It's that time again (code signing certificates)

As I said in a previous, post code signing annoys me these years like as networks did many years ago. I've just had to renew my Comodo code signing certificate, and as usual K-Software (a Comodo reseller) made it as painless as possible. 

The process has not changed, but the graphical interface of Firefox has. So for my own future self and for others in my position now here's how it is done.

Once you have ordered the certificate from K-Software, and they have worked their magic in the case of any hiccups with Comodo, your'll get an email from Comodo, something like this:

Click on the link in the email and  the next thing you'll see is a web page on the Comodo site which asks you to enter your collection code. If all has worked well the collection code will appear in the web page automatically:

Click on the Collect Certificate button and the next screen you see should be like this:

The phrase about backing up the private key is a bit misleading if you intend to use the certificate to digitally sign your executable file. "Backing up" the certificate actually creates the file you'll use to do the code signing. So it is not really just a backup, it is central to the reason I bought the certificate.

You can see the certificate you have just collected by doing this (in FireFox):

And then selecting the certificate you want to view as shown below. Note that you can assure yourself that it is a SHA256 certificate by going into the details tab, also shown below.

 Remember that you save the pfx/p12 file by "backing it up" as shown below:
So if you've managed to save the file you can now use it to sign your executable programs.

And it does not guarantee anything to the person downloading your file, it only gets rid of the big red warning message when they download it. But that warning message could mean a lost sale...


Xamarin: Finally compiled a C# program and ran it on an emulator

After about 20 hours of downloading Xamarin and Android SDKs (see here) I finally got VS2015 (apparently) able to compile C# code into an Android program. Remember that the native language of Android is Java, so Xamarin cleverly converts from C# to Java. Anyway the download and install carried on apparently without errors and with a condesceding message from the programmer in the dialog box:

"Don't worry we've got this. Why not do some tutorials while you wait?"

I hate it when programmers talk to the public in that "I'm friendly but I know better than you" tone. Or even like this. Or this

Despite my cynicism the download and install completed without error. So I could start the tutorial (again).

I followed the tutorial. There were a few mis-steps, but I noticed immediately that I felt at home, I knew my way around VS2015, while Android Studio was a new beast. As I saw the fragments of C# my annoyance at the huge Xamarin download began to float away.

I got these errors as I trundled along, for example: "This project contains resources that were not compiled":

Hmm. Ah. Does it? I'd followed the tutorial, so why the message? I closed the project and re-opened it, and all was well. Ah. Hmmm.

Then: "String types not allowed (at id with value..."

I was completely baffled by this one, and only a Google search for the exact phrase could resolve the question. I'd used " @+id/TranslateButton" instead of "@+id/TranslateButton". Spot the difference. There is a leading space in my erroneous version. My fault.

Once when I tried to open the layout of the screen I got a "Incorrect parameter" message box. Ok. Tried again and it worked. It feels like lots of complex, delicate and not bug free stuff is running around behind the scenes. Nervous making.

Then, after changing target Android versions (a slightly scary nightmare in itself) I got the "For some reason we could not reload the project." message:

"For some reason..."? "For some reason..."? What does that mean? It's a bit like the "Something went wrong" message I talked about in the previous post. The programmer who wrote that message...he's found out there's an error, but can't understand what it is. Hmmm.

Luckily since I'd already tested Android Studio the Android emulator was installed.  But it crashed or my program crashed or "something else went wrong" to use the technical gergo of Xamarin. Eventually, after fiddling around with SDK versions and emulated phones I got the Phone Word app to run. It crashed in the end, I think because I tried to phone from the emulator, and the emulator can't do that.

So...so I'm not used to getting errors like this in VS2015, C++ and C# for Windows. But I found myself anyway more comfortable in this more error prone environment than in Android Studio. 

So I'll probably stick to Xamarin in VS until I can see a compelling reason to change.


How does Xamarin compare to Android Studio? (Something went wrong.)

Well, for a start, I found the Xamarin versions and options and downloads totally confusing. After a lot of work and a lot of hours uselessly downloading I've understood (maybe I'm wrong) that
  1. Xamarin Studio only really exists for the Mac (free).
  2. You can use Visual Studio (preferably 2015) with a Xamarin add on to create Xamarin programs.
  3. What is called Xamarin Studio for Windows is really "Mono", an open source program. It is hard to find out if it is still maintained and usable.

As I say I may be wrong and it took me a long time to garner even this little information.

