PDA

View Full Version : Code signing again.....



NewsArchive
03-24-2005, 10:45 AM
[Tuesday, March 22, 2005 5:31 PM]

Before I install 25MB of junk to get one small utility, I thought I would
ask here.

I have purchased a Comodo CSC, included the info in SB5 and all went well
during the build of my SB5 install, or so it would appear. As a quick test I
uploaded my install to my server and attempted a download. I still get the
Security warning from my browser.

I am clueless where to begin looking and any help will be greatly
appreciated.

Lee

NewsArchive
03-24-2005, 10:45 AM
[Tuesday, March 22, 2005 5:34 PM]

Lee,

Could you please upload a screenshot? If you see your company name in the
"warning" then everything is OK.

Friedrich

--
Friedrich Linder
CEO, Lindersoft
www.lindersoft.com
1.954.252.3910

NewsArchive
03-24-2005, 10:45 AM
[Tuesday, March 22, 2005 6:53 PM]

Friedrich,

I know you are working hard on your docs, so I would like to ask if you
could work a little harder <g>. Let me explain.

At the moment, all my install projects deal with installing source code and
docs for them. I don't have any projects coming that deal with installing
programs (mainly because I build them on client sites or security
certificates are not applicable).

But I can envision a time where I want to do something like this. I think
it is a mark of good quality where a vendor signs the install. I think what
Lee is asking about (correct me if I am wrong) is a step-by-step method of
installing this. I get the impression this is the first time he's done so.

Coming full circle, perhaps your docs would explain how to install a given
certificate (or even in general terms if the various vendors are too varied)
as part of a SB5 project? Do patches or web updates need certificates too?

The viewpoint of this doc section should be from someone who has never done
this before. Why sign it? What are the advantages? What's the purpose?
What could happen if you don't?

Hope that makes sense.
--
Russ Eggen
www.radfusion.com

NewsArchive
03-24-2005, 10:46 AM
[Tuesday, March 22, 2005 7:24 PM]

On 22 Mar 2005 12:53:10 -0500, Russell B. Eggen wrote:

> The viewpoint of this doc section should be from someone who has never done
> this before.

Absolutely.

Now, imagine the same type of approach in the CW docs, say for template
writing, or multi-dll class writing. Holy cow, Im off topic:)

--

Mark

NewsArchive
03-24-2005, 10:46 AM
[Tuesday, March 22, 2005 8:37 PM]

There are tutorials that explain those concepts <bg>

--
Russ Eggen
www.radfusion.com

NewsArchive
03-24-2005, 10:46 AM
[Tuesday, March 22, 2005 8:49 PM]

On 22 Mar 2005 14:37:56 -0500, Russell B. Eggen wrote:

> There are tutorials that explain those concepts <bg>

Certainly, but not in the terms you described, ie: "someone who has never
done this before".

Ive walked that path, somewhat stumbling along, as you know. Your book
helps a lot, but as we saw here in the NG some months ago, even it didnt
get me there.

IMO, there isnt one document or combination of SV/3rd party documents
anywhere that describes in detail each of the steps that is necessary for
Joe Newbie to take in order to write a class from scratch and successfully
link it into both a single exe and multi-dll app, with hand code and
(preferably) with a template.

And yes, I have asked for this in the suggestions or documentation NG, I
dont recall which:)
--

Mark

NewsArchive
03-24-2005, 10:47 AM
[Tuesday, March 22, 2005 9:05 PM]

That's a tall order. There has to be some level of assumption here in that
regard and everyone is different. If I could do that so you would get it
easily all the way up the line, there are others that would tell me that it
would have made more sense if I said <whatever>. Have to appeal the most
generalized. Students are not absolved of all work <bg>.

I'm even going over my educational materials and filling in sections with
words to the effect of "The goal of this section is to get the reader able
to produce <product>. This is an important concept because <reason why
anyone would want to do this>"

If you give a student a purpose and goal, then their curiosity about how
that is done is the energy to propel them through the lesson. If there is
no goal or purpose why a topic is valuable, or what benefits it provides,
then a student is going to struggle at best.

