VSoft Technologies Blogs

Black Friday Sale 2025 - 40% off all new licenses - Extended!

Sun, 23 Nov 2025 23:20:19 GMT

Black Friday Sale - 40% off all new licenses until midnight (utc) 9th December 2025.

No coupon code required, the store will apply the discount automatically.

ClickOnce and VSTO Application Signing with Signotaur

Tue, 14 Oct 2025 00:23:40 GMT

If you've been working with ClickOnce or VSTO applications, you know that signing them isn't quite like signing a regular executable. We're pleased to announce that Signotaur now handles ClickOnce and VSTO application signing, taking care of the manifest orchestration so you don't have to.

What Makes ClickOnce and VSTO Different?

When you sign a standard executable or DLL, you're dealing with a single file. The process is straightforward: calculate a hash, sign it, embed the signature. One file, one operation.

ClickOnce and VSTO applications are a different beast entirely. These deployment packages consist of multiple files tied together by manifest files that describe the application structure, dependencies, and deployment configuration. The challenge? Everything needs to be signed in a specific order, and those manifests need to be updated with new hash values after each signing operation.

Here's what's happening under the hood:

Application files get signed first (your assemblies, dependencies, etc.)
The application manifest (.manifest) needs to be updated with the new hash values of those signed files
Then the application manifest itself gets signed
The deployment manifest (.application) needs to be updated with the hash of the signed application manifest
Finally, the deployment manifest gets signed

Miss a step or do things out of order, and Windows will reject your deployment package. It's tedious and error prone to manage manually, which is exactly why we've automated it.

Certificate Requirements

ClickOnce and VSTO signing requires an RSA certificate with specific characteristics:

Algorithm: RSA only (ECC/ECDSA certificates are not supported by the ClickOnce/VSTO signing infrastructure)
Key size: Minimum 2048 bits, though 3072 bits is recommended for better security
Certificate type: Must be a code signing certificate (Authenticode) from a trusted Certificate Authority
Key storage: Since June 2023, CA/B Forum requirements mandate that private keys be stored on secure hardware (USB tokens or HSMs)

Signotaur supports all of these requirements, whether your certificates are stored on YubiKeys, SafeNet tokens, other PKCS#11 HSMs, or in the Windows Certificate Store.

The Publisher Name Challenge

Getting the manifests signed is only half the battle. Making your application display the proper publisher name instead of "Unknown Publisher" during installation is notoriously tricky. Even with a properly signed application, several factors can cause Windows to show "Unknown Publisher":

Certificate chain issues (missing intermediate certificates)
Publisher name in the deployment manifest not matching the certificate's Common Name exactly
Whitespace differences introduced during the signing process
Self-signed or test certificates (which will always show as unknown)
Certificate not from a trusted root CA

When everything is configured correctly, users see a clean installation prompt with your verified publisher information:

When something's wrong — even if the manifests are technically signed — users see the dreaded "Unknown Publisher" warning:

This is why using certificates from trusted CAs and ensuring proper manifest configuration is so important. Signotaur handles all the signing mechanics correctly so all you need to display the verified publisher name is a valid certificate from a publicly trusted Certificate Authority.

Signing Made Simple

To sign a ClickOnce or VSTO application, you only need to point Signotaur at the deployment manifest:

SignotaurTool.exe sign -a  -s  -t  --tr  --td SHA256 path\to\MyApp.application

Signotaur will parse the manifest, identify all the files that are part of the application, sign them in the correct order, and update the hash values throughout the manifest chain. Any files sitting in the deployment folder that aren't referenced in the manifest will be ignored, even if they match your file spec. This keeps things clean and ensures only application files get signed.

Command-Line Parameters

We've added a new --application-name parameter specifically for ClickOnce and VSTO deployments. This value appears in the Windows Start menu when users install your application, giving it a proper identity in the system.

The existing --description and --description-url parameters are used to populate the publisher name and support URL in the deployment manifest. This means if you're already using these parameters for other signing operations, your scripts should work with minimal changes.

What This Means for Your Build Process

If you've been juggling multiple tools or scripts to handle ClickOnce and VSTO signing, you can simplify your build pipeline. Signotaur handles the entire process as a single operation, maintaining the correct signing order and manifest updates automatically. This is particularly useful in CI/CD environments where you need reliable, repeatable signing without manual intervention.

The usual benefits of Signotaur apply here: your certificates stay securely on the server, private keys never travel over the network, and the command-line interface integrates cleanly with your existing build scripts.

For detailed command-line syntax and examples, check out the Signotaur documentation. If you run into any issues or have questions about signing ClickOnce or VSTO applications, our support team is here to help.

Using YAML with Delphi - VSoft.YAML

Tue, 16 Sep 2025 13:21:38 GMT

Introduction

Almost every modern Delphi application needs a way to store structured data: configuration settings, runtime options, or even project metadata. For decades, developers have relied on INI files for simple key/value storage, XML for deeply structured documents, or JSON as a lightweight alternative.

But there’s another option that has grown into the de facto standard in DevOps and configuration management: YAML.

This article introduces VSoft.YAML - an open-source Delphi library that makes working with YAML straightforward. We’ll cover why you might choose YAML over INI, XML, or JSON, then dive into practical Delphi code examples for parsing, editing, and writing YAML.

Why YAML?

Human-Readability

YAML is designed for humans first. Compare the following formats describing a database configuration:

YAML

database:
  host: localhost
  port: 5432
  user: admin
  password: secret

JSON

{
    "database": {
    "host": "localhost",
    "port": 5432,
    "user": "admin",
    "password": "secret"
    }
}

XML


    localhost
    5432
    admin
    secret

The YAML version is the least noisy, especially when configurations get larger.

Expressiveness

Supports mappings (key/value), sequences (lists), and scalars (strings, numbers, booleans).
Handles deeply nested structures naturally.
More flexible than INI files, which are limited to sections and key/value pairs.

Adoption

YAML is everywhere, especially in DevOps.

Introducing VSoft.YAML

VSoft.YAML is a pure Delphi implementation of a YAML 1.2 parser and emitter:

No external dependencies — just add the source to your project.
Round-trip capable — parse, modify, and write YAML without losing formatting.
Supports multiple documents in a single YAML stream.
Supports reading/writing JSON
Extensive JSONPath support

Getting Started

Installation

Clone the repo or add it as a Git submodule:

git clone https://github.com/VSoftTechnologies/VSoft.YAML.git

Then add the VSoft.YAML\Source folder to your Delphi project’s search path.

Parsing YAML

The most common scenario is loading YAML from a string or file.

uses
  VSoft.YAML;

var
  Doc: IYAMLDocument;
  YamlText: string;
begin
  YamlText :=
    'database:' + sLineBreak +
    ' host: localhost' + sLineBreak +
    ' port: 5432' + sLineBreak +
    ' user: admin' + sLineBreak +
    ' password: secret';

    Doc := TYAML.LoadFromString(YamlText);
    Writeln('Database host: ', Doc.Root.Values['database'].Values['host'].AsString);
    Writeln('Database port: ', Doc.Root.Values['database'].Values['port'].AsInteger);
end;

To load from a file, just call TYAML.LoadFromFile

Traversing Sequences

YAML supports lists (called sequences).

