Code Project

Rip off attempt???

  • G glennPattonWork3

    We are not even a software house, just do a bit to interface to hardware. It looks like the Dreamspark thing is for students? :~

    leppie
    wrote on last edited by
    #4

    glennPattonWork wrote:

    It looks like the Dreamspark thing is for students?

    Something else Spark or Dream something. You might be able to get a software cert somewhere else though (you don't have to go via MS, but you still use signtool). Personally, I would not be bothered to even sign an installer. Heck, I abandoned the installer altogether and created a ZIP file ;p

    IronScheme
    ((λ (x) `(,x ',x)) '(λ (x) `(,x ',x)))

      glennPattonWork3
      wrote on last edited by
      #5

      But the client wants an MSI 'done properly' to avoid any problems :|

        leppie
        wrote on last edited by
        #6

        A valid cert from anywhere will be proper. As long as it can validate with the CA root, it is exactly the same.

          glennPattonWork3
          wrote on last edited by
          #7

          Hang on I might have found something on Intel.....

            Pete OHanlon
            wrote on last edited by
            #8

            Comodo? Prepare to jump through hoops.

            I was brought up to respect my elders. I don't respect many people nowadays.
            CodeStash - Online Snippet Management | My blog | MoXAML PowerToys | Mole 2010 - debugging made easier

              glennPattonWork3
              wrote on last edited by
              #9

              Just read it; all the comments at the bottom basically say that. I mean, that is the last thing, I think, in this project... (I hope!)

                DaveAuld
                wrote on last edited by
                #10

                I went with GlobalSign, ~100ukp, so much more painless an experience than Comondo (or whatever they were called).

                Dave Find Me On: Web|Facebook|Twitter|LinkedIn


                Folding Stats: Team CodeProject

                  DaveAuld
                  wrote on last edited by
                  #11

                  Pete O'Hanlon wrote:

                  Prepare to jump through hoops.

                  That doesn't begin to explain the challenge with that lot!

                    glennPattonWork3
                    wrote on last edited by
                    #12

                    It's just that it seems a bit off: you or the company buy VS2008, use it on XP for years no problem, have to upgrade to Win7 (due to dead PC), and find this! :mad:

                    • G glennPattonWork3

                      Hi All, I have created an installer for my application; when it's run it comes up with Publisher Unknown. Digging around on MSDN, it appears to use a command, SignTool, which I tried in a Console/DOS window; it comes back as "'signtool' is not recognized as an internal or external command, operable program or batch file." Or you have typed rubbish. According to Stack Overflow you need a code signing certificate, which is available for $179 a year or $499. Is this right, so do I send my flaming box of dog do to MicroSharft now or what? Glenn

                      Clifford Nelson
                      wrote on last edited by
                      #13

                      I think the situation with Apple phones is even worse.

                        Lost User
                        wrote on last edited by
                        #14

                        If only there was a way to disable driver signature enforcement..

                          LloydA111
                          wrote on last edited by
                          #15

                          Did you not try doing a cd to the EXE's directory and then running it again?

                                 .-.
                                |o,o|
                             ,| _\=/_      .-""-.
                             ||/_/_\_\    /[] _ _\
                             |_/|(_)|\\  _|_o_LII|_
                                \._./// / | ==== | \
                                |\_/|"` |_| ==== |_|
                                |_|_|    ||" ||  ||
                                |-|-|    ||LI  o ||
                                |_|_|    ||'----'||
                               /_/ \_\  /__|    |__\
                          
                            peterchen
                            wrote on last edited by
                            #16

                            signtool is part of the Platform SDK. You can use it to "self-sign" your executables, mainly to test the signing process (and dependent processes). You usually pay for a certificate needed to sign the executable.

                            When you sign your binaries, your customers know they got exactly the executable you signed. It does not make a guarantee about the quality or validity of your work. Tampering with the executable voids the signature. For unsigned executables, "trust rating" (which determines whether your users are warned about it being "potentially unsafe") is accumulated only for that one binary. For a signed executable, trust rating is accumulated over all binaries from the same publisher (i.e. you). In addition, your customers can choose to "always trust" your files. Group policy allows various restrictions based on the signature status of binaries - the most common is requiring device drivers to be signed.

                            It's not exactly wrong to call the verification process a moneymaking scheme. It usually consists of you faxing personal and business details to the Certificate Authority (CA), and them calling you back for a check of those facts. The only other job they have is to keep their root certificates safe.

                            The process is usually described as "chain of trust", though it's more a chain of finger pointing. Microsoft issues root certificates to CAs and preinstalls those (the public key, to be specific) with Windows. This is the only place where actual trust happens: Microsoft trusts the CAs that they keep their private keys safe, and don't let you register a company name like "Mircosoft" or "This Is Google, Dude, Trust Me" that might mislead end users of your identity. CAs use their certificate to issue a certificate to you. You use the certificate to sign the executable. This could actually go on much deeper. The reverse is the fingerpointing:

                            - "This exe is what glennPattonWork created if this certificate is valid"
                            - "This certificate is valid if it's not expired, wasn't revoked, and the certificate it was created with is valid"
                            - "This certificate is a root certificate, so Microsoft trusts those guys".

                            Certificates can be limited in purpose; usually those allowing you to sign a kernel driver are more expensive and require more effort.

                            ORDER BY what user wants

                              Dan Neely
                              wrote on last edited by
                              #17

                              Then renegotiate the contract to add a line item to buy a Security Theater Certificate for the installer. :rolleyes:

                              Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason? Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful? --Zachris Topelius Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies. -- Sarah Hoyt

                                jschell
                                wrote on last edited by
                                #18

                                glennPattonWork wrote:

                                But the client wants an MSI 'done properly' to avoid any problems

                                Then it is a commercial venture and someone should just pay for it.

                                  glennPattonWork3
                                  wrote on last edited by
                                  #19

                                  Yeah, but they won't pay :rolleyes:

                                    glennPattonWork3
                                    wrote on last edited by
                                    #20

                                    Sadly yes! :sigh:

                                      glennPattonWork3
                                      wrote on last edited by
                                      #21

                                      Kinda what I was thinking, but from the look of it Microsoft trusts you if you give them money, so an evil person could cough up the money and write malware, get caught, certificate revoked, but does this send a Certificate revoked message to everyone who has it installed (like those certificate expired things that land occasionally on my machines)..........

                                        Lost User
                                        wrote on last edited by
                                        #22

                                        You can make your own certificates and sign your own code, then install your certificate in the trusted root on the machine. The user will see a 'do you want to install this certificate from xxx' so they know it is from you. I do this a lot in the kernel for test code, and there is a doc KMCS_walkthrough.doc that explains the process. And yes, get the SDK, it is free and has all the tools you need.

                                        ============================== Nothing to say.

                                          peterchen
                                          wrote on last edited by
                                          #23

                                          As I said: there's actually not much trust involved, just identity. The signature merely guarantees the file is the same file someone calling himself "NotTheRussianMafia!" uploaded to tot4llyvirusfreew4rez.com. As I understand, revocation is tested when the certificate is verified, and likely a revocation list is also included in Windows updates. So yes, if you are not online and not patching Windows, the revocation will not reach you. Maybe more

                                          ORDER BY what user wants
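
The checks peterchen lists in posts #16 and #23 (not expired, not revoked, issuer valid, root trusted, purpose allowed), together with the locally installed test root from post #22, as an added example that is not part of the thread. It is a Python model of the policy checks only: the certificate names, serials and dates are constructed, the trust store is keyed by subject name for brevity, and the signature check on each link is assumed to have passed.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str          # equals subject for a self-signed (root) certificate
    serial: int
    not_before: datetime
    not_after: datetime
    purposes: frozenset  # uses the issuer allowed for this certificate

def validate(leaf, known, trusted_roots, revoked, now, purpose):
    """Walk leaf -> issuer -> root. Returns (ok, trail of reasons).

    Models the policy checks only; the cryptographic signature check on
    each link is assumed to have passed already.
    """
    if purpose not in leaf.purposes:
        return False, [f"{leaf.subject}: not issued for {purpose}"]
    trail, cert, seen = [], leaf, set()
    while cert is not None:
        if cert.subject in seen:
            return False, trail + [f"{cert.subject}: issuer loop"]
        seen.add(cert.subject)
        if not cert.not_before <= now <= cert.not_after:
            return False, trail + [f"{cert.subject}: expired or not yet valid"]
        if cert.serial in revoked:
            return False, trail + [f"{cert.subject}: revoked"]
        if cert.subject == cert.issuer:  # self-signed: end of the chain
            trusted = cert.subject in trusted_roots
            verdict = "trusted root" if trusted else "root not in trust store"
            return trusted, trail + [f"{cert.subject}: {verdict}"]
        trail.append(f"{cert.subject}: ok, issued by {cert.issuer}")
        cert = known.get(cert.issuer)
    return False, trail + ["issuer certificate not found"]

# Constructed sample data (not real certificates).
def day(y, m=1, d=1):
    return datetime(y, m, d)

CODE, KERNEL = "code signing", "kernel driver signing"
BOTH = frozenset({CODE, KERNEL})
ROOT = Cert("Example Root CA", "Example Root CA", 1, day(2000), day(2040), BOTH)
CA = Cert("Example Issuing CA", "Example Root CA", 2, day(2010), day(2030), BOTH)
LEAF = Cert("Example Publisher Ltd", "Example Issuing CA", 3,
            day(2012), day(2013), frozenset({CODE}))
SELF = Cert("Example Test Cert", "Example Test Cert", 4,
            day(2012), day(2013), frozenset({CODE}))
KNOWN = {c.subject: c for c in (ROOT, CA, LEAF, SELF)}
ROOTS = frozenset({"Example Root CA"})  # the preinstalled trust store
NOW = day(2012, 6)

def demo():
    def ok(cert, roots=ROOTS, revoked=frozenset(), now=NOW, purpose=CODE):
        return validate(cert, KNOWN, roots, revoked, now, purpose)[0]
    return {
        "valid chain": ok(LEAF),
        "checked after expiry": ok(LEAF, now=day(2014)),
        "revoked, verifier has the list": ok(LEAF, revoked={3}),
        # An offline, unpatched verifier still holds the old (empty) list.
        "revoked, verifier list is stale": ok(LEAF, revoked=frozenset()),
        "used for a kernel driver": ok(LEAF, purpose=KERNEL),
        "self-signed, root not installed": ok(SELF),
        "self-signed, root installed": ok(SELF, roots=ROOTS | {SELF.subject}),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:34} {'accepted' if accepted else 'rejected'}")
```
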