And if a student never gives feedback or specifics as to what is wrong with
the materials, not much chance of them ever evolving, let alone improving.
I can think of one certain individual who is famous (or infamous) for that
<bg>. It is not you, Mark. ;-)
--
Russ Eggen
www.radfusion.com

NewsArchive
03-24-2005, 10:47 AM
[Tuesday, March 22, 2005 9:27 PM]

On 22 Mar 2005 15:05:45 -0500, Russell B. Eggen wrote:

> That's a tall order.

No argument there.

Look back over the threads both here and in the kitchen at all the
responses I got that said something to the effect of "oh, well you just
have to know that", or "So and so said 'do this' and it worked, so I moved
on", or similar, as it related to things like what template code tells the
main exe to define/find the exported class/method and ditto for the main
dll.

IMO, there were far too many "black magic" responses for me to accept that
this is properly documented. As you know, I had to get example code from a
number of different people, rather than consulting the CW docs.

When I asked those people (whom I am in debt to, pass the TDog) where they
found out what they needed to write that code, the replies were often in
that black magic zone.

I actually had hoped to write a cmag article to expose the magic that I had
squeezed out of the docs and those helpful folks. Instead, I ended up with
a pile of tempate code that Im not sure anyone can explain<g>. At least it
works, but the newbie might not have/take the time to harass just the right
people to get those answers, or may not know who to harass. I just got
lucky<g>

--

Mark

NewsArchive
03-24-2005, 10:48 AM
[Tuesday, March 22, 2005 9:59 PM]

Please promise me if you get material like that from me, you will grab me by
the scruff of the neck and not let go until you understand the data (meaning
you can apply the theory in practice). Same goes for anyone else.

I would want those teaching me things to extend the same courtesy to me as a
student. Thus, the point of my suggestion on this thread (to get it back on
topic <g>).

I'm just one of the few that is fearless to ask stupid questions <vbg>.
--
Russ Eggen
www.radfusion.com

NewsArchive
03-24-2005, 10:48 AM
[Tuesday, March 22, 2005 10:07 PM]

On 22 Mar 2005 15:59:36 -0500, Russell B. Eggen wrote:

> Please promise me if you get material like that from me, you will grab me by
> the scruff of the neck and not let go until you understand the data (meaning
> you can apply the theory in practice). Same goes for anyone else.
>
> I would want those teaching me things to extend the same courtesy to me as a
> student. Thus, the point of my suggestion on this thread (to get it back on
> topic <g>).
>
> I'm just one of the few that is fearless to ask stupid questions <vbg>.

Sorry, I should have stated that. The black magic material didnt come from
you, but I should also say that I was darned glad to get it and to this day
I appreciate it and the efforts of those who helped me deal with it.

Ill remember that scruff opportunity<seg>
--

Mark

NewsArchive
03-24-2005, 10:49 AM
[Thursday, March 24, 2005 3:26 AM]

HEAR, HEAR!!!!!

Ben Morehouse

NewsArchive
03-24-2005, 10:50 AM
[Tuesday, March 22, 2005 8:01 PM]

Russell B. Eggen wrote:
> Friedrich,
>
> I know you are working hard on your docs, so I would like to ask if
> you could work a little harder <g>. Let me explain.
>
> At the moment, all my install projects deal with installing source
> code and docs for them. I don't have any projects coming that deal
> with installing programs (mainly because I build them on client sites
> or security certificates are not applicable).

If you are creating an install it is still going to be an EXE file and
having it signed should suggest "Peace Of Mind" for the recipient of the
download. I know it would ease my mind to know it is what I expect from you
and not altered in any way.


>
> But I can envision a time where I want to do something like this. I
> think it is a mark of good quality where a vendor signs the install.
> I think what Lee is asking about (correct me if I am wrong) is a
> step-by-step method of installing this. I get the impression this is
> the first time he's done so.

Actually Russ, at first look, it doesn't seem too dificult to set up the
code signing within SB5. It seems to be pretty straight forward and of
course Friedrich, as always, has taken most of the pain out of the process.
As I said in an earlier post, it seemed like everything went well. I was
asked for my certficate password during the build, it was accepted and the
install created.

Being a *complete* novice at all this, I just don't know where to turn for
answers. Did the certificate fail? Did the code sign fail within SB5? Is
there something wrong with my browser setup ( IE 6 )?