Example YAML

servers:
- name: web01
  ip: 10.0.0.1
- name: web02
  ip: 10.0.0.2

Delphi Code

var
    doc : IYAMLDocument;
    servers: IYAMLSequence;
    server : IYAMLMapping; 
    i: integer;
begin
    doc := TYAML.LoadFromFile('c:\test\config.yaml');
    servers := Doc.Root.Values['servers'].AsSequence;
    for i := 0 to servers.Count - 1 do
    begin
        server := Servers.Items[I].AsMapping;
        Writeln(Format('%s (%s)',[server.Values['name'].AsString, Server.Values['ip'].AsString]));
    end;
end;

Modifying YAML

Once parsed, you can update values and write them back out:

var
    root: IYAMLMapping;
begin
    root := Doc.Root.AsMapping;
    root.AddOrSetValue('environment', 'production');
    TYAML.WriteToFile(doc, 'c:\test\config.yaml')
end;

Practical Use Cases for Delphi Developers

Configuration files — ship your app with config.yaml instead of INI or XML.
DevOps integration — generate or consume YAML configs for devops tools.
Structured data — when you need nested lists or dictionaries without verbosity.
Collaboration — YAML files are easy for non-developers to read and edit.

Tips and Best Practices

Use JSON when machine-only consumption is expected.
Use YAML when humans will edit the config.

YAML Rules to be aware of

Even though YAML is designed to be human-friendly, it comes with its own quirks. Here are a few issues you might run into when using YAML with Delphi:

1. Indentation Rules

YAML is indentation-sensitive.
Spaces only — tabs are not allowed for indentation.
A single misplaced space can completely change the structure.

valid:
  key1: value
  key2: value

invalid:
  key1: value
   key1: value # wrong indentation

2. Duplicate Keys

Unlike JSON, YAML technically allows duplicate keys in mappings, but this can lead to unexpected behavior. YAML Parsers will typically keep only the last occurrence.

settings:
  timeout: 10
  timeout: 30 # overwrites the first one

VSoft.YAML has a parser option to control the handling of duplicate keys

options := TYAML.CreateParserOptions;
options.DuplicateKeyBehavior := TYAMLDuplicateKeyBehavior.dkError; // default is dkOverwrite
doc := TYAML.LoadFromFile(fileName, options);

Best practice: avoid duplicates in configs, and add validation in your app if needed.

3. Scalars and Quoting

YAML is permissive about quoting strings, which can sometimes surprise you:

path: C:\Temp\file.txt # might be misinterpreted due to backslashes

Safer to quote unusual strings:

path: "C:\Temp\file.txt"

4. Boolean Values

YAML recognizes a wide set of values as booleans: yes/no, true/false, on/off.

feature_enabled: yes # interpreted as boolean true

If you actually mean the literal string "yes", you must quote it:

feature_enabled: "yes"

5. Comments

While YAML supports # comments, they are not part of the data model and usually not preserved

VSoft.YAML does attempt to preserve comments. This is non standard. Generally, comments before mappings (objects) and sequences(arrays) are preserved, comments after scalar values may be preserved.

Blank lines will not be preserved.

6. Large or Complex Documents

For deeply nested structures, readability can drop.
Split configs into multiple YAML files if possible.
Use ---(start) and ...(end) to separate documents in a single file if needed.

7. Type Guessing

By default, YAML interprets unquoted values:

42 → integer
3.14 → float
3.1.4 → string
true → boolean

If you want to enforce string semantics, quote the value:

port: "5432"

8. CRLF vs LF Line Endings

VSoft.YAML is tolerant of Windows vs Unix line endings, but if your configs are shared across systems, normalize line endings in your source control to avoid “it works on my machine” issues.

Conclusion

YAML offers developers a unique combination of human readability, expressiveness, and versatility. Unlike INI files, it can represent complex nested structures; unlike XML, it remains clean and concise; and unlike JSON, it's easier for humans to read and maintain.

The full list of features support by VSoft.YAML is available here.

Useful MSBuild Properties for Production Builds

Tue, 16 Sep 2025 08:25:32 GMT

When deploying dotnet applications to production, the difference between a development build and a properly configured production build can be significant. MSBuild provides numerous properties that allow you to optimize your builds for performance, security, and reliability. This article explores essential MSBuild properties for production builds, with particular focus on configuration for CI servers like Continua CI.

Core Production Build Properties

Release Configuration

The foundation of any production build starts with the Release configuration:


  true
  portable
  true

Optimize enables compiler optimizations that improve runtime performance by inlining methods, removing dead code, and performing other optimizations. DebugType set to "portable" creates portable PDB files that work across platforms while maintaining debugging capabilities. DebugSymbols should remain true even in production to enable proper stack traces and debugging when issues occur.

Deterministic Builds

Deterministic builds ensure that identical source code produces identical binaries, which is crucial for security auditing and reproducible deployments:


  true
  path1=sourcePath1,path2=sourcePath2

PathMap removes replaces the actual paths in your projects, so instead of having "c:\CI_AWS\WS\123\srs\myclass.cs" baked into your executable, you get something like ".\src\myclass.cs" .

The syntax is straightforward - path1 is the real path on your build machine, and sourcePath1 is what you want it to look like in the output. If you need to map multiple paths, just separate them with commas.

CI-Specific Properties

ContinuousIntegrationBuild

One of the most important properties for CI environments is ContinuousIntegrationBuild. According to the Microsoft documentation, this property enables several CI-specific optimizations:

Suppresses certain warnings that are only relevant during development
Enables deterministic builds by default
Optimizes source link generation for better debugging experience
Improves build reproducibility

For Continua CI, you can configure this property using the built-in ContinuaCI.Version environment variable:


  true

Alternatively, you can set it in your CI build configuration by adding ContinuousIntegrationBuild=true to the MSBuild Action Properties list.

Build Metadata

Including build metadata helps with traceability and debugging:


  $(ContinuaCI.Build.LatestChangeset.Revision)
  $(ContinuaCI.Build.Version)+$(SourceRevisionId)

This embeds the source control revision ID into the assembly, making it easier to identify which exact code version is running in production. Most CI servers provide information like revision, version etc using environment variables.

Security and Code Quality Properties

Treat Warnings as Errors

In production builds, warnings often indicate potential issues that should be addressed:


  true
  CS1591

TreatWarningsAsErrors ensures your production code has no compiler warnings. WarningsNotAsErrors allows you to exclude specific warnings (like CS1591 for missing XML documentation) that shouldn't break the build.

Code Analysis

Enable static code analysis for production builds:


  true
  latest
  true

Nullable Reference Types

For C# 8.0+ projects, enable nullable reference types to catch potential null reference exceptions:


  enable
  true

This option can be quite painful to enable on an existing code base - be prepared for a lot of clean up work!

Performance Optimization Properties

Ahead-of-Time Compilation

For applications where startup performance is critical, consider enabling ReadyToRun:


  true

Note that ReadyToRun is platform specific - you must specify a Runtime Identifier (e.g., win-x64, linux-arm64) when publishing with PublishReadyToRun=true.

Trimming for Self-Contained Deployments

For self-contained deployments, enable IL trimming to reduce application size:


  true
  partial

Be cautious with trimming as it can break applications that rely heavily on reflection.

