Signing an executable

Hendrik Schober - 04 May 2006 10:03 GMT
Hi,

we have the requirement to sign an executable in order
to be Vista-approved (whatever the official term is).
Consider me a complete newbie in this. I haven't even
seen Vista yet.

How do I start? What do I need to do?

Schobi

Signature

SpamTrap@gmx.de is never read
I'm Schobi at suespammers dot org

"The sarcasm is mightier than the sword."
Eric Jarvis

Zack Whittaker - 04 May 2006 10:30 GMT
It doesn't need to be "Vista" approved, just "approved" :o) If you go to
Verisign or somewhere and obtain a certificate for your application, this
verifies where the file actually came from and replaces the "Unknown author"
in the setup which usually makes the user a bit wary about installing it.

If you have a name or a software vendor on there, it looks genuine :o)

Signature

Zack Whittaker
» ZackNET Enterprises: www.zacknet.co.uk
» MSBlog on ResDev: www.msblog.org
» Vista Knowledge Base: www.vistabase.co.uk
» This mailing is provided "as is" with no warranties, and confers no
rights. All opinions expressed are those of myself unless stated so, and not
of my employer, best friend, Ghandi, my mother or my cat. Glad we cleared
that up!

        --: Original message follows :--

> Hi,
>
[quoted text clipped - 6 lines]
>
> Schobi

Pierre Szwarc - 04 May 2006 14:24 GMT
For .Net executables, you can have Visual Studio generate a digital
signature. Although it's not publicly registered with a reputable
Certification Authority, (which costs a bundle), it should be enough.
Signature

Pierre Szwarc
Paris, France
PGP key ID 0x75B5779B
------------------------------------------------
Multitasking: Reading in the bathroom !
------------------------------------------------

| Hi,
|
[quoted text clipped - 6 lines]
|
| Schobi

Puppy Breath - 04 May 2006 15:21 GMT
Hmm, pardon my ignorance and I don't mean to sound smarmy. But isn't the
idea of signing supposed to be to provide some authentication,
accountability and nonrepudiation in terms of who wrote the code? If anyone
can just sign an executable however they want, what's the point of signing?
What would prevent someone from creating a tainted version of an app and
signing it as though it were the original app?

> For .Net executables, you can have Visual Studio generate a digital
> signature. Although it's not publicly registered with a reputable
[quoted text clipped - 9 lines]
> |
> | Schobi

Pierre Szwarc - 04 May 2006 17:22 GMT
You're quite correct, of course. However, once you've installed a signed
app, even if it's not certified, a modified one with a different digital
certificate will be detected.
Signature

Pierre Szwarc
Paris, France
PGP key ID 0x75B5779B
------------------------------------------------
Multitasking: Reading in the bathroom !
------------------------------------------------

| Hmm, pardon my ignorance and I don't mean to sound smarmy. But isn't the
| idea of signing supposed to be to provide some authentication,
| accountability and nonrepudiation in terms of who wrote the code? If anyone
| can just sign an executable however they want, what's the point of signing?
| What would prevent someone from creating a tainted version of an app and
| signing it as though it were the original app?

Puppy Breath - 04 May 2006 17:54 GMT
So on the initial installation would the user see something like "Publisher
can't be verified"? And then what would happen on a subsequent attempt to
replace or change it?

> You're quite correct, of course. However, once you've installed a signed
> app, even if it's not certified, a modified one with a different digital
[quoted text clipped - 7 lines]
> | What would prevent someone from creating a tainted version of an app and
> | signing it as though it were the original app?

Pierre Szwarc - 04 May 2006 20:15 GMT
That's about it. AFAIK, if the digital certificate's signature is different
from the original installation's, you'd get a message to that effect, which
should alert you to possible hanky-panky.
Signature

Pierre Szwarc
Paris, France
PGP key ID 0x75B5779B
------------------------------------------------
Multitasking: Reading in the bathroom !
------------------------------------------------

| So on the initial installation would the user see something like "Publisher
| can't be verified"? And then what would happen on a subsequent attempt to
| replace or change it?
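
Added example, not part of any post in this thread: a PowerShell function that separates the two questions raised above, whether the signature chains to a trusted CA and whether the signer is the same one seen at first install. The function name `Test-SignerPin` and the pin-store path are assumptions made for this illustration.

```powershell
# Added example: trust-on-first-use pinning of an executable's Authenticode signer.
# Test-SignerPin and the pin-store location are hypothetical names.
function Test-SignerPin {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $PinStore = "$env:LOCALAPPDATA\signer-pins.json"  # hypothetical location
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # No signer certificate (unsigned or unsupported file), or the file was
    # altered after signing: nothing to pin, reject outright.
    if ($null -eq $sig.SignerCertificate -or $sig.Status -eq 'HashMismatch') {
        return "REJECT: $($sig.Status)"
    }

    # 'Valid' means the chain ends in a root this machine trusts. A self-signed
    # or otherwise untrusted certificate produces a different status.
    $trusted = $sig.Status -eq 'Valid'
    $thumb   = $sig.SignerCertificate.Thumbprint

    # Load existing pins (file name -> signer thumbprint).
    $pins = @{}
    if (Test-Path $PinStore) {
        (Get-Content $PinStore -Raw | ConvertFrom-Json).PSObject.Properties |
            ForEach-Object { $pins[$_.Name] = $_.Value }
    }

    $key = (Split-Path $Path -Leaf).ToLowerInvariant()
    if (-not $pins.ContainsKey($key)) {
        # First time this file name is seen: record the signer.
        $pins[$key] = $thumb
        $pins | ConvertTo-Json | Set-Content $PinStore
        return "PINNED: $($sig.SignerCertificate.Subject) (CA-trusted: $trusted)"
    }
    if ($pins[$key] -ne $thumb) {
        # Same file name, different signing certificate than at first install.
        return "ALERT: signer changed from $($pins[$key]) to $thumb"
    }
    return "OK: signer matches pin (CA-trusted: $trusted)"
}
```

A thumbprint pin also fires when a publisher renews its certificate, so an alert calls for checking the new certificate's subject and issuer before the pin is updated.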

Josh - 09 May 2006 19:09 GMT
All a certificate buys you is that you know "who" the exe came from...there
is a trail. Lots of "ware" has used signing to bypass security even when
they are less than reputable.  I don't trust certs anymore...

Josh

> That's about it. AFAIK, if the digital certificate's signature is
> different
[quoted text clipped - 6 lines]
> to
> | replace or change it?

Pierre Szwarc - 09 May 2006 21:35 GMT
Which kind of defeats the whole purpose of digital signatures, doesn't it?
;))
Signature

Pierre Szwarc
Paris, France
PGP key ID 0x75B5779B
------------------------------------------------
Multitasking: Reading in the bathroom !
------------------------------------------------

[snip]
| I don't trust certs anymore...

Hendrik Schober - 05 May 2006 09:22 GMT
> Hi,
>
[quoted text clipped - 4 lines]
>
> How do I start? What do I need to do?

 Thank you everyone for commenting on this.
 It seems we'll buy a VeriSign ID and sign
 using this.

 Schobi

Signature

SpamTrap@gmx.de is never read
I'm Schobi at suespammers dot org

"The sarcasm is mightier than the sword."
Eric Jarvis