Perhaps Friedrich can figure out a way to test it within SB5 after the
install is created???? Uploading large files to the server to test the
download multiple times is time consuming and consumes a lot of bandwith.

In IE, if I click on Tools > Internet Options > Content > Certificates, I
see my certificate listed under the "Personal" tab. I really don't know what
that means to me so I just thought I woulf throw that out.

BOTTOM LINE: After createing a code signed install within SB5 I still
receive the warning when attempting to download.

You are absolutely correct though, and I know it is forth coming,
documentation would be a great help.

>
> Coming full circle, perhaps your docs would explain how to install a
> given certificate (or even in general terms if the various vendors
> are too varied) as part of a SB5 project? Do patches or web updates
> need certificates too?
>
> The viewpoint of this doc section should be from someone who has
> never done this before. Why sign it? What are the advantages?
> What's the purpose? What could happen if you don't?


Excellent thoughts Russ.


>
> Hope that makes sense.

It sure did to me....<g>

NewsArchive
03-24-2005, 10:51 AM
[Wednesday, March 23, 2005 2:16 PM]

Russ,

:)

Windows XP Service Pack 2 "enhances" the security by tracking files that
have been downloaded from the web and that could potentially harm your
computer by running or installing malicious programs. Windows checks
that those programs have a digital signature attached.

Digital signatures verify the authenticity of software and contain
information about the publisher of the software. If a digital signature
is not found on a piece of software, a "This publisher could not be
verified. Are you sure you want to run this software" dialog box appears.

The text at the bottom of the dialog box indicates that publisher
information could not be found, and the Publisher field is listed as Unknown
Publisher. Even without a digital signature, users are able to click the
Run button to confirm they want to install the software. The installation
will proceed as normal. But IMO, such a "bad" message confuses your
customers. Hmm, the publisher could not be verified? What's the problem
with my software vendor?

BTW, I think this is an interesting reading with regards to code signing:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsmarttag/html/odc_dcss.asp

But the SB5 compiler does all the dirty work. You only have to add your
certificate files and SB5 code signes the setup.exe for you.

Thanks,
Friedrich

Friedrich Linder
CEO, Lindersoft
www.lindersoft.com
1.954.252.3910

NewsArchive
03-24-2005, 10:51 AM
[Wednesday, March 23, 2005 5:01 PM]

Thank you Friedrich. I understand the issues from a user point of view and
some enter into a full stop panic when they see a simple MESSAGE() statement
<bg>

I was just trying to get a better understanding of how to sign my install as
I've never done that before. At the moment my installs are aimed at a
public that know me and even with them it (signing) would certainly make
them more comfortable running it.

--
Russ Eggen
www.radfusion.com

NewsArchive
03-24-2005, 10:51 AM
[Wednesday, March 23, 2005 5:16 PM]

Hi Russ,

<g>

You only need a (Comodo) certificate. They (Comodo) send you a Credentials
File (.spc) and a Private Key File (.pvk) is generated when you buy the
certificate.

You only have to add the .spc and .pvk file in the SB5 "Digital Signature
Tab" (General Information dialog) and the setup compiler will do the dirty
work for you ;-)

Friedrich

NewsArchive
03-24-2005, 10:52 AM
[Tuesday, March 22, 2005 7:37 PM]

Friedrich,

Here is what I see when attempting a download.

Everything appeared to go smoothly and correctly when the install was
created in SB5.

Thanks for looking at it.

Lee

NewsArchive
03-24-2005, 10:52 AM
[Tuesday, March 22, 2005 8:40 PM]

Lee,

That looks proper. The warning is about to run an EXE, signed or not. If
not signed, you would have seen a stronger warning. Try an version where it
is not signed and you will see what I mean.

--
Russ Eggen
www.radfusion.com

NewsArchive
03-24-2005, 11:13 AM
[Tuesday, March 22, 2005 9:19 PM]

Russ,

From everything I've read and seen would suggest otherwise. The whole
purpose of the exercise is to assure the user the exe is safe and a message
to that affect should be displayed identifying the certficate used to sign
the code.

I could be wrong....

