Signing an executable

Discussion in 'Windows Vista Security' started by Hendrik Schober, May 4, 2006.

  1. Hi,

    we have the requirement to sign an executable in order
    to ba Vista-approved (whatever the official term is).
    Consider me a complete newbie in this. I haven't even
    sen Vista yet.

    How do I start? What do I need to do?

    Schobi

    --
    is never read
    I'm Schobi at suespammers dot org

    "The sarcasm is mightier than the sword."
    Eric Jarvis
     
    Hendrik Schober, May 4, 2006
    #1
    1. Advertisements

  2. It doesn't need to be "Vista" approved, just "approved" :eek:) If you go to
    Verisign or somewhere and obtain a certificate for your application, this
    verifies where the file actually came from and replaces the "Unknown author"
    in the setup which usually makes the user a bit weary about installing it.

    If you have a name or a software vendor on there, it looks genuine :eek:)

    --
    Zack Whittaker
    » ZackNET Enterprises: www.zacknet.co.uk
    » MSBlog on ResDev: www.msblog.org
    » Vista Knowledge Base: www.vistabase.co.uk
    » This mailing is provided "as is" with no warranties, and confers no
    rights. All opinions expressed are those of myself unless stated so, and not
    of my employer, best friend, Ghandi, my mother or my cat. Glad we cleared
    that up!

    --: Original message follows :--
     
    Zack Whittaker, May 4, 2006
    #2
    1. Advertisements

  3. For .Net executables, you can have Visual Studio generate a digital
    signature. Although it's not publicly registered with a reputable
    Certification Authority, (which costs a bundle), it should be enough.
    --
    Pierre Szwarc
    Paris, France
    PGP key ID 0x75B5779B
    ------------------------------------------------
    Multitasking: Reading in the bathroom !
    ------------------------------------------------

    "Hendrik Schober" <> a écrit dans le message de ...
    | Hi,
    |
    | we have the requirement to sign an executable in order
    | to ba Vista-approved (whatever the official term is).
    | Consider me a complete newbie in this. I haven't even
    | sen Vista yet.
    |
    | How do I start? What do I need to do?
    |
    | Schobi
     
    Pierre Szwarc, May 4, 2006
    #3
  4. Hendrik Schober

    Puppy Breath Guest

    Hmm, pardon my ignorance and I don't mean to sound smarmy. But isn't the
    idea of signing supposed to be to provide some authentication,
    accountability and nonrepudiation in terms of who wrote the code? If anyone
    can just sign an executable however they want, what's the point of signing?
    What would prevent someone from creating a tainted version of an app and
    signing it as though it were the original app?
     
    Puppy Breath, May 4, 2006
    #4
  5. You're quite correct, of course. However, once you've installed a signed
    app, even if it's not certified, a modified one with a different digital
    certificate will be detected.
    --
    Pierre Szwarc
    Paris, France
    PGP key ID 0x75B5779B
    ------------------------------------------------
    Multitasking: Reading in the bathroom !
    ------------------------------------------------

    "Puppy Breath" <> a écrit dans le message de ...
    | Hmm, pardon my ignorance and I don't mean to sound smarmy. But isn't the
    | idea of signing supposed to be to provide some authentication,
    | accountability and nonrepudiation in terms of who wrote the code? If
    anyone
    | can just sign an executable however they want, what's the point of
    signing?
    | What would prevent someone from creating a tainted version of an app and
    | signing it as though it were the original app?
     
    Pierre Szwarc, May 4, 2006
    #5
  6. Hendrik Schober

    Puppy Breath Guest

    So on the initial installation would the user see something like "Publisher
    can't be verified"? And then what would happen on a subsequent attempt to
    replace or change it?
     
    Puppy Breath, May 4, 2006
    #6
  7. That's about it. AFAIK, if the digital certificate's signature is different
    from the original installation's, you'd get a message to that effect, which
    should alert you to possible hanky-panky.
    --
    Pierre Szwarc
    Paris, France
    PGP key ID 0x75B5779B
    ------------------------------------------------
    Multitasking: Reading in the bathroom !
    ------------------------------------------------

    "Puppy Breath" <> a écrit dans le message de ...
    | So on the initial installation would the user see something like
    "Publisher
    | can't be verified"? And then what would happen on a subsequent attempt to
    | replace or change it?
     
    Pierre Szwarc, May 4, 2006
    #7
  8. Thank you everyone for commenting on this.
    It seems we'll buy a VeriSign ID and sign
    using this.

    Schobi

    --
    is never read
    I'm Schobi at suespammers dot org

    "The sarcasm is mightier than the sword."
    Eric Jarvis
     
    Hendrik Schober, May 5, 2006
    #8
  9. Hendrik Schober

    Josh Guest

    All a certificate buys you is that you know "who" the exe came from...there
    is a trail. Lots of "ware" has used signing to bypass security even when
    they are less than reputable. I don't trust certs anymore...


    Josh
     
    Josh, May 9, 2006
    #9
  10. Which kind of defeats the whole purpose of digital signatures, doesn't it?
    ;))
    --
    Pierre Szwarc
    Paris, France
    PGP key ID 0x75B5779B
    ------------------------------------------------
    Multitasking: Reading in the bathroom !
    ------------------------------------------------

    "Josh" <> a écrit dans le message de ...
    [snip]
    | I don't trust certs anymore...
    |
     
    Pierre Szwarc, May 9, 2006
    #10
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.