topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Wednesday December 11, 2024, 10:47 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Digital Signature to verify Publisher...  (Read 22941 times)

Codebyte

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 160
  • "Premature Optimization is the root of all evil."
    • View Profile
    • CodeByter.com
    • Donate to Member
Digital Signature to verify Publisher...
« on: June 26, 2008, 10:47 PM »
So I was wondering how I could sign my executables with something that would verify the true Publisher... Here is a sample image referring to what I am talking about:



I wanna get it to look like this:

CodeByter.com - http://www.codebyter.com

mwb1100

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,645
    • View Profile
    • Donate to Member
Re: Digital Signature to verify Publisher...
« Reply #1 on: June 26, 2008, 11:48 PM »
I've never actually done it myself, but have worked at companies that signed their code - apparently it's a little complex getting set up, but once you have the scripts and certificates in place it's all basically automatic.

You can get started and test things using tools in Microsoft's SDKs:

http://msdn.microsof...aa379872(VS.85).aspx

But to sign code for public release, you need to purchase an official code signing certificate, which apparently costs at least $80/year:

http://www.wintellec...han-you-thought.aspx


Shades

  • Member
  • Joined in 2006
  • **
  • Posts: 2,939
    • View Profile
    • Donate to Member
Re: Digital Signature to verify Publisher...
« Reply #2 on: June 27, 2008, 10:59 AM »
Installing OpenVPN and OpenSSL gives you the option to create your own certificates, Certificate Authority etc, etc...for free! Besides that, you can select the strength of them as well (512/1024/2048bit keys).

It is easy to do. Instructions are included and if it still gives problems send me a message.

EDIT: Ooops, did not read right. For showing your name in a certificate you need to register yourself with the big names in the field (VeriSign and others like that)...
« Last Edit: June 27, 2008, 11:11 AM by Shades »

jgpaiva

  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 4,727
    • View Profile
    • Donate to Member
Re: Digital Signature to verify Publisher...
« Reply #3 on: June 27, 2008, 11:05 AM »
Shades: would that work in that dialog? Doesn't the certificate have to be signed by microsoft somewhere along the chain?

Codebyte

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 160
  • "Premature Optimization is the root of all evil."
    • View Profile
    • CodeByter.com
    • Donate to Member
Re: Digital Signature to verify Publisher...
« Reply #4 on: June 27, 2008, 11:16 AM »
eww... doesnt look like this is gonna be cheap...
CodeByter.com - http://www.codebyter.com

Shades

  • Member
  • Joined in 2006
  • **
  • Posts: 2,939
    • View Profile
    • Donate to Member
Re: Digital Signature to verify Publisher...
« Reply #5 on: June 27, 2008, 11:20 AM »
Some two years ago I did quite some research on the matter and I learned then that you have to pay a lot (annually) if you are a person who wants to certify...and a whole lot more if you are a business.  >:(

By that time there was an Israeli company that didn't charge for this at all, but it was not accepted as a valid CA. However, that should be done by now. Unfortunately the name escaped from my mind  :o

Codebyte

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 160
  • "Premature Optimization is the root of all evil."
    • View Profile
    • CodeByter.com
    • Donate to Member
Re: Digital Signature to verify Publisher...
« Reply #6 on: June 27, 2008, 11:31 AM »
Ahh, that would have been cool, but no worries... The more that I'm thinking about it, ill just deal with it lol... Unless of course I happen to write something worthwhile lol! Thanks for all the help Shades!
CodeByter.com - http://www.codebyter.com

Shades

  • Member
  • Joined in 2006
  • **
  • Posts: 2,939
    • View Profile
    • Donate to Member
Re: Digital Signature to verify Publisher...
« Reply #7 on: June 27, 2008, 12:41 PM »
Some links that might be interesting:

The Israeli company:
http://cert.startcom.org/

Overview root CA's (pie chart):
http://news.netcraft...rvey/CMatch/certs_il

Reasoning behind the use of root certificates:
http://www.math.ucla...uments/certauth.html

mwb1100

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,645
    • View Profile
    • Donate to Member
Re: Digital Signature to verify Publisher...
« Reply #8 on: June 27, 2008, 02:16 PM »
However, remember that not any SSL certificate is considered acceptable for the purposes of code signing.  The certificates accepted for code signing are different from the certificates that browsers accept for SSL.

