
Digital Signature to verify Publisher...


Ehtyar:
Microsoft's code signing is nothing short of a complete disgrace. I'll stick with the good ol' gpg sig with the release.
-Ehtyar (July 12, 2008, 08:41 AM)
--- End quote ---
It's a good idea, but probably not implemented/enforced in the best way possible... especially because it's not really attainable for hobbyist developers.
-f0dder (July 12, 2008, 10:10 AM)
--- End quote ---
You can hardly give them credit for the idea...authors were attempting to package signatures with their works for a very long time before Microsoft waddled along with their "code signing". It's a bit of a slap in the face to most developers IMO, especially when Microsoft already had SSL/MIME certs at their fingertips, and chose to completely ignore them in favor of charging developers exorbitant amounts of money for something they're already capable of doing in a slightly-less-integrated manner.

Ehtyar.

f0dder:
Random companies signing their stuff in random ways = no level of trust.

That you have to go through Microsoft to get code signing means not just everybody can do it, and gives the certs some degree of trust. After all, if anybody could self-sign their executables, what would stop me from making über-evil malware and making the cert look like it came from Macromedia? :)

Ehtyar:
Random companies signing their stuff in random ways = no level of trust.

That you have to go through Microsoft to get code signing means not just everybody can do it, and gives the certs some degree of trust. After all, if anybody could self-sign their executables, what would stop me from making über-evil malware and making the cert look like it came from Macromedia? :)
-f0dder (July 12, 2008, 06:57 PM)
--- End quote ---
It's called a certificate authority, and they've been doing what Microsoft took upon themselves and charged through the nose for, for quite some time. They also provided the infrastructure, already available in Windows as Microsoft so....generously....provide their users with Internet Explorer. As far as I'm concerned, Microsoft will never be the knight in shining armor in this case.

Ehtyar.

f0dder:
I don't really have faith in the CAs... iirc there were some postings about just how easy it is to do a little social engineering and get certs you really shouldn't have.

Ehtyar:
I don't really have faith in the CAs... iirc there were some postings about just how easy it is to do a little social engineering and get certs you really shouldn't have.
-f0dder (July 12, 2008, 07:11 PM)
--- End quote ---
And I'm sure Microsoft, having been in the CA role for all of...what, two years?...are completely invulnerable to any such thing. It's all well and good to play Devil's Advocate, but I think you're clutching at straws here f0d man.

Ehtyar.
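
The trust-anchor point debated in this thread (a self-signed certificate made to look like another publisher's versus one issued by an authority), as an added example that is not part of any post above: two certificates with the same subject name are checked against one root, and only the issued one chains to it. It assumes the openssl command-line tool with its default configuration; "Demo Root CA" and "Example Publisher" are constructed names, and all keys and certificates are generated locally.

```shell
#!/bin/sh
# Added illustration: all names, keys and certificates are constructed locally.
# Assumes the openssl command-line tool and its default config are installed.

make_pki() {   # $1 = empty working directory
    # 1. A demo root CA, standing in for the authority the verifier trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null || return 1
    # 2. A publisher certificate issued (signed) by that root.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example Publisher/CN=Example Publisher" \
        -keyout "$1/pub.key" -out "$1/pub.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/pub.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/pub.pem" 2>/dev/null || return 1
    # 3. A self-signed certificate carrying exactly the same subject name.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Publisher/CN=Example Publisher" \
        -keyout "$1/selfsigned.key" -out "$1/selfsigned.pem" 2>/dev/null || return 1
}

subject_of() {   # $1 = certificate; prints the name a user would be shown
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}

chain_status() {   # $1 = trusted root, $2 = certificate to check
    # The decision rests on the signature chain, never on the subject text.
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    make_pki "$dir" || { rm -rf "$dir"; return 1; }
    for c in pub selfsigned; do
        printf '%-11s %s -> %s\n' "$c" "$(subject_of "$dir/$c.pem")" \
            "$(chain_status "$dir/root.pem" "$dir/$c.pem")"
    done
    rm -rf "$dir"
}

demo
```

Both certificates display the same subject; a verifier that shows the publisher name without first validating the chain to a root it trusts cannot tell them apart.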
