f



Digital signature for my VB6 app?

Hi,

I am an amateur software developer. I distribute educational freeware
from my website at www.dcproof.com. I have some questions about
digital signatures:

Do I really need one for my setup.exe download? Would many potential
users be put off by the warning message about the lack of a signature?

If so, is there a cheap way to get a digital signature for my
setup.exe download? VeriSign charges $895 US for one year! Are there
cheaper alternatives to a digital signature that would reassure
potential users?

Dan

0
dc9695 (2)
2/1/2007 9:44:06 PM
comp.lang.basic.visual.misc 10153 articles. 0 followers. Post Follow

8 Replies
622 Views

Similar Articles

[PageSpeed] 10

> I am an amateur software developer. I distribute educational freeware
> from my website at www.dcproof.com. I have some questions about
> digital signatures:
>
> Do I really need one for my setup.exe download? Would many potential
> users be put off by the warning message about the lack of a signature?
>

    I think it's just a matter of preference and audience.
In Windows pre-Vista the warnings only happen when
people are using IE to download in WinXP with SP2.
I used to show an informational note to those people,
but I don't bother now. About half my visitors are using
Firefox and I figure that any IE users who haven't turned
off the warnings are used to them.

  In Vista I think there are also warnings about installing
unsigned software. Again, people should get used to
frivolous warnings pretty quickly in Vista. But you have to
decide about that for yourself.


0
mayayana1a (27)
2/2/2007 3:12:10 AM
"mayayana" <mayayana1a@mindspring.com> wrote in message 
news:e_xwh.19768$w91.18842@newsread1.news.pas.earthlink.net...
>> I am an amateur software developer. I distribute educational freeware
>> from my website at www.dcproof.com. I have some questions about
>> digital signatures:
>>
>> Do I really need one for my setup.exe download? Would many potential
>> users be put off by the warning message about the lack of a signature?
>>
>
>    I think it's just a matter of preference and audience.
> In Windows pre-Vista the warnings only happen when
> people are using IE to download in WinXP with SP2.
> I used to show an informational note to those people,
> but I don't bother now. About half my visitors are using
> Firefox and I figure that any IE users who haven't turned
> off the warnings are used to them.
>
>  In Vista I think there are also warnings about installing
> unsigned software. Again, people should get used to
> frivolous warnings pretty quickly in Vista. But you have to
> decide about that for yourself.
>
>

You can actually sign a setup program with a private digital signature. I just 
signed a copy of dcsetup.exe, after downloading it. The tools are in the MS SDK 
(which is now heavily .Net oriented, of course).

The catch is that now you have a valid signature, but the signature can't be 
verified against a certified publisher, unless you pony up to Versign or the 
like. So instead of "Warning, unsigned...", now you get "Warning, publisher not 
verified".

It is not a complete waste, since you can enter in some data to make it look 
good (though I just left the default publisher name of Joe's Software Emporium). 
And it does mean that the file downloaded matches the file that was signed. But 
the user still gets a warning, so there is probably not much point.



0
mynamehere (1583)
2/2/2007 4:00:48 AM
> >
> You can actually sign a setup program with a private digital signature. I
just
> signed a copy of dcsetup.exe, after downloading it. The tools are in the
MS SDK
> (which is now heavily .Net oriented, of course).
>
   That's interesting. What SDK do you mean?
Something connected with VS.Net? Or with
Windows Installer? It's just some kind of software
program that composes and inserts a digital
signature for anyone?




0
mayayana1a (27)
2/2/2007 4:43:50 AM
"mayayana" <mayayana1a@mindspring.com> wrote in message 
news:akzwh.19801$w91.18040@newsread1.news.pas.earthlink.net...
>> >
>> You can actually sign a setup program with a private digital signature. I
> just
>> signed a copy of dcsetup.exe, after downloading it. The tools are in the
> MS SDK
>> (which is now heavily .Net oriented, of course).
>>
>   That's interesting. What SDK do you mean?
> Something connected with VS.Net? Or with
> Windows Installer? It's just some kind of software
> program that composes and inserts a digital
> signature for anyone?
>

Um, either the platform SDK, or the .Net Framework SDK will have the tools 
(makecert.exe and signcode.exe or signtool.exe). Available here:

Platform: http://go.microsoft.com/fwlink/?linkid=62495&clcid=0x409
Framework: http://go.microsoft.com/fwlink/?linkid=62498&clcid=0x409

The MSDN pages are always saying "create a certificate for test purposes only", 
etc., but my impression is that the homemade ones are just as good, except for 
the "publisher can't be verified" message. That message seems to me no more 
serious than the "certificate has expired" message you sometimes see, which I 
guess occurs when someone paid for a year of Verisign, then let it expire 
because seriously, who has time to care...

There is other stuff on MSDN too. I haven't spend a large amount of time on 
this, so bear in mind that I don't really know what I'm talking about :)


0
mynamehere (1583)
2/2/2007 6:33:45 AM
> The MSDN pages are always saying "create a certificate for test purposes
only",
> etc., but my impression is that the homemade ones are just as good, except
for
> the "publisher can't be verified" message. That message seems to me no
more
> serious than the "certificate has expired" message you sometimes see,
which I
> guess occurs when someone paid for a year of Verisign, then let it expire
> because seriously, who has time to care...
>
> There is other stuff on MSDN too. I haven't spend a large amount of time
on
> this, so bear in mind that I don't really know what I'm talking about :)
>
   I did some looking last night and found a download
with codesign.exe and other EXEs for various purposes.