I'm interested in Xamarin for two reasons
  1. I know C# so I don't have to learn Java, which I would have do with Android Studio.
  2. I know the VS2015 IDE, so I would not have to get used to the Android Studio way of doing things.
But what, I hear you say, about targetting Apple products, which is supposed to be the great advantage of using Xamarin? Here are the reasons I don't care about portability:

  1. Mr. Google tells me that in February 2016 Android devices had a 80.7 percent market share, while iOS recorded 17.7 percent market share (economic reason).
  2. I tried to write a program for the Apple Mac years ago, found the IDE a crashing disaster, help a crashing disaster, Objective C a bastard language (emotional reason).
As Android devices continue to fall in price I doubt that the iPhone market share will increase.

Anyway. After multiple attempts to get the Xamarin add-ins into VS2015 I work through an example project, and within 2 minutes I'm presented with this screen inside VS2015:

Hmmm. Android Studio is not looking so bad now. I have to go now, but I'll let you know if the update of the Android SDK improves anything...

13 hours later and the Android SDK manager is still downloading even though I unchecked all of the older versions...

Getting there...


Running the Android Studio emulator

Ha! I'm beginning to grok this thing (a Robert Heinlein would have said).

When you click on the green run button in Android Studio...

...you need to have run the emulator at least once in that session to get it to appear in the list of available devices. Otherwise you just get a blank list. So if you intend to run your program in the emulator click on AVD manager:

On my machine the Tools menu is only built up over the first minute that Studio is run. So initially it only contains Tasks & Contexts and Save File as Template, which is disconcerting. You just have to be patient till al the menu items are loaded.

Then hopefully you'll see a list of virtual devices which you have previously set up. Once the emulator is running you can get your app running by pushing the main green button in Android Studio...

It did run but I got a scary message that I was trying to use 1500MB in a 512MB emulation.
Ah. What now? Mr google and stackoverflow came to the rescue by telling me to edit the virtual device, reducing the ram setting. 

If you are used to Windows changing the properties of something is often done with a right click and selection of properties. So I tried that. There was a menu, but no properties entry. Hmm. I put all three of my neurons to work and saw the pencil icon...

Clicking on the pencil gave me the dialog to change the ram size of the emulated device, once I'd click on "advanced". I found the edit box to change and clicked on Finish...

...But again Android Studio seemed to hang. It hadn't, but there was no indication (with a hourglass cursor or something) that it was working away properly. It was disconcerting.

In the end though changing the ram down to 512MB got rid of the warning.

I'm still not sure about Android Studio, it seems clunky and slow, but maybe Xamarin is worse! Which is the reason for these blog posts, I want to be able to compare the two...

Here's how I got on with Xamarin...


Why I tried Android Studio first, and how I got on.

As I mentioned in my previous post, I have a 3 neuron brain, and I require clarity and simplicity to get anywhere in my thought processes.

Android and Android Studio seemed to me a good choice because everything was already set up. I just had to write the program, let Studio create the APK, and count the groats from the Android app store, or play shop or game supermarket or whatever it is called.

I was also attracted by the tutorials, there seemed to be a good place, developer.android.com, where I could follow step by step lessons in creating apps. It seemed to me that there was a one stop shop for writing, debugging, delivering and monetizing mobile apps. It was that in the end which decided me.

Xamarin lost because of the huge download, and JavaScript + HTML + Cordova lost because the tutorials I found seemed less appetising. Depending on how Android Studio goes I may come back to either or both of these.

So I downloaded and installed Android Studio, it took several hours, but seemed to go without problems, apart from a component download which failed, which it re-downloaded automatically without any prompting from me. I guess the whole download was about a fifth of the Xamarin one (which I never finished).

Once installed I noticed it seemed very very slow, especially compared to what I was used to with Visual Studio 2015.

Anyway I went here https://developer.android.com/training/basics/firstapp/index.html to learn how to write my first app with Android Studio.

You have to enable Developer Options in your device (smartphone or tablet)  if you want to be able to send APK files from Android Studio to it. If you can't see Developer Options under Settings go into the About Phone and tap the Build Number 7 times.  Developer Options is sometimes hidden by default, hence the 7 tap system to make sure it is only activated if you really really know what you are doing. Or at least think you know what you are doing.

All went well until I tried to load the program onto my Lenovo tablet. It is oldish, but I had selected the lowest Android OS (JellyBean I think it was) as the target of my simple app. Android Studio could not see the device:

"No USB devices or running emulations detected." Hmmm. I tried a phone, still same problem. I had to change USB socket. Then it worked. Compared with the first USB I used, the second working one was USB 2.0. Maybe that was the problem.