Assembly and Versioning Properties

Strong Naming

For libraries that will be consumed by other applications:


  true
  key.snk

Version Information

Properly configure version information for easier identification:


  1.0.0.0
  $(BuildNumber)
  $(ProductVersion)

Output and Packaging Properties

Symbol Package Generation

For NuGet packages, include symbol packages for debugging:


  true
  snupkg

Source Link

Enable Source Link for better debugging experience:


  true
  true

Platform-Specific Optimizations

Reference the Microsoft documentation on code generation options for platform-specific optimizations:


  x64
  false

Conclusion

Properly configuring MSBuild properties for production builds is essential for creating robust, performant, and maintainable applications. The ContinuousIntegrationBuild property provides an excellent foundation for CI-optimized builds. Remember to test these configurations thoroughly in your CI environment before deploying to production, as some optimizations may have unexpected effects on applications that rely heavily on reflection or dynamic code generation.

Signotaur and Certificate Revocation Lists

Wed, 09 Apr 2025 08:08:24 GMT

We recently had a report from a customer that code-signing using Signotaur was taking a long time — in this case, around a minute to sign one file. This is obviously far too slow for practical use.

The customer provided us with logs from two machines, which showed different results. When comparing the logs, the only thing that stood out was the Certificate Chain elements — the bad log only showed one element, whilst the good log showed three.

These chain elements make up the certificate path — each certificate is signed by another, and up the path we go until there are no more.

Seeing only one certificate in the path is a red flag. You would not typically see a code-signing certificate that is signed by a root certificate; there would be one or more intermediate certificates in the path.

Installing the Certificate Authority's intermediate certificates solved that part — the chain was complete. It did not solve the timing issue.

So we added more debug logging, and after much head scratching, we realised the issue was that the delay was due to the fact that, by default, when building the certificate chain, the .NET X509Chain class performs online checks of the Certificate Revocation Lists (CRLs).

Each certificate includes a CRL Distribution Points field that points to the CRLs. These CRLs are used to check if the certificate has been revoked.

Performing Online CRL checks (the default) can run into problems. In our customer's case, they were being blocked by their firewall — so each HTTP request timed out, resulting in signing taking longer than expected. Note it didn't fail the signing, since the CRLs were not retrieved. After the customer allowed those URLs in their firewall configuration, code signing was fast again.

If your internet connection is slow or has high latency to the CRL hosts, that will also impact code signing time.

The X509Chain class has two alternatives to online checks: Offline and NoCheck.

- Offline will use cached CRLs if available, and will not attempt to retrieve the CRLs online.
- NoCheck does what it says — skips the CRL/OCSP checks — and really should only be used in an emergency.

Signotaur v1.0.0.444 adds a new -rm option, which allows the values: Online (default), Offline, and NoCheck.

FinalBuilder 8.5 and Automise 5.5 Release

Wed, 09 Apr 2025 01:50:56 GMT

It's no secret that we are always working on the next version of FinalBuilder and Automise - that's the nature of software development. That said, the next major versions are taking much longer than we would like - the reason for this is dealing with serious technical debt (active scripting).

With this extended development cycle, there are changes that we finished some time ago that we decided just could not wait for the next major version. We backported those changes to the FinalBuilder 8.x and Automise 5.x - but since some of these changes break project compatibility (with the x.0 releases) we are releasing FinalBuilder 8.5 and Automise 5.5

Encryption Algorithm

FinalBuilder & Automise have always used the Blowfish algorithm (with a 160 bit key) for encrypting passwords, apikeys etc.

FinalBuilder 8.5/Automise 5.5 adds the AES 256 Algorithm (with a 256 bit key) as an option.

There is a new IDE option to specify the default project encryption for new projects - this defaults to AES256. Note this only affects New projects. To change the algorithm used for existing projects, open the project info window from the Project Menu, change the setting and click ok and then save the project.

Note that these options will be removed in FinalBuilder 9/Automise 6, when AES 256 will become the default (and projects still using Blowfish will be upgraded automatically).

It's should be noted that Blowfish is still considered reasonably secure, this change is to enabled the continued use of FinalBuilder in organisations must comply with NIST (US) or ASD (Australia) requirements.

Password Variables

In FinalBuilder & Automise we have always attempted to mask passwords from the logs, but occasionally that can slip through.

Any passwords stored in variables were visible in plain text in project project files. For this reason, we have added a new Password variable type. These variables will be encrypted in project files. The backing type is string.

Password UI

All password fields on all now utilise a new password edit control that allows peeking at the value (like the windows 11 password box).

Windows Credential Manager Actions

The Windows Credential Manager actions enable you to read/write/delete credentials stored in the credential manager.

Project file compatibility Warning

FinalBuilder 8.5 project files are NOT downward compatible with FinalBuilder 8.0 - or put another way, FinalBuilder 8.0 cannot load FinalBuilder 8.5 projects. The same applies to Automise 5.5 projects. This is due to some of the changes outlined above.

Code Signing with Inno Setup and Signotaur

Fri, 31 Jan 2025 01:04:38 GMT

Inno Setup has long supported code signing (since v5.2.4). Fortunately, the way the authors of Inno Setup implemented this feature makes it really easy to use custom tools to do the code signing. In this post we'll take a look at how to use Signotaur with Inno Setup.

There are a few different ways to specify which command to run during signing with Inno Setup.

Sign Tool settings in Inno Setup IDE

The first is to define "Sign Tool" commands in the Inno Setup IDE. You can create multiple commands - for example if you have multiple certificates - and then in your scripts you can point to the "Sign Tool" you want your setup script to use.

To define a "Sign Tool" command in the IDE - tools menu, Configure Sign Tools...

The name can be anything you want, however if you are including other third party inno scripts you should make sure the name is unique to make sure those scripts cannot redefine the command (this is pointed out in the docs)

Imagine if a third party script did this

[Setup]
SignTool=Default cmd /c format.com z: $f

If a Sign Tool named Default is defined in the inno IDE, that would be used. Of course you should always review any third party code before using it!

After providing a name, you are prompted for a command. This is where we can provide our Signotaur command line.

Inno Setup will replace a few placeholders

$f, replaced by the quoted file name of the file to be signed. (required)

$p, replaced by the Sign Tool parameters (more on this later).

$q, replaced by a quote, useful for defining a Sign Tool which contains quotes from the command line.

$$, replaced by a single $ character.

So with that, lets build our command line (adjust to suite your scenario).

e:\SignotaurClient\SignotaurTool.exe sign --sign-server https://mysignotaurhost:91/ --api-key *** --thumbprint YOURCERT-THUMBPRINT --fd "SHA256" --description "My Application" --tr http://timestamp.sectigo.com --td "SHA256" --allow-untrusted $f

Note - in Inno Setup 6.3.3 and earlier, the Sign Tool command line limit is 256 chars, which is a problem when using signotaur - this was fixed in 6.4.0. The work around for 6.3.3 or earlier is to modify the registry - under HKEY_CURRENT_USER\Software\Jordan Russell\Inno Setup\SignTools find the value for the Sign Tool you added and enter the full command line there.

Make sure to restart the Inno Setup IDE after making the registry change.

Now we can define which Sign Tool to use in our Innosetup project.

[Setup]
SignTool=signotaur

That's all we need for now - you should be able to see Signotaur being invoked to sign the uninstaller and the installer.

One downside to this configuration is that there is no way to parameterize the Sign Tool command, so no way to avoid hard coding the ApiKey in the command (which is stored insecurely in the registry). For that reason alone, I do not recommend configuring the Sign Tool this way.