   Apparently codesign.exe works on all systems and
the new one, signtool.exe, only comes in the SDK and
only works on NT systems. I'm curious about how all of
this is structured. As you noted, the info. seems to say
that signing "must not" be done without a certificate. But
that makes me wonder about who, if anyone, has the
rights to all this. Presumably it's just an encryption added
to the EXE. So saying "you must not" is like saying you
must not add this or that resource to the resource table
without paying for a license. If the "must not" merely means
"you must not if you want to be part of our game" then
your idea seems like a good one. One only needs to
figure out, apparently, how to compose the extra files
needed for signing (.spc and .pvk).


0
mayayana1a (27)
2/2/2007 2:14:32 PM
"Steve Gerrard" <mynamehere@comcast.net> wrote:

>That message seems to me no more 
>serious than the "certificate has expired" message you sometimes see, which I 
>guess occurs when someone paid for a year of Verisign, then let it expire 
>because seriously, who has time to care...

A signed app never expires. Its your ability to sign apps after the
certificate expires that is the problem.
-mhd
0
not_real (57)
2/2/2007 2:50:22 PM
"mayayana" <mayayana1a@mindspring.com> wrote in message 
news:cHHwh.22475$X72.12354@newsread3.news.pas.earthlink.net...
>
>
>   Apparently codesign.exe works on all systems and
> the new one, signtool.exe, only comes in the SDK and
> only works on NT systems. I'm curious about how all of
> this is structured. As you noted, the info. seems to say
> that signing "must not" be done without a certificate. But
> that makes me wonder about who, if anyone, has the
> rights to all this. Presumably it's just an encryption added
> to the EXE. So saying "you must not" is like saying you
> must not add this or that resource to the resource table
> without paying for a license. If the "must not" merely means
> "you must not if you want to be part of our game" then
> your idea seems like a good one. One only needs to
> figure out, apparently, how to compose the extra files
> needed for signing (.spc and .pvk).
>

I think it is correct that "must not" is just a way of saying "if you don't, you 
will not have a verifiable certificate". There is nothing I have seen to suggest 
that it violates any license or the like.

There is also a tool called makecert.exe, which will make a certificate. I made 
one that says "Steve Gerrard" as the issuer. It is not traceable to any "root 
authority", so no one can be sure that it was really made by me. Basically 
anyone could make one that said the same thing. The file is saved as 
sgerrard.crt.
I can then use signcode, and it will let me select that certificate as a file 
directly, no other .spc needed. It asks for a private key, and there seems to be 
one on the system for JoeCerts, I'm not sure how that got there. If there are 
none on your system, you would have to find a way to make one.

And then it signs the file. I did this on a small VB exe. Clicking properties on 
the file now shows a tab called "Digital Signatures", with one entry listed. It 
says Name of Signer is "Steve Gerrard".
Clicking Details reveals this message: "The certification path terminates with 
the test root, which is not trusted in the current policy settings." (ooh, I'm 
scared). For a user running a setup program, this same observation produces the 
"unknown publisher", "could not verify" messages. If they look at the 
certificate, it will say "Steve Gerrard" on it, but that it can't be verified.

I think that is all they mean when they "for test purposes only, blah, blah". 
Unless someone has set a policy that blocks all untrusted publishers without 
even prompting, it won't matter.



0
mynamehere (1583)
2/4/2007 1:28:56 AM
   Thanks for that information. It's an interesting
situation. I have the makecert. I found this site:

http://www.cryptguard.com/documentation_resources_tools.shtml#download

which has links and downloads. One of the "kits"
has about 8 different tools.

    It'd be interesting if large numbers of "mom and pop"
operators just made up their own certificates. ... We could
look almost as official as spyware. :)


>
> I think it is correct that "must not" is just a way of saying "if you
don't, you
> will not have a verifiable certificate". There is nothing I have seen to
suggest
> that it violates any license or the like.
>
> There is also a tool called makecert.exe, which will make a certificate. I
made
> one that says "Steve Gerrard" as the issuer. It is not traceable to any
"root
> authority", so no one can be sure that it was really made by me. Basically
> anyone could make one that said the same thing. The file is saved as
> sgerrard.crt.
> I can then use signcode, and it will let me select that certificate as a
file
> directly, no other .spc needed. It asks for a private key, and there seems
to be
> one on the system for JoeCerts, I'm not sure how that got there. If there
are
> none on your system, you would have to find a way to make one.
>
> And then it signs the file. I did this on a small VB exe. Clicking
properties on
> the file now shows a tab called "Digital Signatures", with one entry
listed. It
> says Name of Signer is "Steve Gerrard".
> Clicking Details reveals this message: "The certification path terminates
with
> the test root, which is not trusted in the current policy settings." (ooh,
I'm
> scared). For a user running a setup program, this same observation
produces the
> "unknown publisher", "could not verify" messages. If they look at the
> certificate, it will say "Steve Gerrard" on it, but that it can't be
verified.
>
> I think that is all they mean when they "for test purposes only, blah,
blah".
> Unless someone has set a policy that blocks all untrusted publishers
without
> even prompting, it won't matter.
>
>
>


0
mayayana1a (27)
2/4/2007 4:04:56 PM
Reply: