shahine.com/omar/

Thursday, December 06, 2007

« Windows Mobile 6 Windows Update | Main | HP MediaSmart Processor »

Authenticode Signing

Frankly, I've been embarrassed for years that all my little freeware applications display a scary security warning when anyone installs them. This is because they are not authenticode signed.

I never bothered to go get a certificate to do so cause they cost about $200 a year. Well I have enough people downloading (and donating!) Send to SmugMug that I finally thought it was time to do something about this. The SmugMug folks have been kind enough to feature my downloader on their page for over a year now so I figured it was high time to stop scaring people.

Well Eric Lawrence (creator of Fiddler and SlickRun) clued me in to Tuows who offers Authenticode Digital Signatures for about $80 a year. So I bit the bullet. The process of getting a cert and signing your msi is pretty easy:

Create an account at Tucows
Buy a Cert
Email them your Drivers License
Download the Cert
Export your certificate from the machine and store in a safe place
Grab signtool.exe from the .NET 2.0 SDK
Sign your binary using the certificate from step 4

Voila.

The nice thing about a Certificate is now I can sign anything I distribute including Excel Spreadsheets with Macros to prevent them from working properly.

So if you are a freeware author, for $80 bucks a year you can save your users some grief.

I used the following tutorial to help out.

.NET | Software

Posted Friday, December 07, 2007 Permalink Comments [3] View blog reactions

Related posts:
Will Apple Go .NET?
GotDotNet Sample: Shell Path Name Convert
Refactoring code in Visual Studio.NET
Modify TextBox Control Tab Stops
Changing the tab stop in a textbox
Tablet PCs improve employee productivity at Microsoft

Friday, December 07, 2007 8:53:34 AM (Pacific Standard Time, UTC-08:00)

What does it take to get a cert revoked?
What kind of notification would the user get if the cert were revoked?

That is, a malware author could get a cert. After some damage has been done or identities stolen, etc, how does the signing process help people who come across his malware installer?

sean

Friday, December 07, 2007 10:10:48 PM (Pacific Standard Time, UTC-08:00)

A cert gets revoked the same way any cert gets revoked. The Certificate Authority publishes the certificate ID in ther Certificate Revocation List (CRL). Web browsers and operating systems are responsible for checking the CRL and alerting the user tha the certificate is invalid.

Omar Shahine

Tuesday, April 08, 2008 5:31:39 PM (Pacific Standard Time, UTC-08:00)

Hi Omar. I'm a shareware author like yourself and I have been thinking about getting a code signing cert myself for the reasons you mention. However, I couldn't find a great deal of information on the Tucows cert.

Thanks for outlining the process, that sheds a bit of light on things, but I am still wondering:

What string gets shown as the "Publisher" for a signed piece of software, and to what degree are you allowed to customize this/what are your options?

I am not a corporation, but I do have a sole proprietorship business registered under the name "The Little Software Company", and that is what I would like to show up as the publisher.

Is that going to be possible, or am I only allowed to use my personal name or something (which would kinda suck).

Thanks for the informative post.

Logan

Name
E-mail	(will show your gravatar icon)
Home page

	Remember Me
Comment (Some html is allowed: `a@href@title, b, blockquote@cite, em, i, strike, strong, sub, super, u`) where the @ means "attribute." For example, you can use <a href="" title=""> or <blockquote cite="Scott">.

Live Comment Preview

homepage | contact

Recent posts

Tags

Archives

About

Thursday, December 06, 2007

Authenticode Signing