Lee

NewsArchive
03-24-2005, 11:14 AM
[Tuesday, March 22, 2005 9:42 PM]

>Russ,
>
>From everything I've read and seen would suggest otherwise. The whole
>purpose of the exercise is to assure the user the exe is safe and a message
>to that affect should be displayed identifying the certficate used to sign
>the code.

Lee,

Just for fun I downloaded your program from an XP box and compared IE's
behavior with a download from MSDN. As best I can tell, Russ is correct. It
seems MS has removed the display of additional information for signed
downloads from IE's UI. I think that sucks, but I know MS is always correct.

I also had a look at your exe properties on XP. They are just fine. So that
means that IE 6 on XP has a newer root certificate store than IE 6 on 2K,
which I was using earlier. That seems to be confirmed at InstantSSL. Have a
look at the last paragraph at
http://instantssl.com/code-signing/code-signing-faq.html?currency=USD&region=North%20America&country=US

The last bit there is a link to an MS exe to update the root cert store on 2K
and earlier.

That whole thing is not InstantSSL/Comodo's fault, but you need to consider
that using their cert there will be a large number of machines with either
older an OS, or an older IE that will not have newer root certs and will
therefore not see your exe as signed with a valid cert.

FWIW, this is exactly why I stopped signing code. Prior to their acquisition
by Veri$ign, I used Thawte certs on the servers and for code signing. No root
cert issues there. Once they were borged by Veri$ign and their prices became
unreasonable and uncompetitive, I gave up on code signing.

--
Best regards,

Mark

NewsArchive
03-24-2005, 11:14 AM
[Tuesday, March 22, 2005 10:01 PM]

Mark,

I do admit the dialog does appear different, just can't put my finger on it.
Is that what you are seeing?

If I recall correctly, the owner of the cert is usually bold with an icon.
I may be confusing two issues, feel free to straighten me out. ;-)
--
Russ Eggen
www.radfusion.com

NewsArchive
03-24-2005, 11:15 AM
[Tuesday, March 22, 2005 10:18 PM]

>Mark,
>
>I do admit the dialog does appear different, just can't put my finger on it.
>Is that what you are seeing?
>
>If I recall correctly, the owner of the cert is usually bold with an icon.
>I may be confusing two issues, feel free to straighten me out. ;-)

Russ,

On XP I saw exactly what Lee posted, and what I assume you saw. To clarify,
I'm referring to the first dialog IE presents when a download is about to
begin. It's a dialog with no publisher information for a signed download.
Again, I got the same thing when downloading a signed exe from MSDN on XP. So
I drew the conclusion that IE on XP removed the published information.

The behavior to which you refer where the owner is displayed has been the IE
UI for signed downloads for quite a long time, and is how it behaves on 2K.

The screen shots on InstantSSL's site,
http://instantssl.com/code-signing/code-signing-technical.html?currency=USD&region=North%20America&country=US,
show these (now) older dialogs.

Hell, XP has such goofy default behaviors that I have no idea if the absence
of publisher information on a signed download is not my failure to spend
three hours finding some obscure setting to turn off some "simple UI for the
simple minded" option. :{

The really sad thing is that the only real benefit of code signing for the
average end-user is that IE displays a different dialog has apparently been
eliminated in XP. No one can see what I saw in XP and have any clue that the
publisher has made any effort whatsoever to insure some level of integrity of
their downloads. That really bites.

--
Best regards,

Mark

NewsArchive
03-24-2005, 11:15 AM
[Tuesday, March 22, 2005 11:19 PM]

Mark,

You have hit the nail on the head. What good is signing your code if no one
is going to see it?

Oh well, lesson learned, I guess. It could have just easily been $400.00
plus if I had chosen VeriSign to sign the code and end up with the same
results.

I think Arnor and Friedrich are both using Comodo. I may have to send Arnor
an Email asking if he is encountering the same issue if he did indeed buy
the same thing. If Friedrich is listening hopefully he will have some
comments to add to this discussion as I'm pretty certain he uses the Comodo
stuff as well.

The whole idea of not allowing the certificate to be displayed *really
sucks*.

Thanks again for help Mark.

