Code signing certificates for AHK compiled scripts

[JnLlnd]

I distribute freeware AHK apps compiled with Ahk2Exe. More and more often, users installalling one of the apps receive malware alerts from their protection software. To prevent this, I want to sign my exe compiled files with a certificate. Does anybody here has experience with this?

From my research, I understand that I have to:
- buy a certificate "Microsoft Authenticode certificate" from one of the trusted root certificate
(http://social.technet.microsoft.com/wik ... april.aspx)
(http://www.softwarepublishercertificate.com/)
- install the Windows 10 SDK in order to use the SignTool.exe utility included in this kit.
(https://developer.microsoft.com/en-us/w ... ows-10-sdk)
- use the SignTool.exe
(https://msdn.microsoft.com/en-us/library/8s9b9yaz.aspx)
(how-to from a certificate vendor: https://www.digicert.com/code-signing/s ... d-line.htm)

This is where I am in my research. Would you have any advice or suggestions? Any specific advice related to signing apps compiled with Ahk2Exe?

Thanks,

Jean

[Guest]

Mr Joe knows it seems https://autohotkey.com/boards/viewtopic.php?t=15676

[JnLlnd]

Thanks, I have not found it when I searched the forum. I'm going to read it right now.

[JnLlnd]

To follow-up about the thread mentioned by Guest, yes, Mr Joe knows. This thread answered most of my questions. The author of the OP had issue with its signed compiled file but this was related to using an incorrect version of the AutoHotkey runtime, not about the signing itself.

One question remains. Is is correct to think that signing an exe will prevent malware false alerts as described in this thread?

[lexikos]

It may or may not reduce the risk of false positives. I doubt that every antivirus cares about digital signatures and "Microsoft Authenticode", but if you're specifically concerned about MSE and Defender, it might help.

It might reduce the risk of "red flags", like Microsoft's SmartScreen service preventing your file from being download/run due to lack of "reputation".

[JnLlnd]

It may or may not reduce the risk of false positives. I doubt that every antivirus cares about digital signatures and "Microsoft Authenticode", but if you're specifically concerned about MSE and Defender, it might help.

It might reduce the risk of "red flags", like Microsoft's SmartScreen service preventing your file from being download/run due to lack of "reputation".

Thank you for this follow-up, Lexikos. I was a little more optimistic about the effect of digital signature. But, as you mentioned, it won't hurt...

[Visioneer]

Hi,
I was looking for cheapest solutions for this and I came across K Software with free ksign companion program.
They are a Comodo reseller.
http://codesigning.ksoftware.net/
https://www.raymond.cc/blog/cheapest-co ... getting-it

I would want to use it for signing a Unicode AHK_L mpress compiled exe inside a XXXsetup.exe file made with
INNO Script Studio Setup Compiler.

Anyone tried this? Would it work for above. It seems cheaper and the free ksign seems much simpler than all
the MS routines. I would want to use it within the INNO Script Studio (Inno Setup Compiler v5.5.4 u) program
to auto add the signing whenever I update the setup.exe file.

Anyone know about the coupons referred to in the raymond.cc blog link posted above?

I am using old W7, 32 bit, IE11

Thanks