At Wed, 20 Mar 2019 07:34:37 -0700 (PDT) Alexandru <
alexandr...@meshparts.de> wrote:
>
> Am Mittwoch, 20. M=C3=A4rz 2019 15:25:29 UTC+1 schrieb Ashok:
> > On 3/20/2019 6:09 PM, Robert Heller wrote:
> >=20
> > > Can one signing certificate be used for multiple .EXE files?
> >=20
> > Yes.
> >=20
> > >=20
> > > Can the EXE file be signed under Linux or does the signing software onl=
> y run
> > > under MS-Windows? In either case can it be used to sign a batch of file=
> s,
> > > *preferably* as a non-interactive process (eg something that can go in =
> a
> > > Makefile or a script).
> > >=20
> >=20
> > I don't know about Linux. On Windows you can should be able to use=20
> > signtool.exe in a batch file provided the certificate does not require a=
> =20
> > hardware token (OV certs do not and suffice for code signing, EV=20
> > certificates generally require a token and are more expensive).
> >=20
> > > I have a bunch of programs (EXE files) that I cross-build under Linux (=
> they
> > > are all in fact Tcl/Tk programs wrapped with SDX). I don't actually ha=
> ve a
> > > machine running any version of MS-Windows, although I do have Wine inst=
> alled
> > > on at least one of my machines. From time to time I get reports that t=
> he
> > > programs might be malware, because MS-Windows discovers that the progra=
> ms are
> > > not signed and complains.
> >=20
> > Now signing tclkits (and probably freewrap exes also) is potentially a=20
> > problem. Tclkits append the "kit" to the back of the executable. If I=20
> > recall correctly, depending on whether you sign first and then attach=20
> > the kit, or the other way around, either the signature check fails or=20
> > the check succeeds but the kit vfs cannot be loaded (because it cannot=20
> > be located by the tclkit init script). I don't think this problem is fixe=
> d.
> >=20
> > Before spending the money, you can test for yourself by generating a=20
> > self-signed certificate and using that for signing. Obviously Windows=20
> > will warn it is not trusted but at least you can verify it is read and=20
> > the tclkit works before springing $$ for a real cert.
> >=20
> > /Ashok
>
> Is it possible to sign using a website cert?
Probably. A cert is a cert...