Sign application with a certificate in ClickOnce deployment - windows

For my Windows-based application, I would like to use ClickOnce as the deployment technology. My application will be distributed via the Internet.
In the article ClickOnce and Authenticode, I read that:
For ClickOnce applications, you must have an Authenticode certificate that is valid for code signing. You can obtain a certificate for code signing in one of three ways:
1. Purchase one from a certificate vendor.
2. Receive one from a group in your organization responsible for creating digital certificates.
3. Generate your own certificate with MakeCert.exe, which is included with the Windows Software Development Kit (SDK).
In my case, number 2 is not applicable.
As I read a few rows later:
By default, ClickOnce applications signed with self-certs and deployed over the Internet cannot utilize Trusted Application Deployment.
(Emphasis mine.)
I cannot understand the meaning of this by default. Is the option #3 possible or not in my case?
And then, to understand all the possibilities, what does #1 imply? ("Purchase one from a certificate vendor") What kind of certificate should I buy? Which certificate authority can be recommended? On what should my choice depend? How much does a certificate cost?

It must be a "Microsoft Authenticode Certificate". It allows us to sign all kinds of Windows executables and code, including .exe, .cab, .dll, .ocx, and .xpi files.
It is not mandatory to sign an application, but if we do it our users won’t see a warning message stating that the author of the software is unknown.
Microsoft Authenticode Certificates need to be issued by a trusted certificate authority. Unfortunately, the prices are quite expensive. More information and some examples are on the page Microsoft Authenticode Certificates.
UPDATE: I purchased the certificate through KSoftware, which is a Comodo retailer. The price is quite good compared to alternatives: $95/year. The process is faster than I expected: I applied in the morning and in the evening my certificate was already available. (For those interested, I followed this step-by-step guide.)

See my answer to Stack Overflow question How to sign a ClickOnce application.
I would definitely suggest getting a proper code-signing certificate - your application install screen will look much nicer in this case.
(StartCom CA has been closed since Jan. 1st, 2018.) I got my code-signing certificate from http://startssl.com - and it was $100 or so in total (and you get a wild-card domain certificate for your website as a bonus as well).
It's much cheaper than going with VeriSign or TrustWave.

Related

Why does Windows state "Unverified Publisher" for signed executable with a subsequently expired certificate

In 2014, I bought a class two code signing certificate from StartSSL which I used to digitally sign my binaries. This certificate has just expired and I actually am in the process of trying to get a new one. However, in an unrelated incident, I ran one of my signed setup programs in a VM and was somewhat ... annoyed ... when Windows brought up the "Unverified Publisher" variant of the UAC dialog.
When I view the digital signature properties I see this:
Of course the certificate has expired, but why is the file (which was signed within the validity period) suddenly unverified? I haven't seen this happen with other software; for example, if I look at an old signed copy of Office 2003 setup, that doesn't complain about an invalid signature, and that validity period expired a decade ago.
Why is this? Frankly I'm now wondering what the point of buying the certificate in the first place was, and I am seriously considering cancelling the in-process replacement. It seems kind of pointless when they invalidate themselves. Or is this the difference between class 2 and 3? (Class 3 is the version I'm trying to get hold of now.)
This is apparently a by-design limitation on some code-signing certificates, as described in the first footnote to Microsoft's blog post, Everything you need to know about Authenticode Code Signing:
Not all publisher certificates are enabled to permit timestamping to provide indefinite lifetime. If the publisher’s signing certificate contains the lifetime signer OID (OID_KP_LIFETIME_SIGNING 1.3.6.1.4.1.311.10.3.13), the signature becomes invalid when the publisher’s signing certificate expires, even if the signature is timestamped. This is to free a Certificate Authority from the burden of maintaining Revocation lists (CRL, OCSP) in perpetuity.
You may wish to check whether the replacement certificate will have the same limitation, and perhaps consider an alternative vendor.
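The check suggested above can be automated. The following PowerShell script is an added example, not part of the original answer or of Microsoft's blog post: it reads the Authenticode signature of a file with Get-AuthenticodeSignature and reports whether the signature still validates, whether it carries a timestamp countersignature, and whether the signer certificate's Enhanced Key Usage contains the lifetime-signing OID quoted in the footnote. The file path is an assumption to replace with your own setup program.

```powershell
# Added example, not part of the original answer: inspect an Authenticode-signed file and report
# whether the signature still validates, whether it carries a timestamp countersignature, and
# whether the signer certificate has the lifetime-signing EKU the quoted footnote describes.
# $FilePath is an assumption; point it at the setup program you are checking.
$FilePath = 'C:\path\to\setup.exe'

$LifetimeSigningOid = '1.3.6.1.4.1.311.10.3.13'   # OID_KP_LIFETIME_SIGNING (from the quoted footnote)
$CodeSigningOid     = '1.3.6.1.5.5.7.3.3'         # id-kp-codeSigning, present on every code-signing certificate

$sig = Get-AuthenticodeSignature -FilePath $FilePath

if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
    Write-Output "Not Authenticode-signed: $($sig.StatusMessage)"
    return
}

$signer  = $sig.SignerCertificate
$ekus    = @($signer.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
$expired = $signer.NotAfter -lt (Get-Date)
$tsa     = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '(none)' }

[pscustomobject]@{
    File                  = $FilePath
    Status                = $sig.Status          # Valid, NotTrusted, UnknownError, ...
    StatusMessage         = $sig.StatusMessage
    Signer                = $signer.Subject
    SignerNotAfter        = $signer.NotAfter
    SignerExpired         = $expired
    TimestampAuthority    = $tsa
    HasCodeSigningEku     = $ekus -contains $CodeSigningOid
    HasLifetimeSigningEku = $ekus -contains $LifetimeSigningOid
} | Format-List

# Interpret the two situations that turn an old, once-valid signature into "Unverified Publisher".
if ($sig.Status -ne 'Valid' -and $expired) {
    if ($ekus -contains $LifetimeSigningOid) {
        Write-Output 'Signer certificate carries the lifetime-signing EKU: the signature expires with the certificate, timestamp or not.'
    } elseif (-not $sig.TimeStamperCertificate) {
        Write-Output 'Signature has no timestamp: Windows cannot establish that signing happened while the certificate was valid.'
    }
}
```

Run it in Windows PowerShell (Get-AuthenticodeSignature and the EnhancedKeyUsageList property are Windows-only). A result of HasLifetimeSigningEku = True on an expired signer explains the dialog even when a timestamp is present; TimestampAuthority = (none) on a certificate without that EKU points at a signing step that skipped the timestamp server instead.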

Create my own Authenticode root certificate and submit it to Microsoft

Scenario: I create my own root certificate for Authenticode (used to sign executable only). Easy. Unfortunately, it will only work on computers where I have installed the certificate!
So, I want to become an official CA (the root certificate will be present on all Windows machines in the world). As a bonus, I can sell this service to others :)
TL;DR: I want to become an official CA recognized by Microsoft for signing executables only (Authenticode, not SSL/TLS).
Questions: is it possible to submit one's root certificate to Microsoft so that they integrate it with Windows? What are the costs? Is it possible for an individual and/or small business?
Thank you in advance!

Code signing duration of validity

I am interested in buying a Microsoft Code Signing Certificate for a kernel mode driver.
My first question is: are VeriSign or GlobalSign certificates mandatory?
They are expensive and I have found another provider called DigiCert with only $178 for the first year.
Here is an old question on Stack Overflow:
Kernel mode code signing
And here is the link to the DigiCert page:
http://www.digicert.com/code-signing/driver-signing-in-windows-using-signtool.htm
My second question is how long the users will be able to run the application.
If the certificate expires, does it mean that the users will not be able to run the application, or only that I cannot compile and sign another executable, while the application will still run?
Thank you
Alex
DigiCert certificates can absolutely be used for kernel mode signing - VeriSign & GlobalSign aren't mandatory, but they may have been the only ones supported at the time of the linked post. DigiCert officially announced kernel mode signing capabilities in February (http://www.digicert.com/news/2012-02-28-kernel-mode-code-signing.htm).
For your second question - you won't be able to sign new trusted applications after the certificate expires, but users can continue running the application if it was timestamped when it was signed.
DigiCert's instructions on timestamping can be found at http://www.digicert.com/code-signing/signcode-signtool-command-line.htm.
In full disclosure, I'm the VP of Marketing at DigiCert. Saw this post come up and thought I could help :-). If you have any other questions, feel free to reach out to our support team 801-896-7973.
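The timestamping step the answer refers to is a single signtool option, but it is the one that decides whether users can still run the binary after the certificate expires. The PowerShell script below is an added example, not part of the original answer or of DigiCert's documentation: it signs an executable from a password-protected PFX, requests an RFC 3161 timestamp, and then refuses to consider the job done unless a timestamp countersignature is actually present. The file paths are assumptions; the timestamp URL is DigiCert's public RFC 3161 server.

```powershell
# Added example, not from the original answer or DigiCert's documentation: sign a binary from a PFX,
# attach an RFC 3161 timestamp, and verify that the timestamp is really there.
# $Exe and $Pfx are assumptions; replace them with your own paths.
$Exe     = 'C:\build\app.exe'
$Pfx     = 'C:\keys\codesign.pfx'
$PfxPass = Read-Host -AsSecureString 'PFX password'
$TsaUrl  = 'http://timestamp.digicert.com'   # DigiCert's public RFC 3161 timestamp server

# signtool.exe ships with the Windows SDK / WDK; put its directory on PATH or give the full path here.
$SignTool = 'signtool.exe'

# signtool /p needs the password in clear text; keep the plain copy alive only for that call.
$plain = [System.Net.NetworkCredential]::new('', $PfxPass).Password
try {
    # /fd: digest for the file hash; /tr + /td: RFC 3161 timestamp server and its digest algorithm.
    & $SignTool sign /v /fd SHA256 /f $Pfx /p $plain /tr $TsaUrl /td SHA256 $Exe
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }
} finally {
    $plain = $null
}

# /pa applies the Authenticode policy, i.e. the check Windows performs on the file.
& $SignTool verify /pa /v $Exe
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Without a timestamp the signature would stop validating at the certificate's NotAfter date,
# which is exactly the "users can no longer run it" outcome the question asks about.
$sig = Get-AuthenticodeSignature -FilePath $Exe
if (-not $sig.TimeStamperCertificate) {
    throw 'No timestamp countersignature found; re-sign with /tr so the signature outlives the certificate.'
}
"Signed by:           $($sig.SignerCertificate.Subject)"
"Certificate expires: $($sig.SignerCertificate.NotAfter)"
"Timestamped by:      $($sig.TimeStamperCertificate.Subject)"
```

Timestamp servers are network services, so run the signing step on a build machine with outbound HTTP access; a signing run that fails to reach the server produces a valid-looking but untimestamped file unless, as above, you check for the countersignature afterwards.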

creating a key and signing executable with signtool

How would I sign a Visual C# executable?
SignTool.exe can't find a certificate.
How would I create a self signed key and certificate, and have signtool be able to see the certificate and use it?
OpenSSL and Visual Studio 2010 Express are installed. Running Windows 7 Ultimate x64.
Using SignTool.exe from Windows Driver Kit.
Using self-signed certificates for digitally signing your binaries pretty much goes against the concept of using digital certificates with programs. The basic idea is to prove the code was created by you (authenticity) and has not been modified since you released it (integrity). This must be done by using a signed certificate that is signed by a trusted Certificate Authority (CA).
With .NET, when a binary is digitally signed, it is automatically verified for integrity and authenticity during startup. While I have not personally tested this, using a self-signed certificate is probably going to cause you a great deal of problems.
If you want to digitally sign your programs, you need to invest in a code signing certificate from a CA. There are a number of companies out there that can provide this service (Verisign, Thawte), for a fee.
While the fee might seem a bit extreme in price, remember that you are not just purchasing a digital certificate but also 24/7 validation of that certificate. Any time someone starts your program it will ensure the program was written by you and that the program has not been changed since you released it.
Once you have a certificate, you can digitally sign your program by following the steps in How to: Sign Application and Deployment Manifests.
Update: If this program is strictly an internal application (limited to you or your business), you can create your own CA. Since you would be the only one running it, only you would need to validate it. The CA certificate would need to be installed as a Trusted Root Certificate on all the machines that would run the program (or if you have access to Windows Server, you could set up a real working CA).
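The internal-CA route in the update above can be done with the SDK tools the question already has on hand. The following PowerShell script is an added example, not code from the original answer: it uses MakeCert.exe to create a self-signed root CA, issues a code-signing certificate chained to that root (with the id-kp-codeSigning EKU that SignTool looks for), bundles the signer key into a password-protected PFX with Pvk2Pfx.exe, and signs the program. The CA and signer names, output paths, and expiry dates are all assumptions for illustration.

```powershell
# Added example, not from the original answer: a private CA for an internal application, built with
# MakeCert.exe and Pvk2Pfx.exe from the Windows SDK, plus a code-signing certificate issued from it.
# Names, paths and dates below are assumptions; both tools must be on PATH.
$Out     = 'C:\internalca'
$CaName  = 'CN=Contoso Internal Code Signing CA'   # hypothetical CA name
$Signer  = 'CN=Contoso Build Server'               # hypothetical signer name
$Exe     = 'C:\build\internal-tool.exe'
$PfxPass = Read-Host 'Passphrase for the signer PFX'   # never leave an unprotected PFX lying around

New-Item -ItemType Directory -Path $Out -Force | Out-Null

# 1. Self-signed root CA certificate and private key (.pvk).
#    -r self-signed, -cy authority marks it as a CA, -a sha256 chooses the hash, -e sets the expiry.
#    makecert shows a dialog for a .pvk password; if you set one, pass it to pvk2pfx with -pi later.
& makecert -r -pe -n $CaName -a sha256 -len 2048 -cy authority `
           -sv "$Out\root.pvk" -e 01/01/2035 "$Out\root.cer"
if ($LASTEXITCODE -ne 0) { throw 'makecert (root) failed' }

# 2. End-entity code-signing certificate issued by that root.
#    -eku 1.3.6.1.5.5.7.3.3 is id-kp-codeSigning; -sky signature requests a signing key;
#    -iv/-ic name the issuer's key and certificate.
& makecert -pe -n $Signer -a sha256 -len 2048 -cy end -sky signature -eku 1.3.6.1.5.5.7.3.3 `
           -iv "$Out\root.pvk" -ic "$Out\root.cer" -sv "$Out\signer.pvk" -e 01/01/2028 "$Out\signer.cer"
if ($LASTEXITCODE -ne 0) { throw 'makecert (signer) failed' }

# 3. Combine signer certificate and key into a password-protected PFX for signtool.
& pvk2pfx -pvk "$Out\signer.pvk" -spc "$Out\signer.cer" -pfx "$Out\signer.pfx" -po $PfxPass
if ($LASTEXITCODE -ne 0) { throw 'pvk2pfx failed' }

# 4. Sign the program with the issued certificate.
& signtool sign /v /fd SHA256 /f "$Out\signer.pfx" /p $PfxPass $Exe
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# 5. On a machine that has not installed root.cer into Trusted Root Certification Authorities the
#    status below is NotTrusted (the "unknown publisher" warning); after the import it becomes Valid.
$sig = Get-AuthenticodeSignature -FilePath $Exe
"Status: $($sig.Status)  signer: $($sig.SignerCertificate.Subject)  issuer: $($sig.SignerCertificate.Issuer)"
```

Keep root.pvk off the build machine once the signer certificate has been issued: whoever holds the root key can mint further certificates that every machine trusting root.cer will accept. Distribute only root.cer to the client machines.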

Automatically Install: Self-Signing ClickOnce Manifests with Cert > Need App to Install Root CA in Trusted Root Certs on Client PC

ClickOnce is supposed to use a signing cert for distribution. If I was developing a major app, I could understand purchasing a cert. However, my app is for a small-sized company and I cannot justify the expense.
My question is, when my app first installs, how might I install my self-signed Root CA into Trusted Root Certificates automatically so there are no issues with my self-signed program?
My current self-signed CA Root and program cert were set up between Exchange 2010/IIS 7.0 and OpenSSL. The clients will be remote so I do not want to use Microsoft's Certificate Authority. You can see how I developed the certs at http://www.tekcrack.com/creating-your-own-self-signed-sans-certificate-for-exchange-2010-and-iis-70-1of3.html
Has anyone encountered the same problem? What route did you take to work around it...for free?
I don't know if that certificate will work for ClickOnce deployment. What you need is a code-signing certificate. I think you can buy one from GoDaddy for less than a hundred bucks, which is pretty inexpensive for giving your customers that nice warm feeling of having a trusted publisher.
If your customer has a domain administrator and any kind of central IT group, they can create a certificate for you that will be trusted.
You can't install a certificate programmatically on the user's computer. A ClickOnce application will not have that level of privilege. You have to have the customers install the certificate. Plus, it would be a huge security gap if people could install certificates without the user's knowledge.
And my last words of wisdom -- be sure your certificate is password-protected, and nobody can get their hands on it. If they do, and the certificate is installed in the store on the user's computer, they will be able to install applications on the user's computer in your name.
Having said all of that, I think this article will be helpful to you:
http://msdn.microsoft.com/en-us/library/ms996418.aspx#clickoncetrustpub_topic1
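Since the answer's point is that the customer, not the ClickOnce application, has to install the root, here is what that step looks like from the customer's side. The PowerShell script below is an added example and not part of the original answer: run once per client PC by an administrator, it shows the root's thumbprint for out-of-band comparison, imports the certificate into the machine's Trusted Root Certification Authorities store, confirms the import, and checks that the application's signature now validates. The share and file paths are assumptions. The elevation check at the top is the practical form of the answer's remark about privilege: writing to LocalMachine\Root is an administrator-only operation, which a ClickOnce application never gets.

```powershell
# Added example, not from the original answer: administrator-side installation of an internally
# issued root certificate on a client PC, followed by a check that the signed application verifies.
# $RootCer and $Exe are assumptions; replace them with your deployment's paths.
$RootCer = '\\fileserver\deploy\root.cer'                 # hypothetical share holding the root certificate
$Exe     = '\\fileserver\deploy\MyApp.exe'                # hypothetical signed application binary

# Trusted Root for the whole machine can only be written by an administrator; a ClickOnce app
# running as the user cannot do this, which is why the answer says the customer must install it.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session; Cert:\LocalMachine\Root is admin-only.'
}

# Display the thumbprint before trusting anything so it can be compared with the value the
# publisher sent through a separate channel; trusting a root is an all-or-nothing decision.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCer
"About to trust: $($root.Subject)"
"  thumbprint:   $($root.Thumbprint)"
"  valid until:  $($root.NotAfter)"

# Import into Trusted Root Certification Authorities (machine-wide).
# On older Windows without the PKI module use: certutil -addstore Root $RootCer
Import-Certificate -FilePath $RootCer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Confirm the import by thumbprint rather than by subject name.
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if (-not $installed) { throw 'Root certificate was not imported.' }

# The application's signature should now chain to the trusted root: Status becomes Valid instead
# of NotTrusted, and the publisher appears as known in the ClickOnce install prompt.
$sig = Get-AuthenticodeSignature -FilePath $Exe
"Signature status: $($sig.Status) ($($sig.StatusMessage))"
"Signer:           $($sig.SignerCertificate.Subject)"
if ($sig.Status -ne 'Valid') { throw 'Application signature still does not verify on this machine.' }
```

Nothing in the script depends on the application itself; it is a one-time administrative action, which is also why the same outcome is usually achieved in a company by having the domain administrator push the root out centrally, as the answer suggests in its second paragraph.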
