Signing an executable

  • Thread starter Hendrik Schober
  • Start date
H

Hendrik Schober

Hi,

we have the requirement to sign an executable in order
to ba Vista-approved (whatever the official term is).
Consider me a complete newbie in this. I haven't even
sen Vista yet.

How do I start? What do I need to do?

Schobi

--
(e-mail address removed) is never read
I'm Schobi at suespammers dot org

"The sarcasm is mightier than the sword."
Eric Jarvis
 
Z

Zack Whittaker

It doesn't need to be "Vista" approved, just "approved" :blush:) If you go to
Verisign or somewhere and obtain a certificate for your application, this
verifies where the file actually came from and replaces the "Unknown author"
in the setup which usually makes the user a bit weary about installing it.

If you have a name or a software vendor on there, it looks genuine :blush:)

--
Zack Whittaker
» ZackNET Enterprises: www.zacknet.co.uk
» MSBlog on ResDev: www.msblog.org
» Vista Knowledge Base: www.vistabase.co.uk
» This mailing is provided "as is" with no warranties, and confers no
rights. All opinions expressed are those of myself unless stated so, and not
of my employer, best friend, Ghandi, my mother or my cat. Glad we cleared
that up!

--: Original message follows :--
 
P

Pierre Szwarc

For .Net executables, you can have Visual Studio generate a digital
signature. Although it's not publicly registered with a reputable
Certification Authority, (which costs a bundle), it should be enough.
--
Pierre Szwarc
Paris, France
PGP key ID 0x75B5779B
------------------------------------------------
Multitasking: Reading in the bathroom !
------------------------------------------------

"Hendrik Schober" <[email protected]> a écrit dans le message de (e-mail address removed)...
| Hi,
|
| we have the requirement to sign an executable in order
| to ba Vista-approved (whatever the official term is).
| Consider me a complete newbie in this. I haven't even
| sen Vista yet.
|
| How do I start? What do I need to do?
|
| Schobi
 
P

Puppy Breath

Hmm, pardon my ignorance and I don't mean to sound smarmy. But isn't the
idea of signing supposed to be to provide some authentication,
accountability and nonrepudiation in terms of who wrote the code? If anyone
can just sign an executable however they want, what's the point of signing?
What would prevent someone from creating a tainted version of an app and
signing it as though it were the original app?
 
P

Pierre Szwarc

You're quite correct, of course. However, once you've installed a signed
app, even if it's not certified, a modified one with a different digital
certificate will be detected.
--
Pierre Szwarc
Paris, France
PGP key ID 0x75B5779B
------------------------------------------------
Multitasking: Reading in the bathroom !
------------------------------------------------

"Puppy Breath" <[email protected]> a écrit dans le message de (e-mail address removed)...
| Hmm, pardon my ignorance and I don't mean to sound smarmy. But isn't the
| idea of signing supposed to be to provide some authentication,
| accountability and nonrepudiation in terms of who wrote the code? If
anyone
| can just sign an executable however they want, what's the point of
signing?
| What would prevent someone from creating a tainted version of an app and
| signing it as though it were the original app?
 
P

Puppy Breath

So on the initial installation would the user see something like "Publisher
can't be verified"? And then what would happen on a subsequent attempt to
replace or change it?
 
P

Pierre Szwarc

That's about it. AFAIK, if the digital certificate's signature is different
from the original installation's, you'd get a message to that effect, which
should alert you to possible hanky-panky.
--
Pierre Szwarc
Paris, France
PGP key ID 0x75B5779B
------------------------------------------------
Multitasking: Reading in the bathroom !
------------------------------------------------

"Puppy Breath" <[email protected]> a écrit dans le message de (e-mail address removed)...
| So on the initial installation would the user see something like
"Publisher
| can't be verified"? And then what would happen on a subsequent attempt to
| replace or change it?
 
H

Hendrik Schober

Hendrik Schober said:
Hi,

we have the requirement to sign an executable in order
to ba Vista-approved (whatever the official term is).
Consider me a complete newbie in this. I haven't even
sen Vista yet.

How do I start? What do I need to do?
Click to expand...

Thank you everyone for commenting on this.
It seems we'll buy a VeriSign ID and sign
using this.

Schobi

--
(e-mail address removed) is never read
I'm Schobi at suespammers dot org

"The sarcasm is mightier than the sword."
Eric Jarvis
 
J

Josh

All a certificate buys you is that you know "who" the exe came from...there
is a trail. Lots of "ware" has used signing to bypass security even when
they are less than reputable. I don't trust certs anymore...


Josh
 
P

Pierre Szwarc

Which kind of defeats the whole purpose of digital signatures, doesn't it?
;))
--
Pierre Szwarc
Paris, France
PGP key ID 0x75B5779B
------------------------------------------------
Multitasking: Reading in the bathroom !
------------------------------------------------

"Josh" <[email protected]> a écrit dans le message de (e-mail address removed)...
[snip]
| I don't trust certs anymore...
|
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Intellisense blocking our machines 19
fatal error LNK1179 7
VC8 and C4996 3
CG bug in VC7.1? 6
Problem with locales in unloaded DLLs 10
Need a cloning smart pointer 2
Optimization issue with VC7.1 1
Need help with fatal C1509 3

Top