Re: Windows app certification
Posted: Wed Sep 01, 2021 10:05 pm
by stam
ksoftware wrote: Wed Sep 01, 2021 4:58 pm
I'm literally compiling a new version of kSign right now and hope to release it soon - it doesn't use signtool at all so that requirement will be gone in the very near future. I am moving away from the browser-based key generation VERY soon as well, so the IE requirement at order time will be gone. It's not technically required now as you're free to generate and submit your own CSR, but that is a pain. I'm writing a utility to help Windows users with that.
I did see somewhere that it's possible to codesign Windows apps on MacOS if you have a different version of the certificate (as per https://mkaz.blog/code/code-signing-a-w ... plication/). Is it feasible to produce a version of kSign that will run on macs to codesign windows apps?
Considering the target audience here, that would probably be very well received...
Stam
Re: Windows app certification
Posted: Sun Sep 05, 2021 10:35 pm
by matthiasr
@Stam
You can use osslsigncode from the command line to code sign Windows standalones on macOS.
Some time ago I created a little GUI for osslsigncode in LC along with some instructions on how to install osslsigncode.
You'll find it here
https://winsignhelper.dermattes.de
Re: Windows app certification
Posted: Sun Sep 05, 2021 11:26 pm
by stam
matthiasr wrote: Sun Sep 05, 2021 10:35 pm
Some time ago I created a little GUI for osslsigncode in LC along with some instructions on how to install osslsigncode.
You'll find it here
https://winsignhelper.dermattes.de
Wow thank you!
Looks good - haven't been able to test it yet as installing osslsigncode is turning out to be a convoluted situation (Xcode 12.5 tools are taking hours to download), but will definitely check it out.
The actual stack looks really good - thank you for sharing!
Re: Windows app certification
Posted: Fri Aug 12, 2022 9:07 pm
by stam
ksoftware wrote: Wed Sep 01, 2021 8:17 pm
In the end if you're happy and signing, fantastic!
Hi All
I just purchased a 3 year OV certificate with K Software as my previous one just expired, but my PC is now on Windows 11 and I belatedly realised that
a) it doesn't have Internet Explorer - this has been replaced with Edge, with an 'internet explorer mode', but as far as I can see can't be used to generate certificates (at least according to K Software's website this browser cannot be used).
b) IE was actually deprecated 2 months ago and is completely unavailable from MS as far as I can see.
Can anyone point out how to get actual IE on Win11, or if not possible what the process should be to generate the certificate, as the process with K Software requires good old IE 11?
Many thanks
Stam
Re: Windows app certification
Posted: Sat Aug 13, 2022 5:39 pm
by jacque
K Software must know about this by now, have you written to them? I expect they have an update or are at least working on one.
Re: Windows app certification
Posted: Sat Aug 13, 2022 6:59 pm
by stam
Hi Jacque, yes I did send emails and received automated notification of receipt, but as yet no reply - but it is peak holiday season I suppose. I also trawled their support knowledgebase but it does not seem to have been updated for Win11. As a side note, Win11 is sporting a definite mac-like interface but although I'm a mac user at heart, I'm not sure I like the new Win UI...
I also opened a ticket with Sectigo, as K Software resells their certificates, but as yet no reply (although in fairness I sent the ticket yesterday and don't expect to hear from Sectigo until next week).
Hence asking the question here as well, just in case someone had cracked it... I guess I'll have to wait and see what happens...
Re: Windows app certification
Posted: Sat Aug 13, 2022 7:27 pm
by matthiasr
According to this Q&A on the KSoftware web site
https://support.ksoftware.net/support/s ... supported-
Firefox is the recommended browser for purchasing certificates.
Regards,
Matthias
Re: Windows app certification
Posted: Sat Aug 13, 2022 7:57 pm
by stam
Thanks Matthias,
It's not just Firefox as such, it's Firefox 68ESR only, as apparently only this version of Firefox allows the same certificate generation that Internet Explorer does (or did anyway).
I was aware of this and before I sought any kind of support, I downloaded what I could find online - the latest ESR version (couldn't find version 68), but again was met with the message that the browser was not supported...
According to stuff I found online this version of Firefox (68ESR) is now dead:
Even if this version can be found and if it runs, it probably won't continue to do so in years ahead so this is not a long term solution.
Why do we even need a browser for this? Surely it's just a matter of downloading the appropriate certificate file from the seller (much like downloading your certificates from developer.apple.com)... what do I know, I don't really understand the Windows ecosystem

Re: Windows app certification
Posted: Sat Aug 13, 2022 8:56 pm
by matthiasr
Re: Windows app certification
Posted: Sat Aug 13, 2022 9:10 pm
by stam
Thanks Matthias!
Will give that a try...
Re: Windows app certification
Posted: Sat Aug 13, 2022 10:48 pm
by SparkOut
stam wrote: Sat Aug 13, 2022 7:57 pm
Why do we even need a browser for this? Surely it's just a matter of downloading the appropriate certificate file from the seller (much like downloading your certificates from developer.apple.com)... what do i know, i don't really understand the Windows ecosystem
I don't know the ins and outs, but it strikes me that the requirement for Internet Explorer or other older Firefox versions is purely down to the architecture of the ordering system created by this supplier.
It's not as if the deprecation of IE is a surprise, it's been announced for years and years. This suggests that the investment not being made to update the ordering platform reflects a lack of resources to do this, which would be a concern of mine.
That's not to say that I am drawing the right conclusions but I would definitely ask the supplier why they still say things like
We recommend you use Internet Explorer to order but mobile browsers are not supported in the ordering process.
on
https://support.ksoftware.net/support/s ... rtificate-
I would also ask what their roadmap is to change their systems to allow modern browsers to make a purchase.
They make statements here
https://support.ksoftware.net/support/s ... supported- like
Some people might note that with orders from other CAs like Thawte or Verisign that the private key is delivered with the certificate. That is absolutely not secure and,...
yet relying on inherently insecure browsers for the transaction seems to be a greater security problem. On that page they also seem to have contradictory, inaccurate and out of date references to the browser compatibility
The recommended browser for ordering is Firefox, because it works out of the box and doesn't prompt users unnecessarily with warnings, prompts and options like some other browsers do. However, most other major browsers will work as well.
TL;DR. I don't want to bash them, but would say to them "come on guys! Sort your site out to bring the process up to date."
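The browser-free route mentioned earlier in the thread (generating and submitting your own CSR) can be done with OpenSSL on Windows, macOS or Linux. This is an added example, not part of any forum post and not K Software's tooling; the file names, subject fields and the 3072-bit RSA key size are assumptions, so use whatever the reseller specifies.

```shell
#!/bin/sh
# Added example: create a code-signing key pair and CSR locally, then check
# that the CSR is safe to hand over (public key only) and belongs to the key.
# File names and subject values are constructed placeholders.

make_csr() (
    dir=$1
    umask 077    # private key file is created readable by the owner only
    # The private key is generated here and never leaves this machine.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$dir/codesign.key" 2>/dev/null || exit 1
    # The CSR holds the subject and public key, signed with the private key.
    openssl req -new -key "$dir/codesign.key" -out "$dir/codesign.csr" \
        -subj "/C=US/O=Example Org/CN=Example Org" || exit 1
)

csr_has_no_private_key() {
    # What gets submitted must be a certificate request, nothing more.
    grep -q "BEGIN CERTIFICATE REQUEST" "$1/codesign.csr" || return 1
    ! grep -q "PRIVATE KEY" "$1/codesign.csr"
}

csr_matches_key() {
    dir=$1
    # 1. The CSR's self-signature must verify (proof of key possession).
    #    Match on the text because older OpenSSL exits 0 even on failure.
    openssl req -in "$dir/codesign.csr" -noout -verify 2>&1 \
        | grep -q "verify OK" || return 1
    # 2. The public key inside the CSR must equal the one derived from
    #    the local private key.
    csr_pub=$(openssl req -in "$dir/codesign.csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/codesign.key" -pubout)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Usage: d=$(mktemp -d) && make_csr "$d" && csr_has_no_private_key "$d" \
#        && csr_matches_key "$d" && echo "submit $d/codesign.csr only"
```

Only `codesign.csr` is submitted; once the certificate is issued, it and the locally held key can be bundled into a .pfx with `openssl pkcs12 -export`.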
Re: Windows app certification
Posted: Sat Aug 13, 2022 11:50 pm
by jacque
That's bad news, since my client has a K Software Windows certificate that will eventually expire. If you figure out anything, please let us know.
Re: Windows app certification
Posted: Mon Aug 15, 2022 7:13 pm
by stam
jacque wrote: Sat Aug 13, 2022 11:50 pm
That's bad news, since my client has a K Software Windows certificate that will eventually expire. If you figure out anything, please let us know.
Good news - I didn't really get very far by email/support tickets, so I phoned Mitchell up directly - his support number is on the website. My takeaway is if you have any difficulties just phone him rather than open a ticket etc. Very helpful and friendly and got it sorted in 5 mins.
He generated the required certificate request for me and submitted it, so just have to wait for validation from Sectigo...
S.
Re: Windows app certification
Posted: Tue Aug 16, 2022 5:44 pm
by jacque
Good to know, thanks. I personally would just update my web site but if he doesn't mind all the phone calls then that's the way to go I guess.
Re: Windows app certification
Posted: Sat Oct 01, 2022 11:32 pm
by jmk_phd
Perhaps no consolation for anyone with a newer Windows PC that requires Windows 11 -- which presumably doesn't support IE -- but I just recently renewed an expiring KSoftware/Sectigo certificate without incident by running IE in Windows 10 via Parallels on my Mac. (This was how I obtained the certificate initially last year, thanks largely to the help of forum members back when I began this thread over a year ago.)
Obviously, Parallels is irrelevant to anyone with a Windows PC. My suggestion is only that (for now) anyone who has kept a bootable backup of a Windows 10 installation that does support IE may still be able to employ this to obtain or renew a certificate. (Once downloaded, it does not matter where the .pfx is saved, because the kSign app can navigate to this.)
Frankly, I don't trust how this may change in the future, so just to be safe I purchased a two-year certificate. Hopefully all will be sorted out by 2024.
jeff k