I am using a standard (i.e. not EV) Authenticode code signing certificate to sign a Windows desktop application in the hope that Smartscreen Filter will eventually stop blocking it.
I was hoping to certify the application but since my code signing certificate was issued by GoDaddy it appears that I can't do that since you need a certificate from Symantec, Entrust, GlobalSign, WoSign or Digicert in order to create a Windows Certification Dashboard account (the first step in the certification process).
So here's my question: Will my non-certified Windows application signed with a standard GoDaddy SHA-2 code signing certificate still accumulate reputation?
According to these article, most likely yes, but you need to check details in your certificate
https://social.technet.microsoft.com/wiki/contents/articles/51151.microsoft-trusted-root-certificate-program-participants-as-of-january-30-2018.aspx
Related
I have coded an NWjs Windows application (Chromium application) and using Inno Setup, I have signed it using a self-signed certificate. However, I get the "Windows protected your PC" message when trying to install it from the web. I wonder now if signing my application with this self-signed certificate is useless because I get the same result when I don't sign the application and package it as it is.
When I click "more info" it states that the publisher is unknown in both cases when I sign the application with a self-signed certificate and without a self-signed certificate.
I wonder if after sometimes, the data (like the CN of the subject) of the certificate helps to get some reputation when the application is distributed on the internet. I wonder if a self signed certificate help to get rid of the "Windows protected your PC" message after sometimes.
Self-signed certificates are useful only, if can make them trusted on the target machine, by deploying them to Windows certificate store, before installation.
If you want your application to be installed on machines that you do not control, self-signed certificates are useless.
I wonder if a self signed certificate help to get rid of the "Windows protected your PC" message after sometimes.
No. Since everyone can generate a certificate himself, Windows cannot trust all of them and therefore cannot remove the message.
However, it can still be a good idea to sign an executable with your own certificate, if you publish the public key and provide it for people to check whether or not the executable was indeed provided by you. It will be useful for people with some IT or security knowledge.
In 2014, I bought a class two code signing certificate from StartSSL which I used to digitally sign my binaries. This certificate has just expired and I actually am in the process of trying to get a new one. However, in an unrelated incident, I ran one of my signed setup programs in a VM and was somewhat ... annoyed ... when Windows brought up the "Unverified Publisher" variant of the UAC dialog.
When I view the digital signature properties I see this:
Of course the certificate has expired, but why is the file (that was signed within the validity period) suddenly unverified? I haven't seen this happen with other software, for example if I look at an old signed copy of Office 2003 setup, that doesn't complain about an invalid signature and that validaty period expired a decade ago.
Why is this? Frankly I'm now wondering what the the point of buying the certificate in the first place was and seriously considering cancelling the in-process replacement. Seems kind of pointless when they invalidate themselves. Or is this the different between class 2 and 3? (Class 3 is the version I'm trying to get hold of now)
This is apparently a by-design limitation on some code-signing certificates, as described in the first footnote to Microsoft's blog post, Everything you need to know about Authenticode Code Signing:
Not all publisher certificates are enabled to permit timestamping to provide indefinite lifetime. If the publisher’s signing certificate contains the lifetime signer OID (OID_KP_LIFETIME_SIGNING 1.3.6.1.4.1.311.10.3.13), the signature becomes invalid when the publisher’s signing certificate expires, even if the signature is timestamped. This is to free a Certificate Authority from the burden of maintaining Revocation lists (CRL, OCSP) in perpetuity.
You may wish to check whether the replacement certificate will have the same limitation, and perhaps consider an alternative vendor.
For my Windows-based application, I would like to use ClickOnce as the deployment technology. My application will be distributed via the Internet.
In the article ClickOnce and Authenticode, I read that:
For ClickOnce applications, you must have an Authenticode certificate
that is valid for code signing. You can obtain a certificate for code
signing in one of three ways:
Purchase one from a certificate vendor.
Receive one from a group in your organization responsible for creating
digital certificates.