So. Voila.

You can just about see Hello World at top left.

The next lesson was about using an emulator to run your APK on a virtual Android device. I followed the steps and got to the final screen:

It was confusing because although Finish was not greyed out clicking on it did nothing. Casting my eyes around the dialog I see a "recommendation." A recommendation...what's that? A bit of advice?

"VT-x is disabled in BIOS" Hmmm. Is it? Do I care?

Will it run anyway? I mean. Maybe there is software emulation (which I thought this was) and fiddling with the BIOS will just make it run faster...? I mean, a recommendation is not an error is it? Yes it is.

I've never come across this ever before, but you need to enable hardware emulation in the BIOS before you can run the (software?) emulation of an Android device. Well if that it true the emulation must run really fast...!

I had to restart my computer three times before I found out which thing to click on the BIOS to enable virtualization, as it is called. On my machine it is this button:

I had to wait for a lot of things to get going inside Android Studio before the emulation would run. I mean, lots. In fact I thought the thing had crashed. So after a minute or so I pushed the RUN button again (it was alive and green, no indication that it should not / could not be pushed)... And I got this scary message:

I imagine that what had happened was that the emulator was still loading up its first instance, and there was no memory for two instances of the emulator. That is my guess. But it was unclear from the above message, so it is only a guess.

Finally I got to the stage of seeing my app in the emulator:

It takes time to gain confidence in a new development environment, but I am not impressed so far. It is very very slow, messages are ambiguous, greying out is not used (or is not used consistently) to indicate which buttons are validly actiove or not.

Still, I admit that a bit more experience may change my mind...

The next post is again about the emulator.


Can I learn to program mobile devices?

Not sure how long this will last, but I'm doing these entries because
  1. I've heard that the best way to learn is to trying to teach what you are trying to learn. That seems to be have been true when I wrote my book "Candelas Lumens and Lux".
  2. I've learned so much from other blog posts maybe I should join the contributing community.
  3. Publicly committing to something makes it more likely that the thing will get done.
I was faffing around wondering which platform to use for a few ideas I have for mobile apps. I've already done one WEB app, which has had rather limited success (Ok, zero sales). It is a web site which allows you to create European Energy Labels. I did it because I know about the labels, and I wanted to learn C#/WEB apps and I hoped I'd be able to sell the service...

Despite the commercial failure of EuEnergyLabels.com I did learn about WEB apps and I did learn C# (which must rate as one of the very best computer languages ever invented). 

(I think I failed commercially because many of the labels had already been required by law for 4 years when I entered the market, so many large companies already had graphics studios or internal software for creating them.)

The energy label app works on all devices, Windows, Android, iPhone, Mac etc. So why not use the same technology (C# running on a web site) for my other ideas?

One thing I saw was that paid apps on Android devices often work by the user paying and downloading the APK (Android application package) of the full package, and that is that. With a web app how would I monetise the thing?

I found out that there are systems for turning a web page of javascript and HTML5 and graphic libraries into APKs, but I could not really find a clear simple explanation of it. And with a 3 neuron brain like mine clarity and simplicity are essential.

And anyway, was there a way of making a C# + site application into an APK? I did not want to learn a new language after discovering how great C# is.

So I came across Xamarin. Xamarin is a system which is supposed to port C# applications to all systems, including Windows, Android, Apple phones and Apple computers. I started to download it, but two things made me stop:

  1. It was HUGE. It looked to me as if it would take about 2 days to download everything.
  2. I saw that it looked (from the icons) like it installed Visual Studio. I don't know which version, but since I already have Visual Studo 2005 2010 2013 and 2015 on my PC I did not want some new installation to upset my money earning working compilations. Maybe a silly fear, I know.

Whether my reasons were good or not I interrupted the Xamarin download. I intend to look at Xamarin in another computer another day.

So I went back and looked again at HTML5 + JavaScript + ... + what? Cordova apparently,

Cordova seems to be a way of packaging your app so it will run on all mobile devices. But again the confusion in my mind put me off. Is it Apache? Why is there Cordova inside VS2015? Does Microsoft's Cordova compete with Microsoft's Xamarin? If so will one lose? Which one? How do I monetise? If it is Apache open source am I even legally allowed to monetise? What is Phone Gap? Who cares? Pass the whiskey. Can I have some ice in that?

My next post will be about my first Android app created with Android studio. And why I chose Android Studio.

If the self is an illusion...

