PDA

View Full Version : OT: Code signing



NewsArchive
03-13-2013, 01:27 AM
Hi Friedrich,

I have been installing and testing all sorts of programs in the past few
weeks and one thing has caught my attention:

A LOT of installers are NOT codesigned and not even manifested! BTW none of
those were created with SB as far as I can tell and one (new) looked
suspiciously like the old Wise installer. So I got curious about why the
heck big software companies don't code sign their installs. I'm a very
small fish in that pond and all MY installs are codesigned;)

Any idea why this is so?

Best regards,

--
Arnór Baldvinsson - Icetips Alta LLC
Port Angeles, Washington
www.icetips.com - www.buildautomator.com - www.altawebworks.com
Icetips product subscriptions at http://www.icetips.com/subscribe.php

NewsArchive
03-13-2013, 01:28 AM
> Hi Friedrich,
>
> I have been installing and testing all sorts of programs in the past few
> weeks and one thing has caught my attention:
>
> A LOT of installers are NOT codesigned and not even manifested! BTW none of
> those were created with SB as far as I can tell and one (new) looked
> suspiciously like the old Wise installer. So I got curious about why the
> heck big software companies don't code sign their installs. I'm a very
> small fish in that pond and all MY installs are codesigned;)
>
> Any idea why this is so?

Obviously your smarter than they are!

:-)

Charles


--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
www.clarionproseries.com - ProScan, ProImage, ProPath and other Clarion
developer tools!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

NewsArchive
03-13-2013, 01:29 AM
Hi Charles,

>> heck big software companies don't code sign their installs. I'm a very
>> small fish in that pond and all MY installs are codesigned;)
>>
>> Any idea why this is so?
>
> Obviously your smarter than they are!

Of course<g>

Well, the thing is if _I_ can do it, there is not much excuse for companies
that have millions or tens of millions of dollars in annual revenue not to
do it. Even if they go with the expensive options on the code sign
certificate market. Just doesn't make sense to me to install software that
sells for hundreds and you get "Unknown publisher" In this day and age that
just doesn't look professional.

Best regards,

--
Arnór Baldvinsson - Icetips Alta LLC
Port Angeles, Washington
www.icetips.com - www.buildautomator.com - www.altawebworks.com
Icetips product subscriptions at http://www.icetips.com/subscribe.php

NewsArchive
03-13-2013, 01:29 AM
>> Obviously your smarter than they are!
>
> Of course<g>
>
> Well, the thing is if _I_ can do it, there is not much excuse for companies
> that have millions or tens of millions of dollars in annual revenue not to
> do it. Even if they go with the expensive options on the code sign
> certificate market. Just doesn't make sense to me to install software that
> sells for hundreds and you get "Unknown publisher" In this day and age that
> just doesn't look professional.

I agree 100%.

When I see that I shake my head just as I do when I see some developer
wailing and moaning because tighter security in Windows Vista onward has
started to force them to place their files and data where Microsoft
instructed them to place it what ... 25 year ago?

It is just not that hard to play by the rules and there really is no excuse
for it (especially in this day and age).

The funny thing is that everyone decries Microsoft for it, but if they were
developing for Unix/Linux they would have had to have been playing by the
rules that promote system security all along.

:-)

Charles


--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
www.clarionproseries.com - ProScan, ProImage, ProPath and other Clarion
developer tools!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

NewsArchive
03-13-2013, 01:31 AM
Hi Arnor

>So I got curious about why the
>heck big software companies don't code sign their installs.

I think that some "big software companies" are not really what they say.

Take Avanquest for example. I think they operate mainly as selling agents for small
individual or small software companies and they are the ones who are not signing their
installers.

If it comes from Avanquest, I try and take another path. Years ago I used "PowerDesk
Pro" from them. I found a bug, and reported it about 10 times to 10 different areas.
It never got resolved.

So, my take is some "big SW" companies don't code-sign because they don't really want
to be responsible for someone else's work.

I use Avanquest here only as an example. There are others.....

JohnG

NewsArchive
03-13-2013, 01:32 AM
> I think that some "big software companies" are not really what they say.

But it is the Internet!

You know they can't put anything on the Internet that is not true<g>.

(where did you hear that?)

(on the Internet of course!)

:-)

Charles


--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
www.clarionproseries.com - ProScan, ProImage, ProPath and other Clarion
developer tools!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

NewsArchive
03-13-2013, 01:54 AM
Yep, I know many people who believe the internet and what they read in the Sunday
newspaper!

John

NewsArchive
03-13-2013, 02:28 AM
Arnor,

in addition to what John and Charles said, my experience over the past decade
ist that big companies are more busy with themself rather than focussing on
their products.

They think in "Cost Center", not in "Opportunities" or even in "what the
enduser wants / needs".

The bigger, the ponderous.