Lee

NewsArchive
03-24-2005, 11:16 AM
[Tuesday, March 22, 2005 11:28 PM]

>Mark,
>
>You have hit the nail on the head. What good is signing your code if no one
>is going to see it?
>
>Oh well, lesson learned, I guess. It could have just easily been $400.00
>plus if I had chosen VeriSign to sign the code and end up with the same
>results.
>
>I think Arnor and Friedrich are both using Comodo. I may have to send Arnor
>an Email asking if he is encountering the same issue if he did indeed buy
>the same thing. If Friedrich is listening hopefully he will have some
>comments to add to this discussion as I'm pretty certain he uses the Comodo
>stuff as well.
>
>The whole idea of not allowing the certificate to be displayed *really
>sucks*.
>
>Thanks again for help Mark.

Lee,

Glad to help, but today I learned from your experience. I hadn't done it
yet, but I was considering code signing again. I thought all this root cert
nonsense was behind us.

I haven't found a good option yet. Veri$ign and Thawte aren't reasonable, and
InstantSSL has its issues. I have been both using and re-selling GeoTrust
certs successfully on the server end for some time. While GeoTrust has a
widely and historically distributed root cert, making them an ideal
reasonabily priced option for servers, their code signing is not the
Authenticode stuff we need.

Oh well...

--
Best regards,

Mark

NewsArchive
03-24-2005, 11:17 AM
[Tuesday, March 22, 2005 7:23 PM]

>Before I install 25MB of junk to get one small utility, I thought I would
>ask here.
>
>I have purchased a Comodo CSC, included the info in SB5 and all went well
>during the build of my SB5 install, or so it would appear. As a quick test I
>uploaded my install to my server and attempted a download. I still get the
>Security warning from my browser.
>
>I am clueless where to begin looking and any help will be greatly
>appreciated.

Lee,

While Friedrich is sleeping, assuming he actually does that, perhaps this
will help.

Signed, or unsigned, IE will always display a dialog titled "Security
Warning". The dialog content is different with a signed download, which is
why Friedrich was asking about your company name. When signed, the dialog
displays the product name and company name, and names the Certificate
Authority (CA).

Have a look at
http://instantssl.com/code-signing/code-signing-technical.html?currency=USD&region=North%20America&country=US
and you'll see an example of each dialog.

Once you actually see this working with your own stuff you will come to trust
the process. You will also come to appreciate that once set up, it's
completely handled by SB. The only time you'll need to fiddle with it is to
set up the parameters for a new project, or change cert files when you renew
your cert.

--
Best regards,

Mark

NewsArchive
03-24-2005, 11:17 AM
[Tuesday, March 22, 2005 8:08 PM]

Hi Mark,

That is exactly what I expected to see. However, that is not the case. I
attached a screen shot of the warning in another reply.

Thanks again for your input and I will take a look at the link you provided.

On another subject, does anyone know if Comodo provides any kind of "Seal Of
Approval" or something along those lines that can be placed on a web site to
assure that downloads are protected and safe? I got lost attempting to
navigate their web site.

Thanks again.

Lee

NewsArchive
03-24-2005, 11:18 AM
[Tuesday, March 22, 2005 8:14 PM]

>Hi Mark,
>
>That is exactly what I expected to see. However, that is not the case. I
>attached a screen shot of the warning in another reply.

FWIW, I took a look at your image. It's definitely not what you see for a
signed binary.

If the download is publically available, I'd be interested to see if I see
the same thing here. The only thing that would create a difference between
what you and anyone else would see is a difference in the root certs
installed on the local machine, but it may be worth a go.

--
Best regards,

Mark

NewsArchive
03-24-2005, 11:18 AM
[Tuesday, March 22, 2005 8:18 PM]

Mark,

I appreciate that. Here is the link.

http://www.cya2day.com/downloads/cya.exe

Lee

NewsArchive
03-24-2005, 11:18 AM
[Tuesday, March 22, 2005 8:49 PM]

>Mark,
>
>I appreciate that. Here is the link.
>
>http://www.cya2day.com/downloads/cya.exe

Lee,

Ok, you're going to love this. The browser dowsn't see it as signed, which
you know. Have a look at the Properties of the exe on your local machine.
Open the Digital Signature dialog and look at Details. Note the message text
on General. Now choose View Certificate to open your cert, then have a look
at the Certification Path tab. If you see the same thing I do, you'll see
that the CS root cert (Trusted Certificate Services) is not trusted. That's
the issue with your code signing.