Sign Tool settings in the setup project

So lets look at the second option, which is to fully define the SignTool command in the [Setup] section. IMPORTANT : Firstly, to keep the IDE happy, define your signtool as above, but with a command of

$p

then in your innotsetup project :

[Setup]
SignTool=signotaur e:\SignotaurClient\SignotaurTool.exe sign --sign-server https://mysignotaurhost:91/ --api-key **** --thumbprint YOURCERT-THUMBPRINT --fd "SHA256" --description "My Application" --tr http://timestamp.sectigo.com --td "SHA256" --allow-untrusted $f

Note that Signtool name in the project must be one that is defined in the IDE

That works fine, but of course now instead of hard coding the ApiKey in the registry, we have it in our project file - which is potentially worse since it's likely checked into version control (perhaps even in a public repo on GitHub!).

Sign Tool settings on the command line

To get around this, we need to change how we compile our Inno Setup projects. Using the Inno command line compiler lets us get around all of the issues.

To do this, remove the Sign Tool configurations from the IDE - we won't be using them.

In our project, we can use the pre-processor to only run the SignTool when Release is defined.

[Setup]
#ifdef Release
SignTool=signotaur SignotaurTool.exe sign --sign-server {#signotaurServer} --api-key {#apiKey} --thumbprint {#thumbprint} --fd "SHA256" --description {#MyAppName} --tr {#timeStampServer} --td "SHA256" -v --allow-untrusted $f
#endif

On the command line we can can provide values for the pre-processor defines

/DRelease /DapiKey=abcdef ...

That now moves the ApiKey to your build script.

There is one last option we can explore here - that is to provide the entire Sign Tool command on the command line for the iscc compiler

 
/Sname=command

Sets a SignTool with the specified name and command

e.g.

/Ssignotaur e:\SignotaurClient\SignotaurTool.exe sign --sign-server https://mysignotaurhost:91/ --api-key **** --thumbprint YOURCERT-THUMBPRINT --fd "SHA256" --description "My Application" --tr http://timestamp.sectigo.com --td "SHA256" --allow-untrusted $f

This is what the FinalBuilder InnoSetup action uses when you use the SignTool property. Of course you can use FinalBuilder variables for the ApiKey and other parts that might change. If you are calling FinalBuilder from a CI server, those variables can be provided from the CI tool - so the secret is stored and secured in one place.

One last comment before I wrap this up - why would I need Innosetup to handle Code Signing, can't I just sign the resulting setup.exe myself? The main reason for letting Innosetup handle code signing the installer is that it also signs the uninstaller.

Introducing Signotaur - Remote Code Signing Server

Wed, 04 Dec 2024 08:45:00 GMT

Over the last few years, code signing has changed somewhat. With the requirement that private keys be secured, many developers have run into the issues that USB tokens present, or the limitations and costs associated with cloud-based signing solutions. Gone are the days of sharing a PFX file around the dev team or with the CI server (unless you managed to snag a 3-year renewal just before the new requirements were enforced).

Signotaur

Signotaur is a self-hosted code signing server that makes sharing certificates simple, all whilst maintaining the security of your private keys. Signing can be done (using the client) from any machine that has network access to the server.

Secure Code Signing

Private keys never leave the server, or the USB token or HSM for that matter. The client/server both support TLS (and can generate a self-signed certificate during the install), and administrators can configure access controls to limit who can use certificates for signing. Signing uses API keys rather than passwords, so no more dreaded SafeNet or YubiKey password prompts!

Supported Certificates

We have tested with PFX files, SafeNet, Certum and YubiKey USB tokens, and Windows certificate stores. Signotaur may work with other USB tokens or HSMs that have 64-bit PKCS#11 drivers.

Lightweight

Signotaur Server uses very little memory, CPU, or disk space. It uses SQLite for its database. Installing Signotaur takes a few minutes at most.

Signotaur Client is a single native Windows executable (around 15MB). It's installed with the server and can be downloaded from the server's home page. The command-line interface is very similar to SignTool.

How does it work

In simple terms, the client calculates a digest of the files you want to sign, sends that to the server, which then uses the private key to create the signature and sends that back to the client. The client then writes the signatures to the files.

Supported Platforms

For this initial release, Signotaur (client and server) runs on 64-bit Windows 10+, Windows Server 2016, or later. Linux support for the server is in development.

Affordable

Unlike cloud-based services, we don't charge per signing, and the price isn't "available on application" like some "enterprise" products. The introductory price is USD $199 per server, and with the Black Friday Sale extended to midnight 8th December, that makes it USD $119.40 (discount applied at checkout). The price includes 12 months of updates and support. Renewals after 12 months are 30% of the new purchase price.

Download it here. After installation, login and browse to the admin\licenses page and request a 14 day trial license key.

Black Friday Sale 2024 - 40% off all new licenses

Thu, 28 Nov 2024 09:38:11 GMT

Black Friday Sale - 40% off all new licenses until midnight (utc) ~~4th December 2024.~~ Extended to midnight (utc) 8th December 2024.

No coupon code required, the store will apply the discount automatically.

FinalBuilder and Automise on Windows 11 24H2

Thu, 21 Nov 2024 22:35:00 GMT

The problem

Windows 11 24H2 breaks scripting in FinalBuilder and Automise. You will see a range of different errors depending on your scripts or the actions you use (some actions use jscript).

The cause

Windows 24h2 enables a policy by default that causes JScript.dll (the com dll) to load JScript9Legacy.dll rather than JScript9.dll

JScript9Legacy.dll is a replacement engine using Chakra - which is an odd choice since it seems abandoned since Edge moved to using chromium. The reason they did this was because of a security issue - which is understandable - but unfortnately it introduces a whole host of bugs they do not seem to interested in fixing (I guess it works for them).

This issue even affects some of Microsoft's own applications (like Visual Studio)

The work around

The workaround is to disable the policy

Run regedit.

navigate to (for all users) :

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main

or (for the current user only)

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Main

Note these keys did not exist on my machine, so I added them.

Right click the Main key and select New DWORD (32-bit) Value, name the new value JScriptReplacement and the value to 0.

Restart FinalBuilder (no need to reboot).

Obviously, this is not ideal - we have been looking to replace JScript for some time - unfortunately so far our efforts have not resulted in something that is 100% backwards compatible - so we still have some work to do in this area.

FinalBuilder 8.0.0.3378 and Automise 5.0.0.1593 breaking changes.

Tue, 16 Jul 2024 05:30:16 GMT

Throughout the lifespan of FinalBuilder and Automise, we have worked very hard to avoid breaking changes - however sometimes they are unavoidable.

Today's updates to FinalBuilder 8 and Automise 5 have a breaking change in the SSH Batch Execute action. Previously, this action would manage it's own connect/disconnect - the breaking change is this action now requires separate SSH Connect/Disconnect actions.

The reason for this is complicated, but it was brought about by us changing the client library we use for the SSH actions. The previous client library had too many issues that we were unable to work around. The most annoying example - the actions would not work correctly/reliably with openssh running on windows servers. We did try to fix this issue, but in the end the only viable option was to replace the library (something we were planning to do in the future anyway). The new library (Rebex) is much more stable and performant. We plan to re-implement the SFTP actions (which have issues with some servers) with this library in a future update.

We have been using a build with these changes in production for some time now to dogfood these changes.

To use the SSH Batch Execute action, add an SSH Connect action before it and an SSH Disconnect after, set the connection name on the SSH Batch Execute and SSH Disconnect to the name of the new SSH Connect action's connection name and you should be all set.

