forum.vdsworld.com Forum Index -> Other Product Support/Announcements

Dll Updates
PGWARE
Web Host
Joined: 29 Dec 2001
Posts: 1565

Posted: Thu Aug 12, 2004 6:43 pm    Post subject: Dll Updates

The dll's vdsipp, vdsobj and vdspopup have all been updated. No changes to the code were made. Rather, the setup installation files have all been signed with an MS Authenticode Security Certificate. The new version of IE coming out with XP SP2 will somewhat require files to be signed by a digital cert, thus the files/dll's have been updated.


You can download the new dll's if you choose however again no changes to the actual dll code were made in this update.
FreezingFire
Admin Team
Joined: 23 Jun 2002
Posts: 3508

Posted: Thu Aug 12, 2004 8:06 pm

What do you mean about IE requiring a security certificate for downloads?
Does this mean my files will need to be signed or something?

_________________
FreezingFire
VDSWORLD.com
Site Admin Team
PGWARE
Web Host
Joined: 29 Dec 2001
Posts: 1565

Posted: Thu Aug 12, 2004 9:02 pm

It doesn't really require it (at least not yet). But it will warn you that the file is not signed and recommend not installing the software. This gives the impression to people who are not too familiar with computers that there must be something wrong with that specific file.

Previous versions of IE did this too but only when you clicked 'RUN' instead of saving the file from IE. Now when you RUN or SAVE an exe, dll, cab and several other files from IE it will warn the file was not signed by a certificate and the identity of the file creator is unknown. Zip files are not affected.

Again it's not such a big change, but the inclusion of warning the file is not signed when SAVED and executed is what made me go out and get a certificate.
SnarlingSheep
Professional Member
Joined: 13 Mar 2001
Posts: 759
Location: Michigan

Posted: Fri Aug 13, 2004 1:55 am

Just another stupid way to annoy the honest people.
Not-so-geeky people click yes to everything without reading anyway ;)

_________________
-Sheep
My pockets hurt...
SnarlingSheep
Professional Member
Joined: 13 Mar 2001
Posts: 759
Location: Michigan

Posted: Fri Aug 13, 2004 1:59 am

Also note that this security warning only shows when the user downloads and attempts to run an EXE. Putting your installation packages in a zip file cures this and is much easier than paying for a certificate from MS.
_________________
-Sheep
My pockets hurt...
PGWARE
Web Host
Joined: 29 Dec 2001
Posts: 1565

Posted: Fri Aug 13, 2004 4:47 am

exe, dll, cab and several other file types trigger the warning. Yes, putting it in a zip solves the issue, but most computer users have absolutely no idea how to operate zip files; thus self-extracting files are much easier for them.


You actually do not buy the Authenticode code signing certs from Microsoft, you're purchasing them from either Verisign, Thawte or GTE.
jules
Professional Member
Joined: 14 Sep 2001
Posts: 1043
Location: Cumbria, UK

Posted: Fri Aug 13, 2004 8:11 am

How much did it cost you?

I'm really unhappy about having to do this because:

a) I imagine it's not cheap, and I only make $200 - $300 a month in sales.

b) it's like giving in to Microsoft blackmail.

_________________
The Tech Pro
www.tech-pro.net
Skit3000
Admin Team
Joined: 11 May 2002
Posts: 2166
Location: The Netherlands

Posted: Fri Aug 13, 2004 9:16 am

How does Microsoft (or Verisign, Thawte or GTE) verify if there isn't any malicious code inside signed programs? I guess they don't debug every petition by hand...
_________________
[ Add autocomplete functionality to your VDS IDE windows! ]
For Dutch beginners with VDS: also have a look at this tutorial!
jules
Professional Member
Joined: 14 Sep 2001
Posts: 1043
Location: Cumbria, UK

Posted: Fri Aug 13, 2004 10:14 am

They don't. The certificate is just like a signature. It says that the file has been signed by PGWare, or whoever. You still have to decide whether PGWare is to be trusted. However, the certificate issuing authority does carry out checks to verify that you are who you say you are. As I have a legally constituted business, I could probably get a code signing certificate (if I could afford one). A guy writing software in his back bedroom (who could be writing viruses for all Verisign knows) probably couldn't.

I personally think this is very unfair, as it could force a lot of freeware, hobbyists and shareware developers out of the market. I've started a soapbox thread at http://www.pcadvisor.co.uk/index.cfm?go=discuss.thread&threadid=157520&forumid=16 about this: log on and have your say if you feel the same way about it as I do.

_________________
The Tech Pro
www.tech-pro.net
Skit3000
Admin Team
Joined: 11 May 2002
Posts: 2166
Location: The Netherlands

Posted: Fri Aug 13, 2004 10:20 am

What if somebody "steals" your certificate and uses it for his/her own programs, or isn't that possible?
_________________
[ Add autocomplete functionality to your VDS IDE windows! ]
For Dutch beginners with VDS: also have a look at this tutorial!
arcray
Valued Contributor
Joined: 13 Jul 2001
Posts: 242
Location: Aude, France

Posted: Fri Aug 13, 2004 10:52 am

And how does one sign VDS5.02 generated EXE's, or install packages generated by Inno Setup?
_________________
Andrew GRAY
If you don't know I am looking for work, I won't get the job.

andrewrcgray.com
vdsalchemist
Admin Team
Joined: 23 Oct 2001
Posts: 1448
Location: Florida, USA

Posted: Fri Aug 13, 2004 1:46 pm

Skit3000 wrote:
What if somebody "steals" your certificate and uses it for his/her own programs, or isn't that possible?


Skit,
The only way that someone could steal your certificate is to physically steal the files that are used to digitally sign with. Usually you get 1 or 2 files and then you use software to read those files and apply the certificates. Without those files the certs cannot be generated. Just like a certificate for websites. In other words, you would have to give them the certificate files. In the past when I have needed a digital cert file I have always placed the files on a floppy or CD and sealed them in a zip-lock plastic bag.

_________________
Give VDS a new purpose!
jules
Professional Member
Joined: 14 Sep 2001
Posts: 1043
Location: Cumbria, UK

Posted: Fri Aug 13, 2004 2:14 pm

Yes. In principle, it's the same kind of process as using PGP signing for documents and emails. You have a private key and a public key. For someone to be able to forge your signature, they'd have to steal your private key. They couldn't get it from a file that you've signed.

Now, Microsoft could have used an open system like PGP, which would have allowed anyone to create digital signatures for software. Instead, they chose a system that is only accessible to corporates (and Prakash ;) ).

I don't know how the signature is applied to an EXE, or how it's stored. I looked at a signed file using a resource explorer tool, and I couldn't see where it was.

_________________
The Tech Pro
www.tech-pro.net
PGWARE
Web Host
Joined: 29 Dec 2001
Posts: 1565

Posted: Fri Aug 13, 2004 2:18 pm

Buying the code signing certs from Thawte will cost you $200 per year. Renewals cost ~$153 US. Verisign charges $400 per year. Obviously I went with Thawte. The certs are the same, as all CAs have their root certs for code signing enabled; this really isn't the case with SSL (https:// certificates), so you have to pick wisely when buying an SSL cert.

With the cert you can sign as many products as you wish, as long as they are from the company/organization which purchased the code signing cert.

You are not required to renew the certificate, as long as you timestamp the program. You basically connect to a server that does timestamping and it stamps the certificate/program with a hardcoded date. If the certificate expires and there is a valid stamp on it then the certificate does not warn it is expired to the end users downloading your files. But you will need to renew the cert if you want to re-stamp new builds/updates of your files. You can use the freely available Verisign timestamping service to stamp your code with (instructions to do it are included in Microsoft's code signing SDK).

Information on how to sign code is at:
http://msdn.microsoft.com/library/default.asp?url=/workshop/security/authcode/signing.asp

You can download the files (signcode.exe) at:
http://www.microsoft.com/downloads/details.aspx?FamilyID=2B742795-D0F0-4A66-B27F-22A95FCD3425&displaylang=en

Probably want to get the x86 executable as it's unlikely most people here are generating alpha executables (64 bit).


You can get more information and purchase the certs from Thawte at:
http://www.thawte.com/codesign/index.html

Look at the Microsoft Authenticode Code Signing Certificate.



As to questions about stealing a cert: it's possible but very, very hard to do. Thawte sends you a .pvk file (private key file) and a certificate file. Both files are required to generate the certificate embedded into the exe. The hash of this certificate is unique to each executable and if the exe is modified in any way the cert is nullified. Also you have the option when purchasing the code signing cert if you want to password protect it. This allows even more security, as if anyone does get a hold of the cert and private key then they still need the password to sign with.


Also the process to obtain a cert can take some time. It took me roughly 8 hours to receive it. You cannot as an individual in the US get a code signing cert. You must be a registered business with your state/country and they will require you to fax them documentation proving your business is valid. Then they will check your domain; all certs are tied with a domain - typically the business domain - so they check the whois records. As long as the REGISTRANT OF RECORD on the domain matches your legal company name EXACTLY then you are fine. For instance my legal company name is PGWARE LLC, thus that is what had to be listed in the registrant information for the domain; if I had just PGWARE then Thawte would decline my application.

Finally you have to have a business phone number where they can contact you to verify the purchase. They will attempt to obtain a phone number from you by the use of a phone directory service in your city; if you are not listed then they will attempt other means to find a phone number to contact you at. If they are not able to find any number then you need to fax them a phone bill that shows your company name on it, and your telephone number on it. They will then call you and ask you basic questions on who ordered the certificate and details you entered when ordering - this allows them to confirm you are the person who really is getting the cert. If you have no phone number at all for your business, fear not: you can send in a notarized letter signed by a notary which states you give permission and authorization to distribute a certificate to your business; then fax it in to them.

As long as you have everything in order and all documents ready to be faxed you can get the cert within a day's time. They do all these checks to make sure you are who you say you are. Also they want to make it seem like they are actually doing something for that $200 you're sending them.


If any of you guys are interested in doing it and have any problems along the way just message me here or email me and I'll lend some assistance.


Last edited by PGWARE on Fri Aug 13, 2004 2:33 pm; edited 3 times in total
PGWARE
Web Host
Joined: 29 Dec 2001
Posts: 1565

Posted: Fri Aug 13, 2004 2:26 pm

Julian, the cert is signed into the exe by the user of the signcode.exe program. It adds an additional section into the exe header which contains the cert.

When using the codesign.exe you can pass command-line params to generate the digital certificate within the exe. When you right-click on an exe that is signed, click PROPERTIES and there is a new tab within the properties sheet of the executable entitled DIGITAL CERTIFICATE.

Here is how to sign:


signcode.exe -spc mycert.spc -v mykey.pvk -n "My Program" -i http://www.url.com -$ commercial -t http://timestamp.verisign.com/scripts/timstamp.dll MYPROG.EXE


mycert.spc is the file Thawte/Verisign sends to you; it is the certificate. mykey.pvk is the private key Thawte/Verisign also sends to you, which contains your private key and password (if a password was set). Note you cannot change the password without buying a new cert.

"My Program" is just a friendly name you can give your program and is displayed in the Security box when shown to a user downloading your file. http://www.url.com is the URL to your website; this lets a user click on your program name (friendly name) and it takes them to the website. Finally you include the optional timestamp (you should timestamp, so when the certificate expires the file is still signed). Then you pass the filename/path to your exe that needs to be signed.


Last edited by PGWARE on Fri Aug 13, 2004 3:02 pm; edited 1 time in total
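As an added illustration (not from this thread, and not Microsoft's or any CA's tooling) of where the signature that Julian could not find with a resource explorer actually lives, and of why any change to the exe "nullifies" it: the script below parses a constructed minimal PE32 image, locates the Certificate Table entry in the optional header's data directory, attaches a dummy WIN_CERTIFICATE record the way a signing tool does, and computes a simplified Authenticode-style digest that skips the CheckSum field, the security directory entry and the certificate table itself. The PE bytes and the "PKCS#7 blob" are constructed placeholders, and the digest routine omits the real algorithm's section reordering (the sample has no sections).

```python
import hashlib
import struct
IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data-directory slot that holds the Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode signatures are PKCS#7 SignedData

def _header_offsets(pe):
    """Return (CheckSum field offset, security directory entry offset) for PE32 or PE32+."""
    if pe[:2] != b"MZ": raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0": raise ValueError("missing PE signature")
    opt = e_lfanew + 24                            # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]    # where the data directories start (PE32 / PE32+)
    return opt + 64, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY

def read_certificate(pe):
    """Return (wCertificateType, signature bytes) from the Certificate Table, or None if unsigned."""
    _, secdir = _header_offsets(pe)
    off, size = struct.unpack_from("<II", pe, secdir)   # a raw file offset, not an RVA
    if size == 0:
        return None
    length, _revision, ctype = struct.unpack_from("<IHH", pe, off)   # WIN_CERTIFICATE header
    return ctype, pe[off + 8:off + length]

def authenticode_digest(pe, algo="sha1"):
    """Simplified Authenticode image hash: every byte in file order except the CheckSum field,
    the security directory entry and the certificate table (real tools also order sections)."""
    checksum, secdir = _header_offsets(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir)
    end = cert_off if cert_size else len(pe)
    h = hashlib.new(algo)
    for chunk in (pe[:checksum], pe[checksum + 4:secdir], pe[secdir + 8:end]):
        h.update(chunk)
    return h.hexdigest()

def attach_signature(pe, blob):
    """Append a WIN_CERTIFICATE entry (as signing tools do) and point the security directory at it."""
    pe += b"\0" * (-len(pe) % 8)                   # the table must start on an 8-byte boundary
    _, secdir = _header_offsets(pe)
    entry = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    pe = pe[:secdir] + struct.pack("<II", len(pe), len(entry)) + pe[secdir + 8:]
    return pe + entry

def build_sample_pe():
    """Constructed minimal PE32 image (DOS stub, COFF header, zeroed optional header, 16-byte body)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew -> PE signature at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                   # PE32 magic + 16 empty directories
    return dos + coff + opt + b"dummy code bytes"                   # 328 bytes, already 8-aligned
```

Attaching the signature leaves the digest unchanged, which is what lets the embedded PKCS#7 blob vouch for the rest of the image, while flipping a single body byte changes it.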
All times are GMT
Page 1 of 7