It's been a while since I delt with this stuff, so I'm a bit rusty. I believe
the issue is that the Comodo root cert is not installed on your machine, or
mine. That is not an issue you can solve by simple installing their root on
your machine. For that to work, everyone on the planet would have to do so.

The core issue here actually belongs to MS. There was a kind of root cert
"war" some time back where startups like InstantSSL/Comodo and others were
not "blessed" by MS and thus their root certs were not included in IE
distros. I thought all this was all worked out some time ago, but like with
everything else, I could be mistaken.

Assuming I have the underlying issue correct, I think your best bet it to
take the whole thing up with InstaltSSL.

--
Best regards,

Mark

NewsArchive
03-24-2005, 11:19 AM
[Tuesday, March 22, 2005 9:04 PM]

Hi Mark,

I really appreciate you taking the time to help me with this.

I followed the steps you outlined below to look at the properties of the exe
on my local machine and everything looks OK to my novice, tired eyes. I have
attached a screen shot of the last tab you mentioned. Is this not what you
see when you look at the properties?

Thanks again.

Lee

NewsArchive
03-24-2005, 11:19 AM
[Tuesday, March 22, 2005 9:09 PM]

Check the "Trused Certiciate Services". It's not trusted here, which is an IE
+ root cert thing.

--
Best regards,

Mark

NewsArchive
03-24-2005, 11:20 AM
[Tuesday, March 22, 2005 9:33 PM]

Hi Mark,

Checking the "Trusted Certificate Services" in IE does not reveal a
certificate for "Comodo" or any variation of it. Does this mean I pissed
away $179.00 getting this thing?

There are others that are using this CSC from Comodo. In fact, it was in
this NG I heard about it. Aren't any of you that purchased it having the
same problems? If not, what am I doing differently than you?

Mark, I really appreciate you taking the time to help me sort this out, but
it looks like I have bumped into a wall.

Thanks again.

Lee

NewsArchive
03-24-2005, 11:22 AM
[Tuesday, March 22, 2005 9:08 PM]

Mark,

Thanks, that is one issue that never occurred to me. May explain the
special note in the install portion of the docs in some products.

--
Russ Eggen
www.radfusion.com

NewsArchive
03-24-2005, 11:23 AM
[Tuesday, March 22, 2005 9:16 PM]

>Mark,
>
>Thanks, that is one issue that never occurred to me. May explain the
>special note in the install portion of the docs in some products.

Best case is that I'm completely wrong and the whole root cert thing was
resolved by MS making nice with everyone. I thought that was the case, but
I'm running IE 6 on 2K and don't have their root cert, or it's not trusted.

The sad thing is that if it were a Veri$ign cert costing much more, it
would never be an issue.

--
Best regards,

Mark

NewsArchive
03-24-2005, 11:23 AM
[Wednesday, March 23, 2005 2:57 PM]

>>Mark,
>>
>>Thanks, that is one issue that never occurred to me. May explain the
>>special note in the install portion of the docs in some products.
>
>
> Best case is that I'm completely wrong and the whole root cert thing was
> resolved by MS making nice with everyone. I thought that was the case, but
> I'm running IE 6 on 2K and don't have their root cert, or it's not trusted.
>
> The sad thing is that if it were a Veri$ign cert costing much more, it
> would never be an issue.

Lee, I downloaded your file and can confirm it is signed and trusted
here. Running XP Pro SP2 and all the latest bug fixes from Microsoft.

However. The sting in the tail here is that you still get a warning
when you try to download it. I don't think there is any way to overcome
that, it's a MS thing.
--
Simon Craythorn
InterVations, Inc

NewsArchive
03-24-2005, 11:24 AM
[Wednesday, March 23, 2005 10:37 AM]

Hi All,

Unfortunately, I am not a Code Signing expert <g>. But as I understand it,
Comodo, Veri$ign, Thawte, Baltimore and Entrust all provide 99% browser
ubiquity and are included in the *base* install of Windows 98SE, ME, 2000
and XP.

