View Full Version : code signing 3rd party dlls and exes
NewsArchive
02-05-2015, 02:57 AM
I remember the discussion but don't remember the answer... we should
code sign all the 3rd party dlls (that aren't already signed), right?
I have all my 3rd party stuff (and SV dlls) located in a folder called
common dlls. Hopefully I can just make one command to sign them all.
Thanks,
--
Ray Rippey
VMT Software
NewsArchive
02-05-2015, 02:57 AM
Hi Ray,
> I remember the discussion but don't remember the answer... we should code
> sign all the 3rd party dlls (that aren't already signed), right?
What makes you think there was an _answer_ <vbg>
If you haven't still got the Clarion8 newsgroup then you can find it
here
http://clarion-software.com/index.php?group=13&id=42290
Most authorative sounding answers (contradictory) were from Michael
Summons
Quote
I got interested in this thread so I went and asked the Intellectual
Property Lawyer I lecture with for their opinion.
There were a couple of premesis in their reply:
1. You have permission to redistribute these 3rd party files
2. You are using them as part of your application
3. (Optional but desireable) You have permission from the 3rd Party to
sign their files
Basically the code signing identifies you (or your company) as a
legitimate supplier. That is the code signing authority has checked
that you exist and are registered as a business.
When you code sign (or authenticate as Microsoft puts it) you are
guaranteeing that the EXE's DLL's etc that you have supplied have
indeed
been supplied by you and that the have not been changed since they
were
signed. It in no way implies IP ownership!
If you code sign any files which are a 3rd parties then you are
saying:
"I have permission to redistribute these files as part of my
application
and I'm attaching my certificate to them to ensure that they have not
been tampered with and that they form part of my application."
This also means that you take responsiblity for their operation on the
end users machine.
Code signing in no way claims ownership of code and should not be
confused with intellectual property.
EndQuote
and (from the opposing camp as it were :-) ) Friedrich had this...
Quote
[In response to the thread, not to this specific mesage]
You'll find this in quite a few software license agreements:
"You may not modify the SOFTWARE or disable any licensing or control
features of the SOFTWARE."
When you code-sign a file then you change its binary contents ("you
modify
the SOFTWARE"). So it's very well possible that you'll take over
responsibility.
The following is from one of our non-Clarion customers (I'll cut a
long
story short here). He had to guarantee that his software product did
not
"phone-home", did not contain a virus and that all application files
(.exe,
..dll, .ocx) were code-signed. Sometimes, Windows connects to a server
to
check or update the certificate revocation list (CRL) for code-signed
files.
This was not considered to be a "phone-home" action.
Okay, it turned out that two components where not code signed and the
vendor
went out of business two years ago. So he code-sign the two files on
his
own.
The problem was that code-signing the files (silently) "activated"
some kind
of license protection mechanism. On February 29, 2012 (three months
after
the initial installation date), the license protection algorithm
decided to
"phone home" and sent some machine specific information to a server
(and
this server was still active). Ouch!
So my advice is to check this with the vendor first. And if the vendor
went
out of business, do not code-sign the file(s).
EndQuote
Graham
NewsArchive
02-05-2015, 02:58 AM
Thanks for the info... my only reason for code signing is so these
anti-virus programs will quit deleting dll's... not that that will
happen, but I'm hoping it will.
I notice that sv dlls are signed now.. that's good. Personally I think
if a programmer makes a dll to be distributed, they should sign it, or
not worry about it if the distributor (me) signs it.
And whether or not I sign a dll, my customer expects me to guarantee no
viruses... so I'm guaranteeing anyway. I'm only talking about clarion
3rd party dll's so far.
anywho.... I'll keep it in mind.
Thanks for the 'answer' <g>,
Ray
NewsArchive
02-05-2015, 02:59 AM
I changed my RED file to ensure that all needed DLLs are copied to a
folder (where my fresh EXE and my DLLs are). I always sign my own
stuff, but never signed any 3rd party DLLs (felt a bit like stealing to
put my name on it <g>).
I use SB's static scan of the EXE and it builds me a nice list of DLLs I
need. But I don't sign anything I did not make.
--
Russ Eggen
RADFusion International, LLC
Powered by vBulletin® Version 4.2.5 Copyright © 2024 vBulletin Solutions Inc. All rights reserved.