Generate your own certificate with MakeCert.exe, which is included
with the Windows Software Development Kit (SDK).
In my case, number 2 is not applicable.
As I read a few rows later:
By default, ClickOnce applications signed with self-certs and deployed
over the Internet cannot utilize Trusted Application Deployment.
(Emphasis mine.)
I cannot understand the meaning of this by default. Is the option #3 possible or not in my case?
And then, to understand all the possibilities, what does the #1 imply ? ("Purchase one from a certificate vendor") What kind of certificate should I buy? Which certificate authority can be recommended? Depending on what I should choose? How much does a certificate cost?
It must be a "Microsoft Authenticode Certificate". It allows us to sign all kinds of Windows executables and code, including .exe, .cab, .dll, .ocx, and .xpi files.
It is not mandatory to sign an application, but if we do it our users won’t see a warning message stating that the author of the software is unknown.
Microsoft Authenticode Certificates need to be issued by a trusted certificate authority. Unfortunately, the prices are quite expensive. More information and some examples
are on page Microsoft Authenticode Certificates.
UPDATE I purchased the certificate through KSoftware, which is a Comodo retailer. The price is quite good compared to alternatives: $95/year. The process is faster than I expected: I applied in the morning and in the evening my certificate was already available. (For those interested, I followed this step-by-step guide.)
See my answer to Stack Overflow question How to sign a ClickOnce application.
I would definitely suggest getting a proper code-signing certificate - your application install screen will look much nicer in this case.
StartCom CA is closed since Jan. 1st, 2018 I got my code-signing certificate from http://startssl.com - and it was $100 or so in total (and you get wild-card domain certificate for your website as well as a bonus).
It's much cheaper than going with VeriSign or TrustWave.
I made my own CA for Authenticode to be used by third party developers for an application I'm writing. I want to make sure that I can revoke certificates, and am testing the CRL behavior of my CA and chain.
For some reason Windows cannot find the CRL even though I can get it with my browser.
A signed exe is here:
http://www.rhino3d.com/developer/authenticode/RmaBrowser.t3.exe
The CRL pointed to by this EXE is at
http://www.rhino3d.com/developer/authenticode/mcneel.crl (corrected typo, this was incorrectly mcneel.exe when I first asked the question)
But when I:
Right-click the EXE in Windows
click Properties
Digital Signatures
Details
View Certificate
Details
I see "Extended Error Information: Revocation Status : The revocation function was unable to check revocation because the revocation server was offline."
How would I sign a Visual C# executable?
SignTool.exe can't find a certificate.
How would I create a self signed key and certificate, and have signtool be able to see the certificate and use it?
OpenSSL and Visual Studio 2010 Express are installed. Running Windows 7 Ultimate x64.
Using SignTool.exe from Windows Driver Kit.
Using self-signed certificates for digitally signing your binaries pretty much goes against the concept of using digital certificates with programs. The basic idea is to prove the code was created by you (authenticity) and has not been modified since you released it (integrity). This must be done by using a signed certificate that is signed by a trusted Certificate Authority (CA).
With .Net, when a binary is digitally signed, it is automatically verified for integrity and authenticity during startup. While I have not personally tested this, using a self-signed certificate is probably going to cause you a great deal of problems.
If you want to digitally sign your programs, you need to invest in a code signing certificate from a CA. There are a number of companies out there that can provide this service (Verisign, Thawte), for a fee.
While the fee might seem a bit extreme in price, remember that you are not just purchasing a digital certificate but also 24/7 validation of that certificate. Any time someone starts your program it will ensure the program was written by you and that the program has not been changed since you released it.
Once you have a certificate, you can digitally sign your program by following the steps in How to: Sign Application and Deployment Manifests.
Update: If this program is strictly an internal application (limited to you or your business), you can created your own CA. Since you would be the only one running it, only you would need to validate it. The CA certificate would need to be installed as a Trusted Root Certificate on all the machines that would run the program (or if you have access to Windows Server, you could set up a real working CA).