Comodo is a member of the Microsoft Root Certificate Program. See:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/rootcertprog.asp

Lee: IMO, Comodo is the right product. We are also using it in SB5.

This is what I see when I download and run your installer (see screenshot)
on all of our XP machines. I get the same "warning" when I download and
run Microsoft installer products.

BTW, this is a Comodo statement:

For Windows XP, everything is automatic, meaning well over 200 Million
customers will automatically have access to all the latest certificates. For
older versions of the Windows operating system it is highly recommended that
the latest root update is installed. Good security policy dictates that
your root certificate store should have the most current root certificate
references from all trusted certification authorities, thereby providing the
widest capability to recognize trusted content. Install the latest Microsoft
root certificate patch here:

http://download.windowsupdate.com/msdownload/update/v3-19990518/cabpool/rootsupd_afc57447f7caadd3253333e35777fcd.exe

Does this help?

Friedrich

Friedrich Linder
CEO, Lindersoft
www.lindersoft.com
1.954.252.3910

NewsArchive
03-24-2005, 11:24 AM
[Wednesday, March 23, 2005 4:48 PM]

Friedrich,

Thank you so much for your input. I guess I expected more from the browser
and was confused by the warning that I saw when I attempted to download the
software. I must confess, with my lack of understanding, I did not actually
download and attempt the install. My BAD.

I too am running Win XP SP2. I guess now I need to download it on a couple
of other OS's and see how the code signing is handled.

I can now confirm that doing the download AND attempting the install, I see
the same as you. In my opinion, the entire process needs a good overhaul as
it sure would be nice if the user were given peace of mind at the time of
download by assuring them the software is valid and signed. It doesn't make
much sense to tell them there is a security risk when it is downloaded only
to prove to them otherwise when they execute it. Oh well, lesson learned.

Thanks for taking the time to explain all this. I feel much better
now....<g>

Lee

NewsArchive
03-24-2005, 11:24 AM
[Wednesday, March 23, 2005 7:12 PM]

>This is what I see when I download and run your installer (see screenshot)
>on all of our XP machines. I get the same "warning" when I download and
>run Microsoft installer products.

Thanks for pointing that out, Friedrich. Looking for some equivalence between
IE's behavior on 2K and XP, I hadn't taken the process that far.

It's better than I thought, and worse than I imagined. You actually have to
get to the point of running it before XP gives any indication it's signed.
For a signed program XP displays a warning. For any unsigned program run from
disk, it just runs it. So you signed and exe and XP "warns" you about
security risks. Drop any unsigned program into XP and run it and it does
nothing more than run it. This is MS's idea of enhanced security? No wonder
it's worried about Linux.

--
Best regards,

Mark

NewsArchive
03-25-2005, 07:44 AM
[Thursday, March 24, 2005 9:51 PM]

Now why did you not say so in the first place?! That makes perfect sense.
<vbg>

BTW - as a side issue, what considerations should one make about the
certificate vendor besides price?
--
Russ Eggen
www.radfusion.com

NewsArchive
03-25-2005, 07:45 AM
[Friday, March 25, 2005 11:22 AM]

Hi Russ,

> Now why did you not say so in the first place?! That makes perfect sense.
> <vbg>

<G> :)

> BTW - as a side issue, what considerations should one make about the
> certificate vendor besides price?

Please make sure their root certificate is included in the base install of
Windows. I would suggest to use Comodo - the only problem I have with
Comodo is, that I asked for a special price for our SB5 customers, but they
never answered to my requests <g>. But other support questions were always
answered within 8 hours.

BTW, please do not use a code signing certificate from Ascertia - if you do
then your clients need to insert Ascertia Root CAs in their IE Keystore.

If you buy a Comodo or Veri$ign certificate, most customers will
automatically have access to all the latest certificates! The code signing
process takes place transparently. There is nothing that the customer has
to install additionally to get it working.

Friedrich

--
Friedrich Linder
CEO, Lindersoft
www.lindersoft.com
1.954.252.3910

NewsArchive
03-28-2005, 08:14 AM
[Friday, March 25, 2005 4:45 PM]

Thanks.

--
Russ Eggen
www.radfusion.com