shahine.com/omar/

Twitter

About

Me: I live in Silicon Valley with my wife, child and cat. I have worked at Microsoft since I graduated from College, both in the Macintosh Business Unit on products such as Outlook Express, Entourage, IE, and Virtual PC and in Windows Live on Hotmail, Calendar and People. I am currently a Principal Lead Program Manager on the Windows Live Social Networking team. I basically manage a team of Program Managers responsible for delivering features to support our web and client applications. I've been blogging since 2001 and like to play around with .NET in my spare time working on projects such as dasBlog (the blog that powers this site) and Send to SmugMug (an application for uploading photos to SmugMug). I blog about a number of technology and productivity related topics.

Total Posts: 1168
This Year: 15
This Month: 0
This Week: 0
Comments: 3700

Disclaimer
The posts on this weblog are provided "AS IS" with no warranties, and confer no rights. The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

E-mail

Thursday, December 06, 2007

« Windows Mobile 6 Windows Update | Main | HP MediaSmart Processor »

Authenticode Signing

Frankly, I've been embarrassed for years that all my little freeware applications display a scary security warning when anyone installs them. This is because they are not authenticode signed.

I never bothered to go get a certificate to do so cause they cost about $200 a year. Well I have enough people downloading (and donating!) Send to SmugMug that I finally thought it was time to do something about this. The SmugMug folks have been kind enough to feature my downloader on their page for over a year now so I figured it was high time to stop scaring people.

Well Eric Lawrence (creator of Fiddler and SlickRun) clued me in to Tuows who offers Authenticode Digital Signatures for about $80 a year. So I bit the bullet. The process of getting a cert and signing your msi is pretty easy:

Create an account at Tucows
Buy a Cert
Email them your Drivers License
Download the Cert
Export your certificate from the machine and store in a safe place
Grab signtool.exe from the .NET 2.0 SDK
Sign your binary using the certificate from step 4

Voila.

The nice thing about a Certificate is now I can sign anything I distribute including Excel Spreadsheets with Macros to prevent them from working properly.

So if you are a freeware author, for $80 bucks a year you can save your users some grief.

I used the following tutorial to help out.

.NET | Software

Posted Friday, December 07, 2007 Permalink Comments [4] View blog reactions

Related posts:
Will Apple Go .NET?
GotDotNet Sample: Shell Path Name Convert
Refactoring code in Visual Studio.NET
Modify TextBox Control Tab Stops
Changing the tab stop in a textbox
Tablet PCs improve employee productivity at Microsoft

Friday, December 07, 2007 8:53:34 AM (Pacific Standard Time, UTC-08:00)

What does it take to get a cert revoked?
What kind of notification would the user get if the cert were revoked?

That is, a malware author could get a cert. After some damage has been done or identities stolen, etc, how does the signing process help people who come across his malware installer?

sean

Friday, December 07, 2007 10:10:48 PM (Pacific Standard Time, UTC-08:00)

A cert gets revoked the same way any cert gets revoked. The Certificate Authority publishes the certificate ID in ther Certificate Revocation List (CRL). Web browsers and operating systems are responsible for checking the CRL and alerting the user tha the certificate is invalid.

Omar Shahine

Tuesday, April 08, 2008 6:31:39 PM (Pacific Daylight Time, UTC-07:00)

Hi Omar. I'm a shareware author like yourself and I have been thinking about getting a code signing cert myself for the reasons you mention. However, I couldn't find a great deal of information on the Tucows cert.

Thanks for outlining the process, that sheds a bit of light on things, but I am still wondering:

What string gets shown as the "Publisher" for a signed piece of software, and to what degree are you allowed to customize this/what are your options?

I am not a corporation, but I do have a sole proprietorship business registered under the name "The Little Software Company", and that is what I would like to show up as the publisher.

Is that going to be possible, or am I only allowed to use my personal name or something (which would kinda suck).

Thanks for the informative post.

Logan

Friday, September 12, 2008 8:37:32 AM (Pacific Daylight Time, UTC-07:00)

Pinging back from http://www.dougv.com/blog/2008/09/12/my-experience-getting-a-code-signing-certificate-from-comodo/, where I describe my experience getting a Comodo cert via Tucows. Thanks for the heads-up on this!

https://me.yahoo.com/a/3_mI3lt93Ib7ZYD_yB35dhfX

OpenID
Please login with either your OpenID above, or your details below.

Name
E-mail	(will show your gravatar icon)
Home page

	Remember Me
Comment (Some html is allowed: `a@href@title, b, blockquote@cite, em, i, strike, strong, sub, super, u`) where the @ means "attribute." For example, you can use <a href="" title=""> or <blockquote cite="Scott">.
Enter the code shown (prevents robots):
Live Comment Preview

homepage | contact

Twitter

Recent posts

Tags

About

Thursday, December 06, 2007

Authenticode Signing