If the self is an illusion (as some Buddhists and some pyschologists and some scientists say), then...er...who or what ...er... is "illuded"?
The definition of illusion is "a thing that is or is likely to be wrongly perceived or interpreted by the senses." So something/one percieves or interprets.

I've no doubt  "selves" change and die, but at the moment, now, who or what is having the illusion that the self exists?

(And for all those who say the self is an illusion I'd ask them to go and do some painful dental work without an anasthetic, and find out who or what feels the pain.)

But my main question remains who or what is illuded?



You are going to be dust sooner than you think, so...

I was born before smartphones phones had been invented, (before even mobile phones were around come to that). I won't bore you with my objections to their use. Not objections to the objects themselves, but their use. Anyway. I'll try to stop being a boring old fart.



I was at restaurant with some friends by an Italian lake one evening.  The view was, well...

And the Moon was out. I walked ten meters to the shore to look. I took a photo.

I said "There's a lovely crescent Moon." (A bit blurred in the photo, wonderful in reality.)

Someone else took a photo on their phone. They showed it to a third person seated at the restaurant table (outside, not in the restaurant). This person said: "But Owen, it's a full Moon! Not a crescent Moon!" 

"It is a crescent Moon... have a look," I replied. They didn't.

The smartphone camera made the Moon look full, on the screen. That is not what I am objecting too. Smartphone cameras are amazing but they can't be perfect.

I object to the fact that someone would rather believe a photo rather than get up, walk a few paces and look at the Moon themselves. Directly.

And I object to the fact that rather than looking at the world in front of their eyes they prefer to look at photos on tiny screens.

I went to see Cirque du Soliel' at the Milano Expo last year. As usual they were amazing, and the climax so full it was hard to know what to look at on the stage. And there were a few idiots in the audience filming it on their mobile phones, looking at the little screens, maybe imagining that like that the experience would be eternally preserved. They were missing everything.

There is only now, especially with something like the Moon over a lake, or a 'Cirque du Soliel' performance.

You are going to be dust sooner than you think, so look at the world in front of you now.

(This post has been a bit preachy I know, but I'm too far along the road to give a flying $!£k.)


At Ease.

I listened to a tribute on Pierre Bourdieu. On the BBC Thinking Allowed podcast. According to the podcast, one of his ideas was that the French system of egalitè to some extent does not work because working class people do not feel at ease with middle/upper class people, even though the working class people are as intelligent as the others. That ill at ease is a barrier which few can overcome, (though Bourdieu did).

Which reminded me of two meetings I had in the same week some time ago and how I felt ill at ease in one of them (in an art gallery) and totally at ease in another (in a technical design office).

Two art professionals (not artists) had finished organising the details of my exhibition and so passed onto a more interesting subject. They tested each other out about the living and relatively famous artists they knew and could count as friends. It was a gentle battle of name dropping. I remember feeling uncomfortable and wandering away to look at the art in the gallery. I left the two combatants to carry on testing each other.

Then a few days later I had a meeting with some engineers and technicians to discuss the sizing of a power supply for some custom test equipment. I actually had little to contribute, it was a bit out of my field, but I remember sitting there completely comfortable with the people and what they were discussing.

And I like meeting other (visual) artists too. The ones who actually do stuff with their own minds and hands. We exchange tips, experiences and jokes and there is no competition.


"Science is Limited" said Dorothy Cross.

I nearly fell out of my bed as I listened to a podcast of this idiot as she described her latest artwork. Bath tubs with gold at the scum line being watched by a shark's eye which the viewer of the exhibition cannot see but must be told exists. Sorry, she may not be an idiot,
maybe she's just in bad faith, or maybe just deluded.

And then she said "Science is limited."

It's a bit of a cliché but what has science (and technology) ever given us? Everything this imposter has ever used. The building she exhibits in. The cell phone she uses. The lighting in the gallery. The bed where she sleeps. Her credit card. Asprin. Surgery. Brain surgery. Ideas beyond her paltry imagination certainly. Relativity. Knowledge of genes. Super-computers. Shrek. Images from a space beyond imagination, beyond even an artist's imagination. Presumably also the embalming used on the shark's eye. 

Maybe she's not be a detail person. Let the mere technicians do that.

Anyway let's compare once instance of what she has done with one instance of what science has done.

Artwork by Dorothy Cross

Image from the Hubble Telescope, This turbulent cosmic pinnacle lies within a tempestuous stellar nursery called the Carina Nebula.

