the setting for Per Monitor v2 you can see an option which says “Enable Runtime Themes“.

This setting needs to be checked for the themes to work (it’s checked by default). We’ll talk more about runtime Themes in a later blog post. This setting actually does a similar thing to the old TXPManifest component which has been around since the days of Delphi 7. It essentially includes extra information in the application’s manifest which tells it to render native controls in a particular way. I’d recommend you have it checked.

Execution level is another setting on the same page and is actually a pretty important feature too.  It controls the user permission level at which the app runs – default is “as invoker” but you might not want that. This setting tells the Windows runtime what execution privileges you wish to run with. If you select “as invoker” then you inherit the rights of the shell or app which launched your app. So if the shell launching your app is very restricted your app will be restricted too. Conversely if the launching process is, for example, ‘administrator’ then you’ll inherit the rights which come with that. Sweet.   The two other options are “Highest available” and “Administrator” which are fairly obvious – but both of these might need a normal mortal user to enter an administrator password or credentials before your app can run. In most cases you’re going to leave the setting at “as invoker”.

Next article – provisioning, Windows application store and code signing

In the next article I’m going to cover the new Delphi 10.3 Rio features which allow you to package your Windows apps for the Microsoft App store as well as a discussion about code-signing; what it is, how to do it and where to obtain a code-signing certificate.

Modernizing Delphi VCL apps for Windows 10 – part 2

This post follows on from part one: which in itself is a recap of my recent webinar, the replay of which can be found here:

Windows 10, the subtle bits

The great thing about Delphi is that it’s totally rock solid. I mean bullet proof, runs for ever, doesn’t need a bunch of dependencies, keeps on going for ever solid.

Because of that there’s a lot of legacy code out there. Many millions of lines of Delphi code, quietly doing its thing without fuss or drama. That’s great, but of course, the world keeps on spinning and eventually Moore’s Law means that while our programs work the environment in which they operate has changed.

Often these changes are in fashions of user interface look and feel such as new colors and the adoption or abandonment of passing trends like skeuomorphism or super-flat designs mean our older apps start to look very dated, often breathtakingly quickly as a new version of Windows wobbles its way down the now-ubiquitous always-on internet.

One of the most subtle changes to come about is the advent of 64bit Windows. For many people it happened silently. They bought a new laptop (75% of computer sales in 2018 were either laptops or tablet devices) and that laptop, in the last few years at least, ran a 64bit version of Windows 10.

Now, increasingly, I am finding that many of our corporate customers are looking to only run 64bit versions of apps. This means, if your app or particularly Windows service, is not 64bit then the customer will not allow it on their system. I did a rough count earlier via our support techs training or installing today and it was 3 of 10 servers who expressed either a preference or mandated that the system be 64bit only.

So, your Delphi 7, 2009, XE 1, 2, 3 etc apps are in trouble as they are using 32bit architecture.

Luckily, Delphi 10.3 Rio makes this an easy thing to overcome. Right click on the project in the project manager window and select “add platform”. Now choose “Windows 64bit”.

If you’re running a 64bit version of Windows you can go right ahead and select “build” and, if your components are 64bit compatible, you’ll end up with a pure 64bit exe. Simple as that.

If you’re using a 32 bit version of Windows you’ll need to connect to PAServer on a 64bit machine. To check your Windows version press the Windows key and ‘X’ and then select “system”. It will say “32 bit” or “64bit” like it does in the image at the top of this article.

But I should add a caveat; not all older components can work in a 64bit architecture. Encryption, for example, often is tied quite closely to the processor ‘bitness’. You may find that older code of this type either needs to be tweaked or replaced to work for 64bit Windows.

Likewise, some component vendors annotate their components to target only 32bit Windows, either due to the use of APIs which are incompatible with 64bit or due to other technical problems such as the size of integers and so on.

You can check if a particular component will work when targeting Windows 64bit by pointing your mouse at the component in the component palette in the RAD Studio / Delphi IDE. A hint window will appear listing all the target types on which the component can be used: Windows 32bit, Windows 64bit, iOS, Android, Linux, macOS and so on.

Here’s what the hint looks like (in dark mode) for a component which is only available for Windows 32 and 64bit.

You can read a more full explanation of targeting 64bit with Delphi here:

In the next article

We’re going to look at another silent feature of Windows 10 which will make your legacy programs look long in the tooth: high res DPI and the spectacularly-named “per monitor v2“. Come back tomorrow to see what it’s all about.