Just my experience
Wolfgang

NewsArchive
03-13-2013, 02:29 AM
Hi Arnór,

> I have been installing and testing all sorts of programs in the
> past few weeks and one thing has caught my attention:
>
> A LOT of installers are NOT codesigned and not even manifested!
> BTW none of those were created with SB as far as I can tell and
> one (new) looked suspiciously like the old Wise installer. So
> I got curious about why the heck big software companies don't
> code sign their installs. I'm a very small fish in that pond
> and all MY installs are codesigned;)
>
> Any idea why this is so?

Yes, I know why this is so <g>. Because they have *ABSOLUTELY* no clue what
they are doing and they do not care about their customers at all.

First of all, a non-manifested setup program is really a very bad thing.
>95% of all setups default to the "Program Files" folder tree and write to
the HKEY_LOCAL_MACHINE registry. For example, files have to be installed to
a sub-folder under "Program Files" and the System folder, OCX files have to
be registered, uninstall entries to be created, file extensions to be made,
services to be installed and started, etc. The setup application requires
administrative access to the system to write to the protected Windows areas.
But a non-manifested "legacy" application can't request those privileges.
As a result, the write actions do not fail because file system / registry
"virtualization" kicks in, and the hell breaks loose. After that, you'll
find all the "per-machine" write actions in the "per-user" VirtualStore.

And the best is, the software vendor does not have control over this process
because many other factors come into play. For example, if the setup
program is non-manifested and its filename includes keywords like "install,"
"setup," "update," etc. (setup_mycoolapp_v200.exe) and the "User Account
Control: Detect application installations..." is enabled then Windows
"Installer Detection" kicks in and automatically elevates the setup. BTW,
uninstall might not work because it also needs administrator execution level
privileges. Or what if the customer renames "setup_mycoolapp_v200.exe" to
"mycoolapp_v200.exe"? Yes, the legacy mode installer detection does not
elevate the very same install any longer.

The code-signature is another story. It's the first thing that a
"protection software" checks. If an application file is not code-signed
then it is a very good candidate for a false-positive trigger. The more
customers you have the more likely is a false-positive in this case. A
code-signed setup can definitely reduce security warnings and
false-positives. And if the "User Account Control: Only elevate executables
that are signed and validated" security policy is enabled then it's not even
possible to do a machine-wide install at all without a proper
code-signature. A digital signatures contain proof of content integrity so
that your application cannot be altered and distributed with unapproved
changes. If the code-signature is invalid, users experience a security
warning; this can protect you and your customers.

In short, a non-manifested and not code-signed setup is the perfect
candidate for a support nightmare.

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

--Helping You Build Better Installations
--SetupBuilder "point. click. ship"
--Create Windows 8 ready installations in minutes
--Official Comodo Code Signing and SSL Certificate Partner

NewsArchive
03-13-2013, 07:59 AM
"The problem with the internet is that you never know which quotes are
real." - Thomas Jefferson

--

Russ Eggen
RADFusion International, LLC

NewsArchive
03-13-2013, 10:39 AM
Hi John,

> I think that some "big software companies" are not really what they say.
>
> Take Avanquest for example. I think they operate mainly as selling agents for small
> individual or small software companies and they are the ones who are not signing their
> installers.

In this case it doesn't really apply - to my knowledge. Yesterday I was
trying out 3 software packages. All are from companies that produce and
sell just one product and have sold it for years. One was not code signed,
one was not code signed and not manifested, the third one was both. Those
are all US companies.

Best regards,

--
Arnór Baldvinsson - Icetips Alta LLC
Port Angeles, Washington
www.icetips.com - www.buildautomator.com - www.altawebworks.com
Icetips product subscriptions at http://www.icetips.com/subscribe.php

NewsArchive
03-13-2013, 11:46 AM
Hi Friedrich,

> In short, a non-manifested and not code-signed setup is the perfect
> candidate for a support nightmare.

Thanks for your insights! Very interesting! I plan on reporting those
issues to the vendors - then at least they can't claim ignorance - not to me
anyway<g>

Best regards,

--
Arnór Baldvinsson - Icetips Alta LLC
Port Angeles, Washington
www.icetips.com - www.buildautomator.com - www.altawebworks.com
Icetips product subscriptions at http://www.icetips.com/subscribe.php

NewsArchive
03-13-2013, 11:47 AM
Hi Arnór,

>> In short, a non-manifested and not code-signed setup is the perfect
>> candidate for a support nightmare.
>
> Thanks for your insights! Very interesting! I plan on reporting
> those issues to the vendors - then at least they can't claim
> ignorance - not to me anyway<g>

<G> ;-)

Friedrich

NewsArchive
03-14-2013, 01:15 AM
G'day Arnor

Understood. They should be codesigned at least...
If when you bring this to those companies attention, and you get a response, then I
guess it will be that they are just ignorant of the implications.

Hopefully you can enlighten them and have them brought up-to-date. Oh, and tell them
about SetupBuilder <G>

John