As far as I know, there are no free code signing certs.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Digital Signature to verify Publisher...
« Reply #9 on: June 27, 2008, 05:46 PM »
As mwb says, code cert != SSL cert. And self-signed certs aren't very good for SSL sessions, unless you have pretty specific purpose. It's a good thing that there aren't any free code signing certs, and that you can't self-sign... Yes it's a damn bother, and yes it should be a lot cheaper, but it helps in the fight against nasty malware.
- carpe noctem

Shades

  • Member
  • Joined in 2006
  • **
  • Posts: 2,939
    • View Profile
    • Donate to Member
Re: Digital Signature to verify Publisher...
« Reply #10 on: June 27, 2008, 07:11 PM »
I totally agree with your reasoning f0dder. And indeed, my research served a specific purpose, it was for a piece of software that quite a lot of big companies pay annually for (a number with 4 to 5 zeroes behind it, depending on their size)...so there was already a level of trust and with self signed cert's also an increased level of safety.


f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Digital Signature to verify Publisher...
« Reply #11 on: June 27, 2008, 07:20 PM »
I totally agree with your reasoning f0dder. And indeed, my research served a specific purpose, it was for a piece of software that quite a lot of big companies pay annually for (a number with 4 to 5 zeroes behind it, depending on their size)...so there was already a level of trust and with self signed cert's also an increased level of safety.
Yes, for some very specific situations, a self-signed cert can be safer than blindly trusting root CAs. But you need to design your software just right, otherwise it's a train wreck on it's way :) - and self-signed cert certainly isn't a good idea for regular web sites.
- carpe noctem

jojo99

  • Participant
  • Joined in 2008
  • *
  • default avatar
  • Posts: 40
    • View Profile
    • Donate to Member
Re: Digital Signature to verify Publisher...
« Reply #12 on: July 12, 2008, 04:59 AM »
One of the bigger companies that sell code certificates is Comodo (the same people who offer the free Comodo firewall).  Looks like code signing certs are $167/year.  Go here:
http://www.instantss...e-signing/index.html

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Digital Signature to verify Publisher...
« Reply #13 on: July 12, 2008, 08:41 AM »
Microsoft's code signing is nothing short of a complete disgrace. I'll stick with the good ol' gpg sig with the release.

Ehtyar.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Digital Signature to verify Publisher...
« Reply #14 on: July 12, 2008, 10:10 AM »
Microsoft's code signing is nothing short of a complete disgrace. I'll stick with the good ol' gpg sig with the release.
It's a good idea, but probably not implemented/enforced in the best way possible... especially because it's not really attainable for hobbyist developers.
- carpe noctem

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Digital Signature to verify Publisher...
« Reply #15 on: July 12, 2008, 06:48 PM »
Microsoft's code signing is nothing short of a complete disgrace. I'll stick with the good ol' gpg sig with the release.
It's a good idea, but probably not implemented/enforced in the best way possible... especially because it's not really attainable for hobbyist developers.
You can hardly give them credit for the idea...authors were attempting to package signatures with their works for a very long time before Microsoft waddled along with their "code signing". It's a bit of a slap in the face to most developers IMO, especially when Microsoft already had SSL/MIME certs at their fingertips, and chose to completely ignore them in favor of charging developers exuberant amounts of money for something they're already capable of doing in a slightly-less-integrated manner.

Ehtyar.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Digital Signature to verify Publisher...
« Reply #16 on: July 12, 2008, 06:57 PM »
Random companies signing their stuff in random ways = no level of trust.

That you have to go through Microsoft to get code signing means not just everybody can do it, and gives the certs some degree of trust. After all, if anybody could self-sign their executables, what would stop me from making über-evil malware and making the cert look like it came from Macromedia? :)
- carpe noctem

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Digital Signature to verify Publisher...
« Reply #17 on: July 12, 2008, 07:08 PM »
Random companies signing their stuff in random ways = no level of trust.

That you have to go through Microsoft to get code signing means not just everybody can do it, and gives the certs some degree of trust. After all, if anybody could self-sign their executables, what would stop me from making über-evil malware and making the cert look like it came from Macromedia? :)
It's called a certificate authority, and they've been doing what Microsoft took upon themselves and charged through the nose for, for quite some time. They also provided the infrastructure, already available in Windows as Microsoft so....generously....provide their users with Internet Explorer. As far as I'm concerned, Microsoft will never be the knight in shining armor in this case.

Ehtyar.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Digital Signature to verify Publisher...
« Reply #18 on: July 12, 2008, 07:11 PM »
I don't really have faith in the CAs... iirc there were some posting about just how easy it is to do a little social engineering and get certs you really shouldn't have.
- carpe noctem

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Digital Signature to verify Publisher...
« Reply #19 on: July 12, 2008, 07:18 PM »
I don't really have faith in the CAs... iirc there were some posting about just how easy it is to do a little social engineering and get certs you really shouldn't have.
And I'm sure Microsoft, having been in the CA role for all of...what, two years?...are completely invulnerable to any such thing. It's all well and good to play Devil's Advocate, but i think you're clutching at straws here f0d man.

Ehtyar.