In modern technology everyone know about the buzz words like malware, spyware, malicious code from cyber crime perspective. These are the terms used to refer the threats to digital data which are spreaded and used across all electronic gadgets. From a survey hackers attack every 39 seconds and it keep on increasing year on year.
How can we trust a software before download and use it?
Yes, there is a process in place called Code Sign Certificate.
Why this Code Sign Certificate?
This certificate keep us and our devices safe from potentially harmful applications and we can't imagine without this in today.
What is Code Sign Certificate?
In a nutshell, the code sign certificate is a small file of verifiable data that contains specific identifying credentials. Those credentials use a certificate-based digital signature to sign programs, code, and software. It's how developers, web programmers, or the average user can be assured that the code or program they're about to implement or install is legitimate and hasn't been tampered with.
These certificates were created as a means to foster trust in the software and to validate that it hasn't been altered or corrupted. This is especially helpful when it comes to trusting updates, as well. If an update is signed with the same key as the source application, then you know it can be trusted, since it could have only come from one place — the developer.
How a Code Signing Certificate Works
In order to provide that proof of identification or authenticity, code signing certificate uses something called public-key infrastructure, or PKI.
Its a two-part system consisting of a public key and a private key. The private key is used to sign the data and is never sent to the certificate provider. The public key is used to confirm the signature and that it is submitted to the provider with the certificate request.
Keys are actually just a very long alpha-numeric string. They're related mathematically, but, because they are neither identical or even similar, both keys have to be used at the respective points in order to encrypt or decrypt information.
Advantages of Code Signing
Code signing is supported on all major operating systems (Microsoft Windows, Apple OS X, Linux, etc) as well as all web browsers.
The source of your software is authenticated and verified before downloading. And, the contents can't be maliciously modified.
Code signing has advanced into the realm of mobile apps as well, and when we stop to consider just how much information is passed back and forth by way of our handheld devices, it's pretty clear that code signing is more important now than ever before.
Where to Find a Code Signing Certificate?
We have two options available to purchase a code signing certificate, 1) Certificate Authority, 2) Certificate re-seller
Below are popular CAs & re-seller
https://www.comodo.com/
https://codesigning.ksoftware.net/ (comodo's partner)
https://www.thawte.com/
Note: These certificate authorities give very good prices to their re-sellers as a way to encourage re-sellers to sell the Code Signing SSL Certificates on behalf of the certificate authorities
Which provider is best?
If you obtain code signing certificate from well known (accepted) public certification authority like Verisign, Globalsign, Thawte, their certificate chain is distributed with the most popular browsers (and OSs), so the users will trust your signing certificate by default.
But if you buy one from unknown certification authority, you'll face the problem of distributing the CA's certificate chain along with your certificate, which is obviously unacceptable in the case of code signing certificates.
In my opinion Thawte is a good choice (I think that they're owned by Verisign).
If you can afford it the best choice no doubt is Verisign, because they're the most honored name in this field.
Steps to sign a application?
Step 1: Buy the code sign certificate from one of the authority
Step 2: Use one of the signing tool to sign your application
Step 3: Can use the signing tool inside a MSI package manager. Example, You can use SignTool.exe in Inno Setup manager
How can I sign once got the certificate?
There are many signing tools available in the market and can choose the best one among it.
signtool - (Microsoft)
zxp-sign-cmd - (JS wrapper for Adobe's extension signer)
Note: No Signature signed for an application means then OS & browser treats it as unknown publisher and doesn't trust
How to install SignTool.exe for Windows 10?
We need to install the Windows 10 SDK.
- Visual Studio 2015 Update 1 contains it already, but it is not installed by default. You should go to Control Panel -> Programs and Features, find Microsoft Visual Studio 2015 and select "Change". Visual Studio 2015 setup will start. Select "Modify".
In Visual Studio components list find "Universal Windows App Development Tools", open the list of sub-items and select "Windows 10 SDK (10.0.10240)".
Windows 10 SDK in VS 2015 Update 1 Setup
- Of cause you can install Windows 10 SDK directly from Microsoft: https://go.microsoft.com/fwlink/?LinkID=698771
How to Verify?
When the installation finishes you will find the SignTool.exe in the folders:
- x86 -> c:\Program Files (x86)\Windows Kits\10\bin\x86
- x64 -> c:\Program Files (x86)\Windows Kits\10\bin\x64\
Steps to signing installers (MSI) with Inno Setup?
Configure Sign Tools
Select Configure Sign Tools... from the Tools menu.
Add A Tool
Name the Tool
Give the tool a name. This is the name you will use when referring to the tool in your installer scripts. I named mine signtool because I'm using signtool.exe.
Assign the Command Line Parameters
Paste in the text you use to sign your executables from the command line. Replace the name of the file to sign with $f. Inno Setup will replace the $f variable with the file that is being signed.
Example:
"C:\Program Files\Microsoft Platform SDK for Windows Server 2003 R2\Bin\signtool.exe" sign /f "C:\MY_CODE_SIGNING.PFX" /t http://timestamp.comodoca.com/authenticode /p MY_PASSWORD $f
After clicking OK you are done configuring the sign tool.
Update Your [Setup] Section
Add the following script to your [Setup] section to use the sign tool you just configured. This assumes you named your tool signtool.
SignTool=signtool
The Result
Now when you build your installers they will be signed.
Source: http://tekkieshaper.com/index.php/digital-security
Comments
its really really fastidious post on building up new blog.
I've loaded your blog in 3 different internet browsers and I must say this blog loads a lot faster then most.
Can you recommend a good web hosting provider at a fair price?
Thanks a lot, I appreciate it!
I have joined your rss feed and stay up for searching for more of your wonderful post.
Additionally, I've shared your website in my social networks