If you experience any issues with the SSH actions in these new updates let us know (with as much info as you can about the server and action settings).

Black Friday Sale 2023 - 50% off all new licenses

Fri, 24 Nov 2023 02:27:58 GMT

50% OFF. No, that’s not a typo! Our first ever Black Friday sale - 50% off all new licenses - valid to midnight Tues 28th Nov (UTC).

No coupon code required, the store will apply the discount automatically.

Code Signing with USB Tokens

Mon, 03 Oct 2022 16:40:22 GMT

Update Nov 2024

Whilst the content of this post is as valid today as it was originally, we became frustrated with being limited to signing on one machine. That meant our build agents were doing a lot of copying of files to and from the server with the token.

Our solution was to build a Code Signing Server - Signotaur - keep reading and then take a look at how Signotaur solves the problems we talk about in this post.

Big changes are coming for code signing certificates in 2023. New and reissued publicly trusted organisation validation (OV) and individual validation (IV) code signing certificates will have to be issued or stored on preconfigured secure hardware by the issuing Certificate Authority (CA) and the device must meet FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent security standards.

This is already the case for EV (Extended Validation) certificates, and it presents some problems in an automated build environment. In this post we'll take a look at the issues with hardware-based certificates and how to work around them.

Why is this change necessary?

If you work in IT, you will have heard or read about the SolarWinds supply chain hack. It was a big deal. It's more common than we might think - in February 2022 NVIDIA had their code signing certificates stolen and they were used to sign malware (those certificates have since expired).

These (and other) episodes made many in the industry (Microsoft in particular) very nervous. Trust is a big deal when it comes to certificates, and that is certainly the case when it comes to certificate issuance, but there is not a lot of trust in how those certificates are secured by the developers using them. Ask anyone who has done the merry validation dance with a CA, it's not that easy to get a code signing certificate these days. With that in mind, the CA/Browser forum adopted a proposal to change the requirements for how issued certificates are stored.

The change makes a lot of sense - it's much harder to steal hardware than it is to steal files.

What does this mean

From 1 June 2023, all new and reissued publicly trusted OV and IV code signing certificates will have to be issued or stored on a pre-configured secure hardware device by the issuing certificate authority (CA) and the device must meet FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent security standards.

Existing OV/IV certificates will continue to work, but if you need your certificate to be reissued you may encounter issues due to key size requirements changing (so don't lose your certificate). The reality is that most certificate providers have already switched to issuing certificates on tokens (or discontinued selling OV/IV certificates). This is the end of simply downloading a pfx.

What are these hardware devices

These devices fall broadly into 3 categories:

Network-attached Hardware Security Modules (HSM)

HSM's in this class bring a lot of benefits and functionality (like key usage audit logs) - code signing is just part of that. These devices are not cheap - usually in the "if you have to ask you probably can't afford" price range! There's a reason for that steep price though. They are designed to be ultra-secure and tamper proof - open the lid and you will likely lock it up or brick it.

CA's will charge you a premium if you BYOD (bring your own device) - expect an audit fee of around $500 - or you can employ your own suitably qualified auditor (no idea what the criteria is for that but it sounds expensive). You will also have to deal with creating a Certificate Signing Request (CSR) to send to the CA. The process varies depending on the device, and the CA websites don't offer much guidance there.

Cloud HSM's

Azure, AWS, Google and others provide cloud HSM's, a service layer in front of network-attached HSM's - you basically rent time/space on them. They typically charge a monthly fee and then a fee per cryptographic operation. CA's charge a hefty fee to create certificates for use on these services - up to $1200 - and on top of that some CA's charge per number of signings per year (no idea how they police that). You also need to do some work to configure secure access to the HSM. These services make sense if you are already running on the cloud. Like other HSM's you will need to create a CSR to send to the CA during the order/validation process

SSL.com offer an eSigner cloud-based service (they are also a CA), but the prices will make you think twice about code signing: USD $100 per month for 10 signings, plus $10 for each additional signing. We sign every build that might escape the building and each build has several files that need signing!

USB tokens

In my research so far, the most common USB token is the Gemalto/Thales SafeNet token. The only other ones I have encountered are Yubikey (only SSL.com seems to be using those) and Certum (for which I could find very little info on the client software). The token tends to be included in the price of the certificate (I did see one case where it was not). You do not need to create a CSR (unless you are using your own existing token) as the CA loads the certificate on the device before posting it to you. The one I have (from Digicert) is a Safenet token. It's already obsolete and cannot be used for new certificates as it doesn't support the larger key size required now (newer model required).

Locked In

One thing to note about all the possible hardware devices, whether it's yours or one you rent, is that once a certificate is installed on that device, it's private key cannot be exported. So if you decide the cloud service you are using is too expensive and want to move, well it's time for a new certificate.

Some CA's say they cannot reissue EV's on USB tokens, whilst others provide a procedure - it's likely you will be up for a new token cost and more verification hoops to jump through. So don't lose or damage it!

In the rest of this post, I'm only going to cover USB tokens. If you have access to network or cloud HSM's then you are probably well past this point.

So, what's the problem then?

Different USB tokens might use different client software/drivers - but they all have one thing in common - the USB token needs to be present (i.e. plugged in to the machine) when code signing. This seemingly innocuous little USB token (which looks just like a memory stick) needs to be physically secure. If someone walks past your machine and takes it (likely thinking it's a memory stick), well you are up a creek without a paddle. My SafeNet token has a bright blue LED on the end that just screams "Take me!". Our build servers are colocated at a data centre - so leaving things like USB devices plugged in is asking for trouble. It's not like I can walk over and plug it in when needed (every day!). The data center is 300km from where I live/work.

Add to this that build machines are typically virtual, so you are into the realm of USB passthrough. If you use Hyper-V Server (as we do), well you are bang out of luck.. not supported. I have heard that VMWare ESXI supports it just fine but have never used it. I tested with XCP-ng and did get it working, but it was a major hassle to configure (reams of commands and copying of guids).

USB - Remotely

Fortunately, there are alternatives to USB passthrough. I looked at a bunch of USB remoting products (USB over IP/UDP), and after poor results with most, I found one that works. In fact it works incredibly well, with much better pricing than the others.

That product is VirtualHere (VH). Of all the vendors I contacted, they were the only one who actually responded and answered the question I asked - "Does it support code signing tokens?". The author responded, "Actually I use my (Digicert) JC Token via VirtualHere to sign VirtualHere when I build VirtualHere inside a VM." Good enough for me to give it a try!

The VH Server runs on Windows, Linux, MacOS, a bunch of NAS servers, even a Raspberry Pi! The server licence is locked to the host machine, so if you decide to move the USB token to another host you will need to purchase another license - but at USD$49 that probably won't break the bank!

I installed the VH server software on my XCP-ng host - installation was trivial and took all of 2 minutes (I'm no Linux expert). I then plugged the USB token in (the server is in my mini rack at home) and installed the VirtualHere client software on my Windows machine.

The VH client can auto detect servers, however in my case the two machines were on different subnets, so I had to manually specify it. With the trial version, a message box shows up when it first connects. The client immediately showed a tree of the USB devices plugged into the server. The SafeNet token shows up as Token JC, right-click on it and select "Auto use this device" so it connects automatically. When I did this, the familiar Windows sound indicated a device had plugged in. I already had the SafeNet software installed so it didn't prompt me for drivers etc.

