
To code-sign or not to code-sign installations, is that the question?



NewsArchive
06-29-2009, 12:08 AM
Repost from another thread:

Last week, one of our SetupBuilder customers contacted us because they had a
problem.

Background: they have a customer base of about 1,800 large companies.
Unbelievable but true, about 35% of their customers are running Vista or
better -- in other words, 35% of their user base are using a UAC-aware
operating system.

Suddenly and out of the blue, more and more of their installations did not
launch at all on some UAC-aware machines. Uninstall of already installed
applications did also not work on those machines.

It was not caused by SetupBuilder because the access denied happened before
the installation was even started. So they hired our Consulting to find out
what was going on.

The problem, as we suspected, was caused by the missing Authenticode
signature. Our customer "was" not a fan of code-signing certificates and
decided to not code-sign anything. And this missing code-sign signature
resulted in a support nightmare! Why? Well, security is important today
and an increasing number of companies enable the "Only Elevate Executables
that are Signed and Validated" group policy setting (especially after
attending a Microsoft Vista, 2008 or Windows 7 seminar).

When this "Only Elevate Executables that are Signed and Validated" option is
enabled, the group policy setting performs PKI signature checks against any
interactive application that requests elevation of privileges. If an
application is signed by a trusted publisher then the elevation of privilege
request is authorized. If the code is unsigned or is signed by a publisher
who you have not chosen to trust, then the elevation of privilege request is
denied.

We suggested to request a Comodo code-signing certificate (took 1 day) and
then code-sign the installer and uninstaller (took 10 seconds). Problem
solved!

Total cost to solve the problem: $200 for a 3-year Comodo certificate and
$12,000+ of internal support costs.

Using a UAC-aware and Win7-aware installation system (SetupBuilder 6.9 or
7.0) and code-signing is a must have today!

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

SetupBuilder is Windows installation -- "point. click. ship"

-- Official Comodo Code Signing and SSL Certificate Partner

NewsArchive
06-29-2009, 12:15 AM
I did not know such a feature was around. Good to know.

>Well, security is important today
> and an increasing number of companies enable the "Only Elevate Executables
> that are Signed and Validated" group policy setting (especially after
> attending a Microsoft Vista, 2008 or Windows 7 seminar).

--
Russell B. Eggen
www.radfusion.com
Clarion developers: www.radfusion.com/devs.htm

NewsArchive
06-29-2009, 12:40 AM
UAC actually has 10 different settings:
http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx

IIRC, the "home" versions of Vista don't include the SecPol.msc tool, but
you can still tweak the settings directly in the registry.

The setting to which Friedrich is referring is illustrated in the attached
pic.

Jane
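
A pre-flight check for the setting discussed above, as an added example that is not part of the original thread: it reads the registry value behind the policy (`ValidateAdminCodeSignatures`) and the file's Authenticode status. The script name and verdict strings are assumptions, and the publisher-trust side of the decision is not modelled.

```powershell
# Test-ElevationSigning.ps1 (hypothetical name) - added example, not from the thread.
# Reports whether "Only elevate executables that are signed and validated" is on
# and whether the given file carries a valid Authenticode signature.
param(
    [Parameter(Mandatory = $true)]
    [string] $Path          # installer or uninstaller to check
)

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'ValidateAdminCodeSignatures'

# Missing value or 0 = policy off (the default); 1 = policy on.
$value    = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$enforced = ($value -eq 1)

# Status is 'Valid' only when the file hash matches the signature and the
# certificate chain builds to a root this machine trusts.
$sig    = Get-AuthenticodeSignature -FilePath $Path -ErrorAction Stop
$signed = ($sig.Status -eq 'Valid')

if (-not $enforced) {
    $verdict = 'Policy off: elevation is not gated on the signature'
} elseif ($signed) {
    $verdict = 'Policy on: signature is valid'
} else {
    $verdict = 'Policy on: elevation will be refused for this file'
}

$signer = $null
if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

[pscustomobject]@{
    File            = $Path
    PolicyEnforced  = $enforced
    SignatureStatus = $sig.Status
    Signer          = $signer
    Timestamped     = [bool] $sig.TimeStamperCertificate
    Verdict         = $verdict
}
```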

NewsArchive
06-29-2009, 12:41 AM
Thanks. I just don't have time to go through all of the various tweaks and
settings MS makes available, especially now. Appreciate you doing this and
passing it along <g>.

--
Russell B. Eggen
www.radfusion.com
Clarion developers: www.radfusion.com/devs.htm

NewsArchive
06-29-2009, 12:42 AM
>Using a UAC-aware and Win7-aware installation system (SetupBuilder 6.9 or
>7.0) and code-signing is a must have today!

I avoided code signing for years but after getting a few complaints
from potential customers I decided to go for it.

It didn't produce any noticeable increase in sales but it stopped the
complaints.

Steve

--
Neural Planner Software Ltd www.NPSL1.com

NewsArchive
06-29-2009, 12:42 AM
Hi Friedrich

How do you handle a weekly build of your software and where your clients
have thousands of potential machines that run this software? Do they have
to run some sort of code signing thingie each time they get a new build?
Most of them have disabled the UAC feature for this reason. They also
deploy thousands of changes to their internal programs. Does a so-called
signed and validated argument persist with any version of executables
and/or dlls or do you have to re-sign each time any of these binaries
change?

Cheers
Andre

NewsArchive
06-29-2009, 12:43 AM
The developer runs the code-signing thingy, not the end-user.

For internal programs, you can create your own certification authority
(server to create code-signing certificates) and tell your domain computers
to honor its certificates.

Yes, you have to re-sign each time a binary changes. (Part of what signing
does is to guarantee that a binary hasn't been modified since it's been
signed).

Disabling UAC isn't a panacea. Unsigned downloads will still trigger a
warning (attached pic).
And disabled UAC can be a pain on a network. One of my clients has UAC
disabled on an Active Directory domain. Unfortunately, Vista still won't
allow printer driver installation without administrator credentials. And
with elevation disabled, that means for each computer the regular user has
to log off and an administrator has to log on to install the driver.

Jane

NewsArchive
06-29-2009, 12:46 AM
Hi Jane

That seems to make the function completely impractical where the development
environment is dynamic and dlls are changing every few minutes in some
cases. And this is probably why most users we have encountered have turned
off UAC. We have not had one of them complain that it is off. The benefit
of up to date software seems to far exceed whatever benefits they may be
getting by this additional security. The bottom line that is if some action
every time a binary changes then it is something else that can go wrong which
makes the software unusable for most users. How difficult is it for the
developer to run the code signing thingy and what can go wrong on the
workstation?

Cheers
Andre

NewsArchive
06-29-2009, 12:47 AM
Andre,

I would understand this if you are dealing with one client and everything is
handled internally. I've such a client myself. In such cases code signing
is not really needed (unless their admin turns on the feature to not execute
anything not code signed). I've also commercial products and I've no idea
who will purchase licenses ahead of time and what their IT departments do.
So code signing makes perfect sense there.

--
Russell B. Eggen
www.radfusion.com
Clarion developers: www.radfusion.com/devs.htm

NewsArchive
06-29-2009, 12:48 AM
Hey Jane,

Quick question...

In Friedrich's example he said that the certificate cost $200. Would I
have to pay that $200 every time I did a new build?

If so, I would have to make sure that build was a darn good one! :-)
(Should be doing that anyway huh? :-) )

Don

NewsArchive
06-29-2009, 12:49 AM
> Hey Jane,
>
> Quick question...
>
> In Friedrich's example he said that the certificate cost $200. Would I
> have to pay that $200 every time I did a new build?

Don,

Product Description - Comodo Code Signing Certificate, MFG - Comodo
Internet Link - http://www.lindersoft.com/order_codesigning.htm

That USD $200 purchase (when bought through the above order process) - gives
you a valid Comodo Code Signing Certificate that covers you for three years
- unlimited use - unlimited builds - during the three year timeframe.

Sign as many EXEs, Dlls, PAD files as you need during that three year
timeframe.

David

--
From David Troxell - Product Scope 7.8 - Encourager Software
Product Scope 7 Viewer - NO Registration Fee! Free to Use!
http://www.encouragersoftware.com/
Clarion Third Party Profile Exchange Online
http://encouragersoftware.com/profile/clarlinks.html
http://www.profileexchanges.com/blog/

NewsArchive
06-29-2009, 12:50 AM
Awesome! Thanks David.

Donald Ridley

NewsArchive
06-29-2009, 12:53 AM
Hi Andre,

> How do you handle a weekly build of your software and where your clients
> have thousands of potential machines that run this software? Do they have
> to run some sort of code signing thingie each time they get a new build?

You simply add "#code sign" action to your SB install and it does it
automatically when you build the install. You set it up once in SB and it
takes care of it:)

Best regards,

--
Arnór Baldvinsson - Icetips Alta LLC
Port Angeles, Washington
www.icetips.com - www.buildautomator.com

Icetips product subscriptions at http://www.icetips.com/subscribe.php

NewsArchive
06-29-2009, 12:54 AM
Hi Arnor

We only use SetupBuilder for initial installs. From then on we simply
update workstations from the latest binaries that lie on the server.
SetupBuilder is not used for that. How do you code sign in this case?

Cheers
Andre

NewsArchive
06-29-2009, 12:54 AM
Personally, for in-house apps that get copied to server folders rather than
being distributed using an installer I include a code-signing batch file in
my Clarion project and also link in the manifest file (pic).

My clarionmag articles (sub required) discuss creating such a code-signing
batch file. http://www.clarionmag.com/cmag/v8/v8n11signing2.html

To use a batch file, you need to convert your certificate to a PFX file. My
webinar article (free) explains that:
http://www.beachbunnysoftware.com/webinar/

Jane

NewsArchive
06-29-2009, 12:55 AM
Hi Andre,

> We only use SetupBuilder for initial installs. From then on we simply
> update workstations from the latest binaries that lie on the server.
> SetupBuilder is not used for that. How do you code sign in this case?

Create a script that code signs your binaries. Then just run the script
and all your binaries are signed. Check the "Skip if already code signed"
and it'll save some time.

I have several scripts that I run to code sign my in-house exes so that they
don't pop a warning on vista:) Only takes a few minutes and you're done.

The code signing is done locally, so it has _nothing_ to do with your
deployment. Our Build Automator (www.buildautomator.com) would be a perfect
tool to keep track of this - create the projects in SB that you need to code
sign your programs and then use a BA project to run the SB scripts:)

Best regards,

--
Arnór Baldvinsson - Icetips Alta LLC
Port Angeles, Washington
www.icetips.com - www.buildautomator.com

Icetips product subscriptions at http://www.icetips.com/subscribe.php
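
The signing pass described in the two posts above (Jane's batch file with a PFX, Arnór's script with "Skip if already code signed"), as an added example that is not the posters' own code: it uses PowerShell's built-in Authenticode cmdlets instead of their SetupBuilder or batch tooling. The script name and parameters are assumptions; the timestamp URL must come from your certificate provider.

```powershell
# Sign-Binaries.ps1 (hypothetical name) - added example, not from the thread.
param(
    [Parameter(Mandatory = $true)] [string] $BinDir,        # build output folder
    [Parameter(Mandatory = $true)] [string] $PfxPath,       # exported code-signing certificate
    [Parameter(Mandatory = $true)] [string] $TimestampUrl   # your CA's timestamp service
)

# Prompts for the PFX password if the file is protected, so no secret
# has to be written into the script.
$cert = Get-PfxCertificate -FilePath $PfxPath
if (-not $cert.HasPrivateKey) { throw "No private key in $PfxPath; cannot sign." }

$failed = @()
$files  = Get-ChildItem -Path $BinDir -Recurse -File -Include *.exe, *.dll

foreach ($file in $files) {
    $current = Get-AuthenticodeSignature -FilePath $file.FullName

    # "Skip if already code signed": only when the signature is valid and ours.
    if ($current.Status -eq 'Valid' -and
        $current.SignerCertificate.Thumbprint -eq $cert.Thumbprint) {
        Write-Host "skip    $($file.Name)"
        continue
    }

    # A rebuilt binary is a new file with no signature, so it is signed again.
    # The timestamp keeps the signature verifiable after the certificate expires.
    $result = Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $cert `
                  -TimestampServer $TimestampUrl -HashAlgorithm SHA256

    if ($result.Status -eq 'Valid') {
        Write-Host "signed  $($file.Name)"
    } else {
        $failed += $file.FullName
        Write-Warning "$($file.Name): $($result.StatusMessage)"
    }
}

# Fail the build rather than ship a binary that will be refused elevation.
if ($failed.Count -gt 0) {
    throw "Not validly signed: $($failed -join ', ')"
}
```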

NewsArchive
06-30-2009, 01:04 AM
Russ

I am not questioning the concept per se, just trying to find out how to get
these binaries onto the workstation and code signed without the user having
to do anything. The minute the user or IT guys have to lift a finger we see
problems and tediousness and a good reason to dump our product.

Cheers
Andre

NewsArchive
06-30-2009, 01:05 AM
Hi Jane

Thanks for that. Making more sense now.

Cheers
Andre

NewsArchive
06-30-2009, 01:05 AM
Hi Arnor

Now you are talking. The code signing can be done off site you say. Seems
I have missed something here. The binaries go with the stamp. Time to get
BA and update our license fee <vbg>.

Cheers
Andre

NewsArchive
06-30-2009, 01:06 AM
Hi André,

> Now you are talking. The code signing can be done off site you say. Seems

Yes, the code signing is done by you on your computer _before_ you actually
build an install. It is done directly on the exe (or dll).

It only takes a few seconds to codesign a bunch of files so I'd just create
a script to codesign each project (if you have multiple projects) in the
development folders on your machine. You could also use bat files to
codesign each app as it is compiled like Jane does.

Best regards,

--
Arnór Baldvinsson - Icetips Alta LLC
Port Angeles, Washington
www.icetips.com - www.buildautomator.com

Icetips product subscriptions at http://www.icetips.com/subscribe.php

NewsArchive
06-30-2009, 01:07 AM
Indeed.
After Arnor's webinar last Friday, I'm planning to dust off my unused copy
of BA to start playing with it.

Jane

NewsArchive
06-30-2009, 01:07 AM
Hi Andre,

> How do you handle a weekly build of your software and where your clients
> have thousands of potential machines that run this software? Do they have
> to run some sort of code signing thingie each time they get a new build?
> Most of them have disabled the UAC feature for this reason. They also
> deploy thousands of changes to their internal programs. Does a so-called
> signed and validated argument persist with any version of executables
> and/or dlls or do you have to re-sign each time any of these binaries
> change?

What Jane said. The software developer/publisher (YOU) handle code signing.
When you compile a new version of your .exe/.dll/.ocx, etc. then you
code-sign it.

SetupBuilder can handle all this for you. It can also check if a file is
already code-signed.

One of our customers develops and markets a very complex CAD system (70+
.exe and 400+ .dll). To test it in-house, they have a SetupBuilder .sb6
project script that does nothing else but code-signing their binary files.
The cool thing is that a nightly build does all this automatically. When
they come in in the morning, they have a freshly compiled and code-signed
test build (including a ready-to-ship install image).

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

SetupBuilder is installation -- "point. click. ship"

-- Official Comodo Code Signing and SSL Certificate Partner

NewsArchive
06-30-2009, 01:08 AM
Hi Friedrich

This is exactly what we had hoped. I have been barking up the wrong tree.
Thanks for the info Friedrich. Need to upgrade SetupBuilder.

Cheers
Andre

NewsArchive
06-30-2009, 01:09 AM
Hi Andre,

> This is exactly what we had hoped. I have been barking up the wrong tree.
> Thanks for the info Friedrich. Need to upgrade SetupBuilder.

You are very welcome. I am here to help.

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

SetupBuilder is installation -- "point. click. ship"

-- Official Comodo Code Signing and SSL Certificate Partner

NewsArchive
06-30-2009, 01:09 AM
Hi Friedrich,

> You are very welcome. I am here to help.

I thought you were supposed to be on vacation! <g>

Best regards,

--
Arnór Baldvinsson - Icetips Alta LLC
Port Angeles, Washington
www.icetips.com - www.buildautomator.com

Icetips product subscriptions at http://www.icetips.com/subscribe.php

NewsArchive
06-30-2009, 01:09 AM
>
> I thought you were supposed to be on vacation! <g>
>

In about 96 hours, I'll be lying on the beach <g>

Friedrich

NewsArchive
06-30-2009, 01:10 AM
Hi Friedrich,

> In about 96 hours, I'll be lying on the beach <g>

With or without the laptop?<g>

Best regards,

--
Arnór Baldvinsson - Icetips Alta LLC
Port Angeles, Washington
www.icetips.com - www.buildautomator.com

Icetips product subscriptions at http://www.icetips.com/subscribe.php

NewsArchive
06-30-2009, 01:10 AM
Arnór,

>
> With or without the laptop?<g>
>

<G> Without... ;-)

Friedrich

NewsArchive
07-01-2009, 01:34 AM
You say that like it's something new. America's #1 beach is only about 10
minute drive from my home office. <g>

--
Russell B. Eggen
www.radfusion.com
Clarion developers: www.radfusion.com/devs.htm

NewsArchive
07-01-2009, 01:34 AM
> You say that like it's something new. America's #1 beach is only about 10
> minute drive from my home office. <g>

<G> Very cool -- and how I envy you :)

Friedrich

NewsArchive
07-01-2009, 01:34 AM
I'd be more than happy to show it to you. Then we can both see it for the
first time <g>.

--
Russell B. Eggen
www.radfusion.com
Clarion developers: www.radfusion.com/devs.htm

NewsArchive
07-01-2009, 01:35 AM
> You say that like it's something new. America's #1 beach is only about 10
> minute drive from my home office. <g>

Indeed<g>

I lived across the bay in Tampa for years when I was in my 20's and had the
sailboats (Hobie Cats and monohulls), lean muscular body and awesome tan to
prove it.

Now I can tell by looking that I am older and live somewhere else<g>

:-)

Charles


--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
www.clarionproseries.com - "Get ProPath, make your Clarion programs ready
for Windows 7 and Vista!"
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.clarionproseries.com - "Serious tools for Clarion Developers"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms!"
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

NewsArchive
07-01-2009, 01:36 AM
What's that like? <vbg>

>
> Now I can tell by looking that I am older and live somewhere else<g>
--
Russell B. Eggen
www.radfusion.com
Clarion developers: www.radfusion.com/devs.htm

NewsArchive
07-01-2009, 01:37 AM
> What's that like? <vbg>

Stick around and you may find out<g>

:-)

Charles

