Code Sign and Trusted Root Certification Authorities



NewsArchive
10-24-2010, 07:22 AM
Hey Friedrich,

I'm making my own certificates with a Clarion Handy Tools utility. Is there
a way to use Setup Builder to add the certificate to the Trusted Root
Certification Authorities list?

Thanks,
Don

NewsArchive
10-24-2010, 07:22 AM
On your own computer or on the computers of your customers?

Jane Fleming

NewsArchive
10-24-2010, 07:23 AM
I guess I should have mentioned that...:-)

On the customer's computer.

Thanks!
Don

NewsArchive
10-24-2010, 07:25 AM
Hi Don,

> I'm making my own certificates with a Clarion Handy Tools utility. Is
> there a way to use Setup Builder to add the certificate to the Trusted
> Root Certification Authorities list?

I also watched Gus' video. NO! Windows and any other operating system do
not allow this. In fact, such a self-made certificate is completely
(COMPLETELY!!!) useless if you distribute your software to a wider public.
Yes, you can use it in-house and/or if you have only a few customers, no
problem. In such a case, you can instruct the users to add your certificate
to the Trusted Root Certification Authorities list. But if you have to
install to hundreds or even thousands of machines, such a self-made
certificate DOES NOT make any sense at all!

Anybody can create his own digital signature, but (by default) Windows only
"trusts" signatures that have been created by certain third parties
(Microsoft root certificate program members). For example, Comodo,
VeriSign, or Thawte.

If you send me one of your application files that is code-signed with your
own self-generated file, it will still report "Unknown User yada". That
means it is still treated as an "unsigned file" and Windows still displays
scary looking warnings when customers download or run it. And if the
UAC-aware operating system (Vista, Windows Server 2008, Windows 7, Windows
Server 2008 R2) has the "User Account Control: Only elevate executables that
are signed and validated" security policy enabled (quite a few companies are
doing this today), then your install can't be used at all.

So it makes a lot of sense to digitally sign your software with a trusted
(Microsoft root certificate program member) certificate if you are
distributing it.

My advice is: DO NOT use a "self-made" certificate if you distribute your
software to the public. This will definitely result in a support nightmare!

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

SetupBuilder is Windows 7 installation -- "point. click. ship"

-- Official Comodo Code Signing and SSL Certificate Partner
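The "Unknown Publisher" behaviour Friedrich describes can be checked on a test machine before shipping. The PowerShell script below is an added example, not code from the thread or from SetupBuilder; it reads an installer's Authenticode signature, reports the signer, and asks Windows to build the certificate chain so you can see whether it ends at a root in the machine's Trusted Root store. The file path is a placeholder, and the `$Path` parameter is an assumption.

```powershell
# Added example (not from the thread): inspect an installer's Authenticode
# signature and report whether Windows would treat the publisher as trusted.
# $Path is an assumed parameter; the default below is a placeholder, not a
# path from the thread.
param(
    [string]$Path = 'C:\placeholder\setup.exe'
)

$sig = Get-AuthenticodeSignature -FilePath $Path

# Status is NotSigned for an unsigned file, Valid when the chain ends at a
# trusted root, and NotTrusted/UnknownError for a self-made certificate.
Write-Output ("Signature status : {0}" -f $sig.Status)
Write-Output ("Status message   : {0}" -f $sig.StatusMessage)

if ($sig.SignerCertificate) {
    $cert = $sig.SignerCertificate
    Write-Output ("Signer subject   : {0}" -f $cert.Subject)
    Write-Output ("Signer issuer    : {0}" -f $cert.Issuer)

    # A self-made certificate is normally self-signed: issuer equals subject,
    # so there is no third party for Windows to trust.
    if ($cert.Subject -eq $cert.Issuer) {
        Write-Output "Certificate is self-signed; it cannot chain to a trusted root."
    }

    # Build the chain the way Windows does on this machine. Revocation is
    # skipped here because the point is trust, not revocation status.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $builds = $chain.Build($cert)
    Write-Output ("Chain builds to a trusted root: {0}" -f $builds)

    foreach ($st in $chain.ChainStatus) {
        # e.g. UntrustedRoot, PartialChain, NotTimeValid
        Write-Output ("  chain status   : {0} - {1}" -f $st.Status, $st.StatusInformation.Trim())
    }

    if ($chain.ChainElements.Count -gt 0) {
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        Write-Output ("Top of chain     : {0}" -f $top.Subject)
    }

    if ($sig.TimeStamperCertificate) {
        Write-Output ("Timestamped by   : {0}" -f $sig.TimeStamperCertificate.Subject)
    }
}
```

Run it on a clean virtual machine that has never had your own root installed; that is the view your customers get. A `Valid` status with an `UntrustedRoot` chain status on your development box means the signature only works because you added your own root locally.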

NewsArchive
10-25-2010, 12:44 AM
> My advice is: DO NOT use a "self-made" certificate if you distribute your
> software to the public. This will definitely result in a support nightmare!

Not to mention that the DEVELOPER's support costs will FAR outweigh the
cost of buying a REAL certificate.

PLUS all the lost sales from anyone who downloads a copy of your app to try
out and decides to pass on even looking at it based on the scary warning.

Developers should just buy the three year certificate via the Lindersoft
deal and be done with it.

Charles


--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
www.clarionproseries.com - "Get ProPath, make your Clarion programs ready
for Windows 7 and Vista!"
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.clarionproseries.com - "Serious tools for Clarion Developers"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms!"
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

NewsArchive
10-25-2010, 12:44 AM
Thanks for the information. When I'm ready I'll use the Comodo deal.

Don.

NewsArchive
10-25-2010, 12:45 AM
Don,

>
> Thanks for the information. When I'm ready I'll use the Comodo deal.
>

And if you don't want to create your own certificate, Ascertia generates
FREE code-signing certificates for you. You can even use a fake name and
email address to get access.

http://www.ascertia.com/OnlineCA/default.aspx

Then download and install their Root CA Certificate and you can test the
code-signing process:

http://www.ascertia.com/OnlineCA/CAcert.aspx

IMPORTANT: Uninstall the Ascertia Root CA Certificate after you have
finished your tests!

The attached screenshot shows a code-signing certificate I created and
received for "Microssoft" (note the extra "s"). If somebody installed the
Ascertia Root CA Certificate and timestamped an application code-signed with
this fake certificate then Windows would display "Microssoft" as a "trusted"
vendor. VERY BAD! In fact, you can even create such a certificate for
"Microsoft" if you want.

So my advice is to NEVER EVER install such a Root CA Certificate to the
Trusted Root Certification Authorities list.

WebTrust companies (Comodo, VeriSign, etc.) do an intensive identity
verification before they issue a trusted code-signing certificate (which
works on all Windows machines without having to install a Root Certificate).

And DO NOT buy anything from Ascertia because they are not a Microsoft root
certificate program member. The Ascertia Root Certificate Authority is not
pre-initialized and so it's completely worthless.

All this demonstrates how useless a certificate is that is not from a
Microsoft root certificate program member (if you have to deploy your apps
to a wider public). I say this because eight developers e-mailed me with a
similar question after watching Gus' video.

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

SetupBuilder is Windows 7 installation -- "point. click. ship"

-- Official Comodo Code Signing and SSL Certificate Partner
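The "Microssoft" certificate illustrates why a root added for testing is a risk: every certificate that CA issues becomes "trusted" on that machine. The following PowerShell script is an added example, not from the thread or from any vendor; it compares the Trusted Root stores of the machine and the current user against a baseline of thumbprints captured on a known-good machine and lists any root that was added later. The baseline file name, its one-thumbprint-per-line format and both parameters are assumptions.

```powershell
# Added example (not from the thread): find roots in the Trusted Root stores
# that are not in a baseline captured from a known-good machine. The baseline
# path, its format (one SHA-1 thumbprint per line) and both parameters are
# assumptions; the certificate store paths are the real Windows store names.
param(
    [string]$BaselinePath = '.\trusted-roots-baseline.txt',
    [switch]$WriteBaseline   # capture the current stores as the baseline
)

# Per-user roots count too: a test root installed for one user is honoured
# when that user runs signed code.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$roots = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Thumbprint = $_.Thumbprint.ToUpperInvariant()
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
        }
    }
}

if ($WriteBaseline) {
    $unique = $roots.Thumbprint | Sort-Object -Unique
    $unique | Set-Content -Path $BaselinePath
    Write-Output ("Wrote {0} thumbprints to {1}" -f $unique.Count, $BaselinePath)
    return
}

$baseline = Get-Content -Path $BaselinePath |
    ForEach-Object { $_.Trim().ToUpperInvariant() } |
    Where-Object { $_ }

$extra = $roots | Where-Object { $baseline -notcontains $_.Thumbprint }

if (-not $extra) {
    Write-Output "No roots outside the baseline."
} else {
    Write-Output "Roots present but NOT in the baseline (each one makes every certificate it issued look trusted):"
    $extra | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize
}
```

Capture the baseline once with `-WriteBaseline` on a freshly installed machine, then run the script without the switch after testing; a root such as the Ascertia test CA shows up in the "not in the baseline" list until it is removed.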

NewsArchive
10-25-2010, 12:46 AM
Thank you for the detailed information.

Don

NewsArchive
10-25-2010, 12:47 AM
I'm coming back as a Certificate provider. Guaranteed income for life and it
just keeps growing. What a great business model! Sounds like a monopoly to
me.
Nev