The last step in this USB remoting journey was to install the client as a service (right click on the USB Hubs node). This can only connect to licensed servers, so leave this step until you have purchased.

NOTE : I didn't make it clear before, but the VH client and token client software need to be installed on the machine where the signing takes place, ie your build machine or build agent machine.

Prompting for Passwords

Another issue with the USB tokens being present during code signing, is they also expect a human to be present - a password prompt is shown. That flies in the face of conventional wisdom - automate all the things!

Fortunately, for the SafeNet token at least, there is a work around for this.

Open the Safenet Authentication Client Tools, click on the Advanced View button (the gear). You may be prompted for the token password if you haven't already entered it. In the tree on the left, right-click on the certificate (under User certificates) and select Export certificate. Just to be clear here, this is the certificate without the private key (which stays on the token) - you can't use this exported certificate on a machine that does not have access to the USB token.

In the certificate view, under Private Key, take note of the Cryptographic Provider value (likely "eToken Base Cryptographic Provider" and the Container Name (p11#xxxxxxxxxxx). You will have to manually type them out somewhere as it doesn't support the clipboard. Save those values somewhere - as you will need them in your build process for code signing.

Whilst still in the Client tools, select Client Settings and go to the Advance tab, check the "Enable single Login" and "Enable single Logon for PKCS#11." options, and set Automatic Logoff to Never - then hit Save. You can close the client now.

Code Signing

With all that done, we can use Signtool action in FinalBuilder. The Signing option tab is where those values we saved earlier come into play.

The only difficult one is the Private Key container. Fortunately, some clever person on StackOverflow figure out the required format:

[{{%CSPWD%}}]=p11#xxxxxxxxxx

I have used a variable CSPWD for the token password.

That's it. In my tests I have run FinalBuilder from the Windows task scheduler while logged out, and from a Continua CI build agent service (again while logged out) and it worked in both instances. I did a bunch of login/out/reboot testing and it continued to work. VirtualHere has been flawless. The next step is to configure our CI agents to access the USB token over VPN. Sadly our EV token is about to expire (and we never used it once in production, our OV cert still has another year left) - so I first have to jump through the validation hoops to get a new one.

When using this technique on a CI server, you will need to take care that only one build at a time is using the token. In Continua CI, that is trivial to achieve using a shared resource lock.

I would love to test out some of the cloud HSM services too, but purchasing a certificate for each one is too rich for me. If you are using any of those with a cloud-based HSM, jump on our forums and let us know your experiences. If you experiment with or get up and running using VH let us know how it went - I might do a follow up post as we all gain more experience with usb tokens and code signing.

Warning (added 19 Oct 2022)

I probably should have pointed out that most tokens are configured to lock you out after too many authentication failures. So if you are getting auth failures when setting this up, stop, and manually login to the token to reset the failed count.

Rant

CA's (and their resellers) have some of the worst websites I have ever had the displeasure of reading. Pages and pages of useless or contradictory information with links promising more information that take you around in circles. Grrrrr.

Continua CI System Server Properties

Thu, 13 May 2021 12:59:28 GMT

If you are using Continua for your CI, (and if not why not?) ensure that you check out System Server Properties. These allow access to global settings which do not fit on any existing page.

They can be used to configure several aspects of the UI and build process to fit your team preferences. This could simply be the number items to show per page on each of the dashboard views (Server.ProjectsView.*.PageSize), or more complex patterns for detecting errors and warnings in actions settings (Actions.Messages.*Patterns). Some system server properties are rarely needed, but some can be considered essential, such as Server.HostUrl which can be used to ensure the links in notifications go to the correct external host name.

We have recently added some new server properties which allow you to control the tabs on the Queue Options dialog (Server.QueueOptionsDialog.*) and create a banner for displaying a message to all (or a subset of) users (Server.Banner.*).

Here is the result of changing Server.QueueOptionsDialog.TabSequence from "Variables,Repositories,Options"

to "Repositories,Variables,Options".

This is what happens to an existing banner when you change the Server.Banner.MessageType from "Information"

to "Warning".

Server properties can be edited on the "Continua Server - Properties" page located in the "Administration" section of Continua CI. See our documentation for details on all the currently available server properties.

DPM Package Manager - Progress update

Wed, 24 Feb 2021 10:46:15 GMT

In December 2019, I blogged about a package manager for Delphi that I am working on. This post is a progress update that shows where it's at and what's left to do to get to v1.

DPM Recap

For those not familiar with what I am trying to achieve here, I highly recommend reading my original Delphi Package Manager RFC post. In that post I detailed my ideas, and some of the challenges that Delphi presents when compared to other development environments.

In December 2019, the bare bones of DPM were there. We had a command line tool and that was it. We were able to create packages, install packages (and their dependencies) and restore them (restore ensures all referenced packages are present). Oh and we could list the available packages in our package feed (a folder).

IDE Integration

In the last 13 months there were around 175 commits to the DPM repository. In that time I have added an IDE plugin (that works in Delphi XE2 to 10.4). This involved the creation of several custom controls (I wasn't able to bend any existing ones to work how I wanted it to).

In addition to the work in the project repository, I also published several useful libraries that I needed for this project. DPM is now bootstrapped, to build DPM you need DPM, as it requires several libraries that are referenced as dpm packages.

In Nov 2020 I published the first alpha release that included an installer (code signed by VSoft Technologies) for installing both the command line tool and the IDE plugin (single installer, you can choose which IDE versions to install for). The installer allows you to install for the current user, or for all users (requires elevation to install).

I also did a zoom presentation about DPM to the Melbourne chapter of the Australian Delphi Users Group - a recording of that (long) presentation can be found here.

Adding IDE support for DPM was a massive undertaking. I had very little experience in developing Delphi IDE plugins (using the tools api) - and there were lots of subtle changes between delphi versions, getting things working correctly in 12 versions of Delphi was not easy. In particular, with the later versions of Delphi IDE that use VCL themes, getting things to look right (ie like a native part of the IDE) was a challenge.

The above image shows the installed packages for one of the projects in the project group, you get to this view by right clicking on the project node, or the DPM Packages node in the Project tree.

Note the view only shows the directly installed packages, not the transient dependencies - those you can see in the project tree under the DPM Packages node.

Before you can use DPM in the IDE, you need to configure a package source (a folder where your package files will live)

This can be done fron the command line

dpm sources add -name=local -source=path to the folder you created

Or from the IDE Settings

Compile during install

The most recent updates added support for compiling packages during first install. Packages need to declare how to build in their dspec file, and dpm will use that and call msbuild to compile the packages if needed. DPM also records a bill of materials file (package.bom) in the package cache so that it can tell whether the package needs to be recompiled or not.

On first install, packages that are being compiled during the install process will take a little longer, but on subsequent installs or restores, the process is almost instant (a few ms).

Prior to adding this feature, building dpm on our Continua CI build agents took 13 minutes, much of which was taken up with compiling the dpm packages that it references (in particular, earlier versions of Delphi were very slow with spring4d). Since updating dpm on our agents with the new version, the entire build process for DPM (console app and 12 versions of the IDE plugin and the installer) takes less than 2 minutes.

Missing features

Project group support

When installing packages, the dependency resolution code does not know about other projects in the project group, or what packages and versions they reference. This will be a problem for packages that include design time components that need to be loaded - the IDE can only load 1 version of a design time package. This is what I am currently working on.

