After having twice gone through the root-canal that is Sectigo, I just had a much more positive experience getting my new Windows certificate through SSL.com. I ponied up for the Yubikey, instead of subscribing to the cloud signing. I also purchased a five-year term. I’ll be 70 then, and might by then have better things to do. 
In the past I used either KSign or ExeWrapper to sign the app folders. Each would sign the .exe files and the individual DLLs. There is no such batch action in SSl.com’s SSL manager. Each file must be individually signed. At least the Yubikey’s PIN need only be entered once per session.
I seem to have no problem if I just sign the .exe files (multiple .exes in projects that have workers), then sign the Innosetup installer. However, if I also sign the top-level DLLs, I get inconsistent functionality. If I sign the plugins in the Libs folder (again, multiple Libs folder where I have workers) things just completely break, In particular, MBS acts like it it is just missing.
The plugins are a mix of Einhugur and MBS, and should already have their vendor signatures. Can I just leave them like that? Would that also apply to the top-level DLLs? Note that I’m not using DesktopHTMLViewer on Windows, so I don’t have all that Chrome stuff.
On my own systems, everything seems fine with just the .exes and the installer signed.
Thanks.
17 posts - 7 participants