And the sad thing is she is proud of her scientific ignorance. By luck she is making money from this stuff, but probably imagines that it is due to her concepts and skill.

(The podcast was from BBC Radio 3 Arts and Ideas. "Free Thinking - Mystics and Reality"It was saved by intelligent contributions from Joanna Kavenna and Jo Dunkley.)


Like Jewels

It had been raining all night and when I got up in the morning the plants on the balcony had drops of rain on them like jewels hanging down.

First I saw them then the phrase "like jewels" jumped into my mind. Which was a pity because "like jewels" is almost a clichè and took away from the sight the actual beauty of it. Almost as if once described with a poetic clichè … what?

I've said in an other blog post that saying that a cloud looks like a dog with a ball or a laughing head destroys and distracts from the real beauty of the cloud.

And so does the phrase "like jewels" when talking of drops of water, backlit, hanging from the green leaves. After that five second slip I managed to get back to the joy of the vision, without thinking of anything else.

The photo does not convey the reality of what I saw, maybe 5% of it. Real life dynamic human binocular vision is still better than photos.


"There's a bishop at the door." Is that a Euphemism?

You'll have to listen to "Fags Mags and Bags" to find out...

...it takes some time to get into the series, but is well worth the effort.


Neural Fusion

"Hells bells!" I thought to myself. "It's Valentine's Day!"

And though it is very commercial, you can't ignore it. Not if you're married to an Italian. Not if you don't want to wake up dead on the 15th. So, just in time, I went to the florists and bought seven red roses. I was lucky, there were no other customers, plenty of roses left.

(Seven. That's right isn't it? I mean. Twelve seems such an unromantic number. 12 inches to the foot. And twenty-four! That is even more unromantic. Twenty four hours in a day – boring. But seven is a magic lucky number.)

As I handed the florist the money I thought: "It seems only yesterday that I was doing this very same thing, and yet it was a year ago."

And when my wife came in that night she was very pleased to see the vase with the seven roses in the center of the table.

"They're lovely! But why?"

It struck me then that it was March the 14th, not February the 14th. My March and February neurons had fused, temporarily I hope.

"Because you deserve it," I replied.


Before they started making things, did primitive humans...

I wonder, before they started making things, did primitive humans have an idea of a Maker with a capital M?


Violence. Boring. Tension. Boring.

On Saturday morning I reviewed "The Glorious Heresies", a novel by Lisa McInerney, on Amazon. Saturday night I went to see "The Revenant". Both struck me as having the same structure. Violence and boredom, tension and boredom. After 50 pages of "The Glorious Heresies" I got the feeling that the rest of the book would be the same. Portraits of the violence and desperation of the poor in Cork, Ireland. Page after page would be the same.
I stopped reading because of the tedium of it.

After the first 30 minutes of "The Revenant" I began to think that the rest of the film would be more of the same. I was right. Violence, tension, boredom, wishing the film would end. As I sat there I wondered if it was so hard to make an artwork of some kind which is not so... so... violent. It seems to me that it mocks the real stuff happening to real people.

Another thing the book and the film had in common was that they were both very well made. No denying that.

So is it possible to make something engaging and interesting without having to use the cheap easy thrills of blood-splatter and sadistic lust?

(And don't go on about how hard it was to make the film, no doubt DiCaprio was well paid for the effort. And by the way, every time I saw DiCaprio I thought "Oh, look, DiCaprio." That is not his fault. I have no idea if he is a good actor or not. But once an actor is famous I always see the actor before I see the part he is playing. One of my many limits.)


I hate code-signing like I hated networks in the 1980s.

Warning: This blog is a mix of technical help to those in the same situation as myself, as well as a gripe/snarl/outpouring/angry rant about of the idiocy of this. Ends with an expletive not deleted.
In the 1980s getting a network to go between 2 or more computers was, to me, a chaotic enterprise. The knowledge you needed was baroque and ever changing. So as soon as you understood it the technology would change and you'd have to learn new stuff to do the same thing all over again. So I left networks to the masochists who liked them.

Now there's another subject about which I have the same feelings. Code signing. I have to do it once every three years or so and I forget how it works each time, or it changes how it works each time. So I hate the subject.

But I thought: If I blog about it I'll have to be clear, precise and informative in the blog. I'll have to really understand it.

So here goes...

Code signing means adding some bytes to a program so that if it is altered by a virus (or less menacingly copied badly because of a hardware or download error) the infection (or error) can be detected.

Microsoft gives red-alert warnings if you try to download or install a program which has not been code signed.