Design time packages

DPM does not currently install design time packages into the IDE. This is dependent on project group support, so it's next on the list after project group support.

Package Updates

The ability to detect when package updates are available and make it easy to install those updates. There's an Updates tab in the IDE but it's non functional at this time.

Package Repository

In it's current state, DPM only supports folder based package feeds. This works fine, but it does have some limitations

Limted search abilities - limted to searching on the package filenames.
You have to download packages to a folder.
Package Authors have to host the package files somewhere (mine are under releases on their github projects).

I have made a start on the Package Repository, but not a lot of progress since I'm focusing on the client site right now.

Q & A

Is it usable?

In it's current state, it's only usable for non visual libraries. As I mentioned, the DPM projects all use DPM themselves, and we have DPM actions in FinalBuilder for running the Pack and Restore commands.

If you use any of my open source libraries like DUnitX, Delphi Mocks etc, I have created packages for all of those libraries, and also created mirror projects (just for hosting the package files) for some other popular libraries like Spring4D.

I would encourage library authors in particular to take a look and provide feedback.

Where can we find it?

DPM is an open source project on GitHub, the installer can be found under Releases (under each release, there is an Assets dropdown section).

What versions of Delphi does it support?

Delphi XE2 to 10.4.2 - note that we compile with the latest updates installed for each compiler version.

Why is it taking so long?

Yes, someone asked that recently! This is a side project, free and open source. My primary focus is on running my business and working on our products (that keeps the lights on).

Can we sponsor the project?

Not right now, however it's something I'll look at in the future.

Can we help?

Absolutely. Fork the project on GitHub and clone it to your dev machine and spend some time getting to know the source code. Before making any pull requests, create an issue on github to discuss your ideas and make sure we on the same wavelength!

Advice for Delphi library authors

Wed, 24 Feb 2021 00:57:00 GMT

We use many third-party Delphi libraries to build FinalBuilder and Automise, and that brings plenty of issues when upgrading compiler versions. I've been using Delphi since 1995, both as a developer and as a component vendor, I have learned a thing or two about creating libraries that I would like to share. These are all ideas that make life easier for users, and make it easy to migrate from one version of Delphi to another.

There's no hard and fast rules on how Delphi Libraries are supposed to be structured, these are just my preferences and things I have learned over the years. Hopefully this will help new and existing library authors.

Folder Structure

Keep the Source and the Packages in separate folders, this makes it easier to find the correct packages to compile, e.g :

\Source
\Packages
\Demos

Under Packages, create a folder for each compiler version your library supports, e.g:

\Packages\Rad Studio XE8
\Packages\Rad Studio 10.0
\Packages\Rad Studio 10.1

Package Names

Please, do not put the Delphi version in the package project names.

Bad!!!

MyProjectRun_D10_4.dproj
MyProjectDesign270.dproj

Good

MyProjectRun.dproj
MyProjectR.dproj
MyProjectDesign.dproj
MyProjectD.dproj

Why not put the compiler version in the package project name you might ask? Well the answer is that it makes upgrading compiler versions a major pain for users who link their projects with Runtime Packages (yes, that includes us).

The reason is that when you compile a package, it creates a packagename.dcp file and that is what your project references. So, if your package name is MyPackageRun_D10_4 then that is what will be added to projects that use it.

package MyOwnPackage;
//...
requires
  rtl,
  vcl,
  MyPackageRun_D10_4,
  AnotherPackage_Sydney,
  YetAnotherPackage_D104,
//  ...

When Delphi 10.5 comes out, guess what the user has to do to upgrade their projects.... Yep, replace that all those package references with 10.5 versions (and the multitude of suffixes). Multiply that by a number of projects and a number of libraries (each with potentially multiple runtime packages) and you can see why this might be a pain.

Now you might say, but we don't want 15 versions of MyPackageRun.bpl laying about on users machines, and you would be right. The solution to this is a feature that has been around since Delphi 6 (2001) - LIBSUFFIX.

Setting LIBSUFFIX (on the Description section of project settings) will append the specified suffix to the BPL file name. So a suffix of _D10_4 will result in a package :

MyPackageRun_D10_4.bpl

however, the DCP file will still be generated as :

MyPackageRun.dcp

Remember it's the dcp file that our projects reference (for linking) - so by keeping the dcp file the same for all delphi versions, upgrading to a new compiler version just got a whole lot easier!

So when Delphi 10.5 comes out in the future, all I need to do is install the packages, no changes to my projects.

Update : Someone pointed out that Delphi 10.4.1 support LIBSUFFIX $(Auto) - this will use the Delphi defined PackageVersion - which for 10.4 is 270. This is a nice addition as it makes upgrading the package projects simpler. Of course if you don't like the PackageVersion suffix and use a custom one, then this is not for you.

Use Explicit rebuild, not Rebuild as needed

Have you ever encountered the error

E2466 Never-build package 'XXX' requires always-build package 'YYY'

What this means is, a package, set to Expicit rebuild, references another package, set to 'Rebuild as needed', and it's a pain in the proverbial. Rebuild as needed is also referred to as Implicit Build - in dpk's you will see it as

{$IMPLICITBUILD ON}

If that "Rebuild as needed" package is not part of your project group, guess what, you get to waste time closing and opening projects trying to get it to compile.

I'm sure someone will correct me on this, but I cannot see a good reason to have "Rebuild as needed" set. I suspect this is a hangover from before the Delphi IDE allowed you to specify Project Dependencies and it slows down builds.

Use Search Paths for includes

I often see includes with either hard coded paths, or relative paths like this :

{$I '..\..\MyDefines.inc'}

That's great, if the installer delivers the files in the right place - but they often don't - I hit this issue today, where the package just would not compile. I eventually figured out that the relative path was wrong.

There's a simple fix for this, and that is to remove the path in the $I statement, and use the Project Search Paths feature instead.

I have also seen libraries where there are mulitple copies of the include file and they are slightly different!

Mark packages as Runtime only or Designtime only

Some libraries have their packages marked as "Runtime and Designtime" (the default) - the impact of this is only minor, but it's a pet peeve of mine. The Delphi IDE (in recent versions at least) provides a nice indication of whether packages are runtime or designtime in the project tree, and for designtime packages, whether they are installed.

This makes it simple for me to determine which ones need to be installed or not.

Not Installed

Installed

Summing up

One of the major reasons people do not upgrade Delphi versions is because it's too hard to deal with the third party libraries and all the changes required just to get to the point of compiling. That eventually results in a lack of Delphi sales which results in a lack of investment in Delphi which feeds back into.... well you get the idea ;)

Making third party libraries easier to work with in Delphi has been a bit of a crusade for me, I've been working on this for a while now, and I'm getting closer to a solution - DPM - A package manager for Delphi - if you are a library author, I encourage you to take a look. For examples on how to create a package spec (dspec) take a look at our open source projects https://github.com/vsoftTechnologies/

Announcing the Release of Continua CI Version 1.9.2

Mon, 09 Nov 2020 06:16:32 GMT

We are delighted to announce that version 1.9.2 of Continua CI has passed through the beta and release candidate stages, and has now been released. Here is a reminder of the new features in v1.9.2:

Export and Import: You can now export one or more configurations to a file and import them back from the file into Continua CI.
Requeuing Stages: Requeue a failing stage without restarting the build.
Multiple Daily Cleanup Rules: Each type of build by-product can now have a different shelf life.

