Monday, February 29, 2016

Southwest Fox 2016 Session Proposals Due Friday

This is just a reminder that session proposals for Southwest Fox 2016 and Southwest Xbase++ 2016 are due by 8 AM EST this Friday, March 4. If you are interested in presenting at either conference, please read the Call for Speakers and submit your proposals via the Geek Gatherings Submission Web site.

Thursday, February 25, 2016

Subscribe to ssUltimate

Jun Tangunan, the 2012 Ceil Silver Ambassador to Southwest Fox, is an incredible resource to the FoxPro community. His blog has great tips and sample code, with particular emphasis on interesting user interfaces such as colorful buttons and containers, date/time pickers, popup calculators, and much more.

Although almost everything Jun provides is free, he does ask for a $35 US fee for his ssUltimate library. That small fee is well worth it: you get a ton of really cool classes (some of which I showed at Southwest Fox last year) that help modernize and polish your application’s UI. However, the best part is that Jun doesn’t keep any of the money for himself: it goes to helping out flood victims in the Philippines.

This is a no-brainer, folks. You get a great library of classes from a very talented and really nice guy and help out flood victims at the same time. Payment can be made via PayPal to ss.classes.jun@gmail.com. Subscribe today!

Friday, February 19, 2016

Executable Signing Using SHA-256 Certificates

A few weeks ago, a customer complained that when they downloaded the installer for Stonefield Query, they got a warning that the download was corrupted. I tried it myself and couldn’t reproduce it, so I assumed their anti-virus software was the culprit. Then a second customer had the same problem, and then a third. Googling the error message led me to this article describing the real problem: executables signed with SHA-1 certificates (which ours are) are blocked after January 1, 2016 (although it appears to be an issue on some operating systems and not others because, as I said, the downloads worked for me). Although my certificate provider had been sending me emails about upgrading to a SHA-256 certificate, for some reason, I thought it only applied to web servers.

Several years ago, I discussed signing executables with Inno Setup (which incidentally is my most popular blog post ever). A few changes are necessary to use a SHA-256 certificate with Inno Setup, so I thought I’d document the entire process here, even those things that aren’t specific to the new certificates.

Once you’ve purchased a certificate from your chosen provider, you’ll likely get an email with a link to download the certificate into the certificate store on your machine. Normally, you’ll want the certificate in file form to make signing easier, so you need to get it out of the certificate store after you’ve downloaded it. To do so, do the following:

  • Start the Certificate Manager snap-in by running CertMgr.msc.
  • The downloaded certificate is in the Personal\Certificates section. Right-click the certificate and select All Tasks, Export to bring up the Certificate Export Wizard.
  • In the Export Private Key step, choose Yes, export the private key.
  • In the Export File Format step, Personal Information Exchange (.PFX) is already selected. Make sure Include all certificates in the certification path is turned on (it should be by default). Turn on Export all extended properties.
  • In the Security step, turn on Password and enter a password.
  • In the File to Export step, enter the name of the PFX file to create.

You can then use SignTool to sign EXEs using the PFX file. SignTool comes with Microsoft Visual Studio and the Microsoft Windows SDK. If you don’t have Visual Studio, you can download the SDK from Microsoft’s web site; search Microsoft.com for “download Windows SDK” to find the appropriate download page. You can typically find SignTool.EXE in C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1a\Bin (the version number may be different depending on what version of the SDK you download and it may be in C:\Program Files instead). Here’s an example of a command to sign an EXE (the section highlighted in yellow is new for SHA-256 certificates):

"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1a\Bin\signtool.exe" sign /fd SHA256 /tr timestampServer /td SHA256 /f certificatePath /p password /d "description" fileToSign

where timestampServer is the URL to your certificate provider’s timestamp server so the certificate can be timestamped (see your provider’s documentation), certificatePath is the path to the PFX file, password is the password for the PFX, description is the description for the digital signature, and fileToSign is the path to the EXE to sign. Remember to add quotes around any path containing spaces.

It’s actually even easier than that to sign the installer generated by Inno Setup. You can do it one of two ways:

  • In the Inno Setup Compiler, choose Configure Sign Tools from the Tools menu, click Add, specify a name (I use “Standard”), and enter something like the following for the command:

C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe sign /fd SHA256 /tr timestampServer /td SHA256 /f certificatePath /p password $p

Note there are no quotes in the path and that $p is a placeholder for the SignTool parameters specified in the [Setup] section. Then add the following to the [Setup] section of your ISS file:

SignedUninstaller=yes
SignTool=Standard /d $q{#MyAppName}$q $f

$q is a special symbol meaning insert a quote (you can’t use actual quotes here) and $f is a placeholder for the name of the file to be signed. This assumes you have a constant defined for MyAppName. If not, use whatever you wish for the description.

  • If you compile your ISS file using the Inno command line compiler, pass the following parameter to the compiler:

"/sStandard=C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe sign /fd SHA256 /tr timestampServer /td SHA256 /f certificatePath /p password"

Be sure to put the certificate in a path with no spaces in any of the folder names or you’ll get unhelpful error messages when you build the setup.
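A post-build check for the signing steps above, as an added example that is not part of the original post: it verifies each signed file with SignTool, then confirms the signature is valid, timestamped, and not backed by a SHA-1 certificate. The script name Test-Signed.ps1 and the file paths in the usage comment are placeholders; the SignTool path is the one used in the post.

```powershell
# Test-Signed.ps1 (hypothetical name): added example, not from the original post.
# Usage (paths are placeholders):
#   .\Test-Signed.ps1 -Path .\MyApp.exe, .\Output\setup.exe
param(
    [Parameter(Mandatory)] [string[]] $Path,
    [string] $SignTool = 'C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1a\Bin\signtool.exe'
)
$ErrorActionPreference = 'Stop'

$results = foreach ($file in $Path) {
    # /pa applies the default Authenticode verification policy;
    # /v prints the signing chain and timestamp details for review.
    & $SignTool verify /pa /v $file | Out-Host
    $signToolOk = ($LASTEXITCODE -eq 0)

    # Independent check through the Windows trust provider.
    $sig  = Get-AuthenticodeSignature -FilePath $file
    $cert = $sig.SignerCertificate

    [pscustomobject]@{
        File          = $file
        SignToolOk    = $signToolOk
        Status        = $sig.Status
        # Signature algorithm of the signing certificate, e.g. sha256RSA
        CertAlgorithm = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }
        Signer        = if ($cert) { $cert.Subject } else { $null }
        # Without a timestamp the signature stops validating when the certificate expires.
        Timestamped   = [bool]$sig.TimeStamperCertificate
    }
}

$results | Format-List

# Fail the build if any file is unsigned, invalid, not timestamped,
# or signed with a certificate that still uses SHA-1.
$bad = $results | Where-Object {
    -not $_.SignToolOk -or
    $_.Status -ne 'Valid' -or
    -not $_.Timestamped -or
    $_.CertAlgorithm -match 'sha1'
}
if ($bad) {
    throw "Signature check failed for: $($bad.File -join ', ')"
}
```

Run it against both the application EXE and the installer Inno Setup produces, since each is signed separately.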

Tuesday, February 16, 2016

New VFPX Gauge Project

The new VFPX Gauge project allows you to quickly and easily draw attractive gauges and dashboards in your VFP applications. It uses an open source .NET component to do the actual drawing along with a small VFP wrapper class. A couple of sample forms show how to use the gauge control. Check it out!


Friday, February 12, 2016

Southwest Fox/Xbase++ 2016 Call for Speakers

Anyone interested in speaking at this year's conferences is invited to submit topics. See the Call for Speakers page for details.