So I have been signing all my programs and all my install exes for years. I was smug and happy until January 2016.

The idea of code signing is to guarantee two things:

  1. The source of the program. When a program is associated with a publisher's unique signature, distributing software on the Internet is safer.
  2. The fact that the program is not infected by a third party or damaged.

However it does nothing of the sort.

A code signing certificate is something a trusted authority (like Comodo) gives you, the developer. It is the certification authority which says "Yes, this is who made this program." (Note it does not say that the program is safe, just that it purports to say where the program comes from.) Once the program or installation is code-signed you cannot deny that you did. (Even if you didn't.) It makes you take responsibility for the file. (In theory.)

So if you right click on a Windows program and select properties you'll get a dialog with a tab which says Digital Signature. Here it is on an Italian system:

Programs which don't have a digital signature don't have that tab.

The problem for me is that, now, in January 2016, Microsoft is telling users that programs which are code-signed using an older method have corrupt or damaged digital signatures. Here it is in Italian:

With a big red warning! The words corrupt and damaged really scare potential customers. So I need to move to the newer more secure codesigning certificate. I used SHA-1 to avoid that warning in the past, but now have to use SHA-256 to avoid that warning.

That is the only reason I will sign code. I repeat: Code signing does not guarantee anything to anyone, except that user's won't get a big scary red graphic warning on download.

The more I read about code-signing the less I am impressed. I use the Tarma installation creator for my programs. But look what Tarma says about code-signing:

"Digital signatures do not solve any major software problems and introduce a few of their own." All I am doing by signing my executable files is jumping though pointless hoops to avoid the big red warning.

With code-signing there are two numbers, a public key and a private key. The private key is the one I, the developer, own. It is stored in my browser or in a file on my computer. The problem is that anyone who gets hold of the private key can sign any program and say it came from me. And Windows will believe it. In fact so will workers in nuclear power stations, as the stux-net virus proved. Search "stux-net virus and code signing" in your favorite search engine to find out more.

Code-signing works if you know you can trust the issuer of the certificate and the user (me, the developer) of the certificate. But how the hell do you know you can trust the user of the certificate? Because his .EXE files are digitally signed! But the .EXE file may be signed with a stolen private key file. So you'll never know you can trust the user unless you work with him, in the office and see how he stores his private keys.

The private key is only known to the owner, you. In theory. If it has not been stolen. You, the developer, should store you private key well. Like on more than just your old hard disk. The digital signature (which is put inside your EXE) is created using your private key.

The public key is known by anyone who wants to. The private key generates the signature, the public key validates it. 

So when you right click and see the digital signature tab Windows puts the two keys together (one inside the EXE and one on a server) and decides if the EXE is safe.

What is going on is that from January 2016 Microsoft has changed what it considers a valid code sign. Reports of big red warnings on my software began coming in. "Expletive deleted!" and "Hells Bells!" I thought. "I am signing them and my certificate has not expired. What is going on?" MicroSoft changed the hoops to jump through.

So, if you're a developer here is an overview of the steps to code sign your files.

  1. Buy a certificate. I buy mine from K-Software (an excellent service) who are resellers of Comodo.
  2. You will be sent a "collection link." Visit the link using your browser (the same browser you used to order the certificate) and the certificate will be placed inside the "store" of your browser.
  3. Export your certificate from your browser using the advanced options in the browser. It will be a .PFX file. Firefox will call is a .P12 file, just rename it to have the .PFX extension. The .PFX file contains the private key and the certificate.
  4. Use the PFX file in the tools which can be used to codesign your executables.

I was slightly comforted that I heard that Comodo (a code signing authority) had an "insane backup" of upgrade orders, so I wasn't the only one caught out.

(What is the PFX file? It contains the certificate and the private key. It may be password protected. It combines .spc and .pvk, or maybe is directly made from the browser. .P12 and .PFX are the same.)

Anyway. I thought I'd sussed it when I managed to get an SHA-256 siganture:

But I'd forgotten to use the SHA-256 certificate:

So when verifying your EXE files make sure that they are signed with SHA-256 and that they contain a SHA-256 certificate. Thanks again to K-Software for pointing this out.

BUT BUT BUT: Microsoft now does not give a warning when someone downloads my files, however it does give a Big Red Warning when they try to install them from Internet Explorer if the files are new. So I've jumped through the hoops of a security system with huge holes (?!?), imposed by Microsoft... and they still tell users not to install my programs. Expletive deleted. Or maybe not. Fuckit.

(My latest post about code signing, the practical steps, is here.)