Export and Import

Users with Configuration Edit permissions can now export one or more project configurations to a YAML or JSON file. This may be for backup, versioning or migration to another server.

The export wizard has a number of steps allowing selection of one or more configurations, and also any related repositories, variables and shared resources.

The configuration details can be exported to YAML or JSON file formats, according to your preferences for readability and differencing.

The resultant file is downloaded to your computer, allowing you to file it away until you need it.

The import wizard also consists of several steps, allowing users with Project Edit permissions to upload a file, ...

choose which items in the file to import and whether to overwrite any existing matching items of create new items.

The import runs in a transaction, so if any modified file content fails validation it will rollback...

allowing you to make changes and retry.

Requeuing Stages

Sometimes a build stage may fail due to external influences. It could be that a file server was offline, network connectivity was down, or a file was locked for access. If it has taken several long stages to get to this point, then having to run the whole build again from the start can be a pain.

The last stage of a completed build can now be requeued, providing that it has failed, stopped or errored, and the server workspace is intact.

If no parts of the server workspace have been removed by the cleanup process, then a Requeue Stage button will be shown after the last stage in the Stages list on the Build page.

This allows you to requeue and execute the stage again!

You can also optionally make changes to the stage actions and requeue the stage with the latest changes.

Multiple Daily Cleanup Rules

Every build that is executed within Continua CI stores information in the server's workspace, such as artifacts and build logs, and entries in the database. These by-products are vital for executing your build process and tracking build information, however, they can also take up considerable disk space over time and have a negative impact on database performance. The cleanup settings define the shelf life for the build by-products.

Up until now, the cleanup settings have been quite limited - you could set up a single policy per configuration defining the build age and build limits for cleaning up either the database, the workspace, or both. Often, however you would want to cleanup the workspace files to save space, well before removing the build from the database. This update allows you to define multiple cleanup rules, with different shelf lives for each type of build by-product.

Each rule can include one or more by-product to clean up.

Download the installers for Continua CI v1.9.2 from the Downloads page

Introducing Continua CI Version 1.9.2 Beta

Sun, 30 Aug 2020 14:12:26 GMT

We are delighted to announce a new beta release of Continua CI. We have added the following new features:

Export and Import: You can now export one or more configurations to a file and import them back from the file into Continua CI.
Requeuing Stages: Requeue a failing stage without restarting the build.
Multiple Daily Cleanup Rules: Each type of build by-product can now have a different shelf life.

Export and Import

Administrators can now export one or more project configurations to a YAML or JSON file. This may be for backup, versioning or migration to another server.

The export wizard has a number of steps allowing selection of one or more configurations, and also any related repositories, variables and shared resources.

The configuration details can be exported to YAML or JSON file formats, according to your preferences for readability and differencing.

The resultant file is downloaded to your computer, allowing you to file it away until you need it.

The import wizard also consists of several steps, allowing you to upload a file, ...

choose which items in the file to import and whether to overwrite any existing matching items of create new items.

The import runs in a transaction, so if any modified file content fails validation it will rollback...

allowing you to make changes and retry.

Requeuing Stages

The last stage of a completed build can now be requeued, providing that it has failed, stopped or errored, and the server workspace is intact.

If no parts of the server workspace have been removed by the cleanup process, then a Requeue Stage button will be shown after the last stage in the Stages list on the Build page.

This allows you to requeue and execute the stage again!

You can also optionally make changes to the stage actions and requeue the stage with the latest changes.

Multiple Daily Cleanup Rules

Each rule can include one or more by-product to clean up.

Download the installers for Continua CI v1.9.2 Beta from the Downloads page

Daily Builds with Continua CI

Sun, 24 May 2020 09:22:55 GMT

Generally, at VSoft, we like to build. So we build every commit and this allows us to look back at our build history and see which changes caused the build to fail. We use manual stage promotion to prevent every build being released until we decide that it is ready to go.

Many teams like to trigger a build at the end of each day, or during the night, compiling the work for the day in one single package.

The obvious choice for this scenario is the Daily Trigger. This can be set to run a build at a specific time every day, or just weekdays - even just weekends for those with alternative lifestyles.

But what if the team is just having a design day, is off on a team building excursion or, perish the thought, a day of meetings! No commits are made, but the daily build still runs even though there are no changes. One possible solution is to use a Discard condition.

This will prevent the build running if there are no changes since the last build.

Another option has been added to Continua CI recently. The Quiet Period setting on Repository Triggers now allows you to enter an End Time rather than an Interval.

Any builds triggered from a repository change are then queued right through the day until the specified end time. Any additional changes added to the configuration repositories during the day are added to the queued build, and when the end time comes up, the build executes on the latest changeset.

If you're going home earlier than the end time and want stuff deployed already, you can swiftly end the quiet period at the click of a button. Using a repository trigger in this way means that you can ignore changes to some files, changesets with a specific comment, or commits from certain users.

- like that hands-on manager who thinks of his commit count as a key performance indicator.

Introducing DPM - a Package Manager for Delphi

Thu, 12 Dec 2019 09:41:00 GMT

Back in Feb 2019, I blogged about the need for a Package Manager for Delphi. The blog post garnered lots of mostly useful feedback and encouragement, but until recently I could never find a solid block of time to work on it. Over the last few weeks I've been working hard to get it to an mvp stage.

DPM is an open source package/library manager for Delphi XE2 or later. It is heavily influenced by Nuget, so the cli, docs etc will seem very familiar to nuget users. Delphi’s development environment is quite different from .net, and has different challenges to overcome, so whilst I drew heavily on nuget, DPM is not identical to nuget. I also took a close look at many other package managers for other development eco systems.

What is a Package Manager

A package manager provides a standard for developers to share and consume code. Authors create packages that other developers can consume. The package manager provides a simple way to automate the installation, upgrading or removal of packages. This streamlines the development process, allowing developers to get up and running on a project quickly, without needing to understand the (usually adhoc) way the project or organization has structured their third party libraries. This also translates into simpler build/CI processes, with less ‘compiles on my machine’ style issues.

Who and Why

DPM’s initial developer is Vincent Parrett (author of DUnitX, FinalBuilder, Continua CI etc). Why is discussed in this blog post.

DPM Status

DPM is still in development, so not all functionality is ready yet. At this time, it's at the stage where we I would encourage library authors to take a look and play with it and provide feedback (and perhaps get involved in the development). It's very much at a minimum viable product stage. Potential users are of course welcome to look at it and provide feedback, it's just that, well, there are no packages for it yet (there's some test packages in the repo, and I'll be creating ones for my open source libraries). .

What works

Creating packages
Pushing packages to a package source.
Installing packages, including dependencies
Restoring packages, including dependencies.

How do I use it

The documentation is at https://docs.delphi.dev

See the getting started guide.

The command line documentation can be found here.

The Source is on GitHub https://github.com/DelphiPackageManager/DPM

Is DPM integrated into the Delphi IDE

Not yet but it is planned. If you are a wiz with the open tools api and want to contribute then let us know.

Is there a central package source

Not yet but it is planned. At the moment, only local folder based sources are supported. The client code architecture has a provision for http based sources in the future, however right now we are focused on nailing down the package format, dependency resolution, installation, updating packages etc.

Is my old version of delphi supported

Maybe, see here for supported compiler versions. All target platforms for supported compiler versions are supported.

What about C++ Builder or FPC

see here

Does it support design time components

Not yet, but that is being worked on.

How does it work

See this page