code signing certs
Code signing certs, what a scam. It's like having the privilege of paying someone to steal your Identity.
I will likely have to find a local provider in NZ as the US lot are a bit Forrest Gump to comprehend that we don't have addresses printed on any government issued IDs, not even passports, and also notwithstanding the fact I live on an island with limited services, it's a major inconvenience for me to jump through the hoops, to fill out forms just to get it signed by a notoriety who then has to provide valid ID and all to appease some bottom feeding corporate scumbags who are really just running interference to keep the little guys down and out of the large companies' swill troughs. It would be simpler if I was incorporated.
So self signed it is while I rest my middle finger.
Thoughts, suggestions, comments welcome.
Re: code signing certs
Good morning, that's a nice tnetennba!
PureBasic 6.21/Windows 11 x64/Ryzen 7900X/32GB RAM/3TB SSD
Synology DS1821+/DX517, 130.9TB+50.8TB+2TB SSD
Re: code signing certs
Thanks, I did come across that the other day.
I could think of a way to eliminate it: just write an application that deletes the ADS off the file, or copy it onto a FAT drive and back again. ADS isn't such a risk now, at least as far as I'm aware, but it's still dangerous and ripe for abuse.
I will just self sign a cert for now and use sha3 on the website.
What are people here currently doing to get their applications on Windows? Code certs are expensive.
Re: code signing certs
Please excuse my ignorant question, but why certify it at all? I've always used my software without certifications, at home, at work or by others as downloads on certain sites.
This sounds like throwing money out of the window...with extra steps.
Re: code signing certs
jacdelad wrote: Fri Sep 16, 2022 4:06 am
> Please excuse my ignorant question, but why certify it at all? I've always used my software without certifications, at home, at work or by others as downloads on certain sites.
> This sounds like throwing money out of the window...with extra steps.
Yes, maybe people just ignore it and run it anyway, so I may as well just self sign it and worry about it later if at all.
I'm just curious to know how many people here have gone down that path.
Re: code signing certs
idle wrote: Fri Sep 16, 2022 4:14 am
> jacdelad wrote: Fri Sep 16, 2022 4:06 am
> > Please excuse my ignorant question, but why certify it at all? I've always used my software without certifications, at home, at work or by others as downloads on certain sites.
> > This sounds like throwing money out of the window...with extra steps.
> yes maybe people just ignore it and run it anyway, so I may as well just self sign it and worry about it later if at all.
> I'm just curious to know how many people here have gone down that path.
Yeah, but I mean, I never encountered this certain message by Windows (blablabla, not certified, want to run it anyway? blablabla). Just put it on the PC and go. So I don't see a hurdle at all.
Re: code signing certs
People say signing your exes helps prevent false-positives with anti-virus companies, but then I've seen lots of posts by developers and companies on StackOverflow who said they sign their exes but still get false-positives anyway. So, to me, there's really no point.
Signing just proves who released the exe; it doesn't actually prove the exe is safe. And some malware authors have signed their exes in the past to make them appear safe before delivering their virus payload, so... yeah, waste of money, IMO.
Re: code signing certs
Thanks Barry,
yes, it does look like an endless scam
if you look at an exe you've downloaded it will have a Zone identifier stream on it like
92
:Zone.Identifier:$DATA
Code: Select all
; List the alternate data streams (ADS) attached to a file
path.s = OpenFileRequester("ADS",GetUserDirectory(#PB_Directory_Downloads),"*.*",1)

Structure WIN32_FIND_STREAM_DATA
  StreamSize.q                    ; LARGE_INTEGER: 64-bit on x86 and x64
  cStreamName.s{#MAX_PATH+36}
EndStructure

Prototype.i FindFirstStreamW(filename.s,infolevel,*out,flags.l)
Prototype.i FindNextStreamW(hFindStream.i,*out)   ; handles are pointer-sized

Global FindFirstStream.FindFirstStreamW
Global FindNextStream.FindNextStreamW
Global handle
Global NewList sinfo.WIN32_FIND_STREAM_DATA()

lib = OpenLibrary(-1,"Kernel32.dll")
If lib
  FindFirstStream.FindFirstStreamW = GetFunction(lib,"FindFirstStreamW")
  FindNextStream.FindNextStreamW = GetFunction(lib,"FindNextStreamW")
  If path <> ""
    AddElement(sinfo())
    handle = FindFirstStream(path,0,@sinfo(),0)
    If handle <> #INVALID_HANDLE_VALUE
      ; Add a fresh element before every FindNextStream call so the
      ; entry that was just filled in is not overwritten
      AddElement(sinfo())
      While FindNextStream(handle,@sinfo())
        AddElement(sinfo())
      Wend
      FindClose_(handle)
    EndIf
    ForEach sinfo()
      ; Skip the empty trailing element and the unnamed default stream (the file's own data)
      If sinfo()\StreamSize > 0 And sinfo()\cStreamName <> "::$DATA"
        Debug sinfo()\StreamSize
        Debug sinfo()\cStreamName
      EndIf
    Next
  EndIf
  CloseLibrary(lib)
EndIf
Re: code signing certs
Software signing is a bit like other belief-based systems, imho.
How many of your potential customers believe in it and won't use your product if you don't sign your software?
Will the cost of buying a signature from a respected authority be worth it because your biggest customers have a policy of only running software signed from a major signing authority?
Ask a trusted employee in some of your biggest customer companies how their policy about (un-)signed software is. The local law situation of your customers' region might affect it.
Re: code signing certs
Bitblazer wrote: Fri Sep 16, 2022 6:34 am
> Software signing is a bit like other believe based systems, imho.
> How many of your potential customers believe in it and wont use your product if you don't follow it?
> Will the cost of buying a signature from a respected authority be worth it because your biggest customers have a policy of only running software signed with from a major signing authority?
> Ask a trusted employee in some of your biggest customer companies how their policy about (un-)signed software is. The local law situation of your customers region might affect it.
thanks, probably none. It's not like my customers will be government or even corporates who may demand such because it's in parentheses "important"! for no reason
- Addict
- Posts: 4789
- Joined: Thu Jun 07, 2007 3:25 pm
- Location: Berlin, Germany
Re: code signing certs
Hello idle,
thanks for the code!
When using EnableExplicit, there is a syntax error at line 23:
Code: Select all
handle = FindFirstStream(path,0,@sinfo,0)
So I replaced @sinfo with @sinfo(). But then I get a runtime error on this line (with PB 6.00 LTS on Windows 11):
The list doesn't have a current element.
Re: code signing certs
Well caught, fixed it thanks
Re: code signing certs
This is a bit more info and quite informative too
Code: Select all
EnableExplicit

Global path.s = OpenFileRequester("ADS",GetUserDirectory(#PB_Directory_Downloads),"*.*",1)

Structure WIN32_FIND_STREAM_DATA
  StreamSize.q
  cStreamName.s{#MAX_PATH+36}
EndStructure

Prototype.i FindFirstStreamW(filename.s,infolevel,*out,flags.l)
Prototype.i FindNextStreamW(hFindStream.i,*out)   ; handles are pointer-sized

Global FindFirstStream.FindFirstStreamW
Global FindNextStream.FindNextStreamW

; Return the name and content of every alternate data stream of file
Procedure.s ReadADS(file.s)
  Protected handle,out.s,name.s,lib,*mem,fn
  Protected NewList sinfo.WIN32_FIND_STREAM_DATA()
  lib = OpenLibrary(-1,"Kernel32.dll")
  If lib
    FindFirstStream.FindFirstStreamW = GetFunction(lib,"FindFirstStreamW")
    FindNextStream.FindNextStreamW = GetFunction(lib,"FindNextStreamW")
    If file <> ""   ; use the parameter, not the global path
      AddElement(sinfo())
      handle = FindFirstStream(file,0,@sinfo(),0)
      If handle <> #INVALID_HANDLE_VALUE
        ; Add a fresh element before every FindNextStream call so the
        ; entry that was just filled in is not overwritten
        AddElement(sinfo())
        While FindNextStream(handle,@sinfo())
          AddElement(sinfo())
        Wend
        FindClose_(handle)
      EndIf
      ForEach sinfo()
        name = sinfo()\cStreamName
        ; Skip the empty trailing element and the unnamed default stream (the file's own data)
        If sinfo()\StreamSize > 0 And name <> "::$DATA"
          *mem = AllocateMemory(sinfo()\StreamSize)
          If *mem
            fn = ReadFile(-1,file+name)   ; open the stream read-only
            If fn
              ReadData(fn,*mem,sinfo()\StreamSize)
              ; Keep the stream name in its own variable so earlier results are not discarded
              out + name + #CRLF$ + PeekS(*mem,sinfo()\StreamSize,#PB_Ascii) + #CRLF$
              CloseFile(fn)
            EndIf
            FreeMemory(*mem)
          EndIf
        EndIf
      Next
    EndIf
    CloseLibrary(lib)
  EndIf
  ProcedureReturn out
EndProcedure

Debug ReadADS(path)
And back on topic you can easily create and sign your exes with powershell
Code: Select all
# In PowerShell as admin
$cert = New-SelfSignedCertificate -Subject "Your name & Domain.com" -Type CodeSigningCert -CertStoreLocation cert:\LocalMachine\My
certmgr.msc
# Move cert from Intermediate to Trusted root, then you can sign your exe with
Set-AuthenticodeSignature -FilePath C:\path\to\uberprogram.exe -Certificate $cert
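
Added example, not part of any post in this thread: the Zone.Identifier lookup that the PureBasic code performs, done with built-in PowerShell cmdlets, together with the Authenticode status Windows reports for the same file. The function name Get-DownloadTrustInfo and the sample file are made up for illustration; the script needs an NTFS volume.

```powershell
# Added example: report the alternate data streams, zone and signature state of a file.
function Get-DownloadTrustInfo {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path

    # Enumerate every NTFS stream; ':$DATA' is the file's own content, not an ADS.
    $streams = Get-Item -LiteralPath $Path -Stream * |
        Where-Object Stream -ne ':$DATA' |
        Select-Object -ExpandProperty Stream

    # Windows URL security zones as stored in the ZoneId field.
    $zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                    3 = 'Internet';      4 = 'Restricted sites' }
    $zoneId = $null
    if ($streams -contains 'Zone.Identifier') {
        $text = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
        if ($text -match '(?m)^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
    }

    # Status is 'Valid' only when the signer chains to a root trusted on this machine.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        File             = $item.Name
        AlternateStreams = $streams -join ', '
        ZoneId           = $zoneId
        Zone             = if ($null -ne $zoneId) { $zoneNames[$zoneId] } else { 'none recorded' }
        SignatureStatus  = $sig.Status
        Signer           = $sig.SignerCertificate.Subject
    }
}

# Constructed sample: an unsigned script carrying a hand-written Zone.Identifier stream.
$sample = Join-Path $env:TEMP 'ads-demo.ps1'
Set-Content -LiteralPath $sample -Value 'Write-Output "demo"'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

Get-DownloadTrustInfo -Path $sample | Format-List
Remove-Item -LiteralPath $sample
```

Run against an exe signed with the self-signed certificate from the post above, SignatureStatus shows whether the machine actually trusts that signature.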