
Digitally Signing Software - self-signing certificate

August 17

I'd like to experiment with signing a software executable. I am afraid that there is something that escapes me.

I will get to the point where I will acquire a certificate from a CA, but before then I would like to know what I am doing, so I did a test:

I created a self-signed certificate:

makecert -r -ss myPrivateCert -sk c:\test -n "CN=My Company Inc." testCert.cer 

then signed an executable:

signtool sign /v /s myPrivateCert /n "My Company Inc." /t http://timestamp.verisign.com/scripts/timstamp.dll c:\folder\my_installer.exe 

For both commands, I got success.

Step 3: "Install the Test Certificate": http://msdn.microsoft.com/en-us/library/bb756995

Success.

(Note: in the folder c:\test, I placed certificates downloaded from Microsoft's suggested cross-certificate list, like VeriSign Class 3 Public Primary Certification Authority - G5.cer - I'm just guessing that I was supposed to do that.)

I ran certmgr c:\folder\my_installer.exe

and I got a list of the 3 certificates I had added, with Subject, Issuer, Serial Number... (from My Company Inc. and Verisign), so apparently everything is good.

Even after that, if I double click the installer (or the executable), I get the UAC message about Unknown publisher...

So what else do I need to do to have that box either disappear or say "My Company Inc." for producer? And that is only for the local machine, doing everything by hand...

For testing for real, I am assuming that my client is a VirtualBox environment... so? The next step: move the installer into a VirtualBox and run it?

But how do I tell the client about the key or certificate or whatever? Do I copy the cer file along with the exe? Do I have to put it in a special place? Do I copy any other files? Do I have to run mmc again? Will users have to do something like that? Because it seems exceedingly complicated, from a user perspective... This is very confusing...

I am assuming that, if I purchase a real certificate from Verisign for example, it would authenticate over the web and I would not have to do anything else (except the two commands above, minus the -r)?

I have found lots of directions about this on the web, but each left me as confused as when I started - perhaps they each had assumptions of some prior knowledge...

Answers

It doesn't "authenticate over the web" (other than, perhaps, checking the Certificate Revocation List (CRL)) -- the root CAs are hard-wired into the operating system and installed either by Windows Update or by the OS install disk. In other words they are a set of static data on the hard drive that is not (easily) modifiable.

The way you get the annoying box to go away is to either:

  • Trust your snakeoil signing CA (generally a bad idea, but it'll work); or
  • Get it signed by a publicly-trusted official root CA or one of their intermediates.

You cited Verisign. Good. They are one of several possible providers for giving you a code-signing certificate. The box is still appearing because, AFAIK, Windows is programmed to automatically pop up the warning for all self-signed certs. If you were to try and generate a CSR based on your own created root CA, you could get the box to disappear by trusting your root CA, and that would work. But then you'd have to get your clients to trust your root CA, which defeats the purpose in most situations. Hence the public trust network is the easiest path. The vendor usually even gives you explicit instructions on how to use their service and how to sign your code.
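The round trip the answer describes (sign with a self-signed certificate, see the untrusted-root status, trust the public half of the certificate on the test machine, verify again) as an added example that is not part of the question or the answer above. It uses the PowerShell cmdlets that replaced makecert on current Windows versions rather than makecert/signtool. The subject name, scratch folder, store paths and timestamp server URL are assumptions, and the file being signed is a constructed test script so the example runs without an installer; an .exe or .msi is signed and verified the same way.

```powershell
# Added example, not from the original page. Assumptions: the subject,
# scratch folder and timestamp server below are illustrative; the signed
# file is a constructed .ps1 standing in for my_installer.exe. Run from an
# elevated prompt: importing into LocalMachine\Root needs admin rights.

$Subject   = "CN=My Company Inc."                 # assumed subject name
$OutDir    = Join-Path $env:TEMP "codesign-demo"  # assumed scratch folder
$Timestamp = "http://timestamp.digicert.com"      # assumed RFC 3161 TSA
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# 1. Self-signed code-signing certificate. The private key stays in the
#    current user's personal store; the exported .cer is the public half only.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject $Subject `
    -CertStoreLocation Cert:\CurrentUser\My `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1)
$cerPath = Join-Path $OutDir "MyCompany.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# 2. Constructed file to sign (stand-in for the installer).
$target = Join-Path $OutDir "my_installer.ps1"
Set-Content -Path $target -Value 'Write-Host "installer payload"'

# 3. Sign with a timestamp, so the signature stays valid after the
#    certificate itself expires.
$sig = Set-AuthenticodeSignature -FilePath $target -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $Timestamp
"Before trusting the root: $($sig.Status) - $($sig.StatusMessage)"
# Expected: a status other than Valid, because the chain ends in a root
# that is not in the machine's trusted root store. That is exactly the
# condition behind the 'Unknown publisher' UAC dialog for the .exe.

# 4. What the test client has to do: install ONLY the .cer (public part)
#    as a trusted root. The private key is never copied anywhere. This is
#    the manual step a CA-issued certificate removes, because the CA's
#    root is already shipped with Windows.
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 5. Verify again: the chain now terminates in a trusted root.
$verified = Get-AuthenticodeSignature -FilePath $target
"After trusting the root: $($verified.Status)"
"Signer:          $($verified.SignerCertificate.Subject)"
"Timestamped by:  $($verified.TimeStamperCertificate.Subject)"

# Remove the test root when finished. While it is present, anything signed
# with a copy of that private key is trusted on this machine:
# Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -eq $Subject | Remove-Item
```

For a real installer the same check is `signtool verify /pa /v c:\folder\my_installer.exe`, which applies the Authenticode policy the UAC prompt uses and prints the chain it built. If the timestamp server is unreachable the signing step fails rather than silently producing an untimestamped signature, which is the behaviour you want for a release build. Importing your own root into every client's LocalMachine\Root is the "trust your snakeoil CA" option from the answer: workable inside a lab or a domain you control (Group Policy can push the .cer), but a publicly trusted code-signing certificate is the only option that needs nothing from the end user.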

