
code signing certs

Posted: Fri Sep 16, 2022 2:42 am
by idle
Code signing certs, what a scam. It's like having the privilege of paying someone to steal your identity.
I will likely have to find a local provider in NZ, as the US lot are a bit Forrest Gump to comprehend that we don't have addresses printed on any government-issued IDs, not even passports. Also, notwithstanding the fact that I live on an island with limited services, it's a major inconvenience for me to jump through the hoops and fill out forms just to get it signed by a notary, who then has to provide valid ID and all, to appease some bottom-feeding corporate scumbags who are really just running interference to keep the little guys down and out of the large companies' swill troughs. It would be simpler if I was incorporated.
So self-signed it is while I rest my middle finger.

Thoughts, suggestions and comments welcome.

Re: code signing certs

Posted: Fri Sep 16, 2022 3:02 am
by jacdelad

Re: code signing certs

Posted: Fri Sep 16, 2022 3:48 am
by idle
Thanks, I did come across that the other day.

I could think of a way to eliminate it: just write an application that deletes the ADS off the file! Or copy it onto a FAT drive and back again. ADS isn't such a risk now, at least as far as I'm aware, but it's still dangerous and ripe for abuse.

I will just self-sign a cert for now and use SHA-3 on the website.

What are people currently doing here to get their applications on Windows? Code certs are expensive.

Re: code signing certs

Posted: Fri Sep 16, 2022 4:06 am
by jacdelad
Please excuse my ignorant question, but why certify it at all? I've always used my software without certifications, at home, at work or by others as downloads on certain sites.
This sounds like throwing money out of the window...with extra steps.

Re: code signing certs

Posted: Fri Sep 16, 2022 4:14 am
by idle
jacdelad wrote: Fri Sep 16, 2022 4:06 am Please excuse my ignorant question, but why certify it at all? I've always used my software without certifications, at home, at work or by others as downloads on certain sites.
This sounds like throwing money out of the window...with extra steps.
Yes, maybe people just ignore it and run it anyway, so I may as well just self-sign it and worry about it later, if at all.
I'm just curious to know how many people here have gone down that path.

Re: code signing certs

Posted: Fri Sep 16, 2022 4:20 am
by jacdelad
idle wrote: Fri Sep 16, 2022 4:14 am
jacdelad wrote: Fri Sep 16, 2022 4:06 am Please excuse my ignorant question, but why certify it at all? I've always used my software without certifications, at home, at work or by others as downloads on certain sites.
This sounds like throwing money out of the window...with extra steps.
Yes, maybe people just ignore it and run it anyway, so I may as well just self-sign it and worry about it later, if at all.
I'm just curious to know how many people here have gone down that path.
Yeah, but I mean, I never encountered this certain message by Windows (blablabla, not certified, want to run it anyway? blablabla). Just put it on the PC and go. So I don't see a hurdle at all.

Re: code signing certs

Posted: Fri Sep 16, 2022 4:20 am
by BarryG
People say signing your exes helps prevent false-positives with anti-virus companies, but then I've seen lots of posts by developers and companies on StackOverflow who said they sign their exes but still get false-positives anyway. So, to me, there's really no point.

Signing just proves who released the exe; it doesn't actually prove the exe is safe. And some malware authors have signed their exes in the past to make them appear safe before delivering their virus payload, so... yeah, waste of money, IMO.

Re: code signing certs

Posted: Fri Sep 16, 2022 4:37 am
by idle
Thanks Barry,
yes, it does look like an endless scam.

If you look at an exe you've downloaded, it will have a Zone.Identifier stream on it, like:
92
:Zone.Identifier:$DATA

Code:

path.s = OpenFileRequester("ADS",GetUserDirectory(#PB_Directory_Downloads),"*.*",1)

; Mirrors the Win32 WIN32_FIND_STREAM_DATA layout: a 64-bit size followed by
; a fixed WCHAR name buffer of MAX_PATH+36 characters
Structure WIN32_FIND_STREAM_DATA
  StreamSize.q
  cStreamName.s{#MAX_PATH+36}
EndStructure

Prototype.i FindFirstStreamW(filename.s,infolevel,*out,flags.l)
Prototype.i FindNextStreamW(hFindStream.i,*out)

Global FindFirstStream.FindFirstStreamW
Global FindNextStream.FindNextStreamW
Global handle
Global NewList sinfo.WIN32_FIND_STREAM_DATA()

lib = OpenLibrary(-1,"Kernel32.dll")

If lib
  FindFirstStream.FindFirstStreamW = GetFunction(lib,"FindFirstStreamW")
  FindNextStream.FindNextStreamW = GetFunction(lib,"FindNextStreamW")
  If path <> ""
    AddElement(sinfo())
    handle = FindFirstStream(path,0,@sinfo(),0)
    If handle <> -1                           ; -1 is INVALID_HANDLE_VALUE
      ; each FindNextStream call fills a fresh element, so the first stream is kept
      AddElement(sinfo())
      While FindNextStream(handle,@sinfo()) <> 0
        AddElement(sinfo())
      Wend
      DeleteElement(sinfo())                  ; the last element was never filled
      FindClose_(handle)                      ; release the enumeration handle
    EndIf
    ForEach sinfo()
      If sinfo()\StreamSize
        Debug sinfo()\StreamSize
        Debug sinfo()\cStreamName
      EndIf
    Next
  EndIf
  CloseLibrary(lib)                           ; only after the last call through the pointers
EndIf
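An added example, not idle's code or anything from this thread: the same stream listing done in PowerShell, which also decodes the Zone.Identifier content so you can see which zone a download was marked with. It assumes Windows PowerShell 5.1 or later; the path is a placeholder.

```powershell
# Added example (not idle's code): list a downloaded file's alternate data streams
# and decode its Zone.Identifier (Mark-of-the-Web) stream.
# Assumes Windows PowerShell 5.1 or later; $Path is a placeholder to replace.
$Path = 'C:\Users\you\Downloads\example.exe'

# Well-known Windows URL security zone ids recorded in ZoneId
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';      4 = 'Restricted sites' }

function Get-FileStreams([string]$File) {
    # -Stream * returns every stream, including the unnamed ':$DATA' main stream
    Get-Item -LiteralPath $File -Stream * | Select-Object Stream, Length
}

function Get-MarkOfTheWeb([string]$File) {
    $zone = Get-Item -LiteralPath $File -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $zone) { return $null }          # no stream: the file is not marked as downloaded
    # The stream body is INI-style text: [ZoneTransfer], ZoneId=<n>, optional ReferrerUrl/HostUrl
    $info = @{}
    Get-Content -LiteralPath $File -Stream Zone.Identifier | ForEach-Object {
        if ($_ -match '^(?<k>[A-Za-z]+)=(?<v>.*)$') { $info[$Matches.k] = $Matches.v.Trim() }
    }
    $id = [int]$info['ZoneId']
    [pscustomobject]@{
        File        = $File
        ZoneId      = $id
        Zone        = $ZoneNames[$id]
        ReferrerUrl = $info['ReferrerUrl']
        HostUrl     = $info['HostUrl']
    }
}

Get-FileStreams $Path | Format-Table -AutoSize
$motw = Get-MarkOfTheWeb $Path
if ($motw) { $motw | Format-List } else { "No Zone.Identifier stream on $Path" }
```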


Re: code signing certs

Posted: Fri Sep 16, 2022 6:34 am
by Bitblazer
Software signing is a bit like other belief-based systems, imho.

How many of your potential customers believe in it and won't use your product if you don't sign your software?

Will the cost of buying a signature from a respected authority be worth it because your biggest customers have a policy of only running software signed by a major signing authority?

Ask a trusted employee in some of your biggest customer companies what their policy on (un-)signed software is. The local law situation of your customers' region might affect it.

Re: code signing certs

Posted: Fri Sep 16, 2022 6:51 am
by idle
Bitblazer wrote: Fri Sep 16, 2022 6:34 am Software signing is a bit like other belief-based systems, imho.

How many of your potential customers believe in it and won't use your product if you don't follow it?

Will the cost of buying a signature from a respected authority be worth it because your biggest customers have a policy of only running software signed by a major signing authority?

Ask a trusted employee in some of your biggest customer companies what their policy on (un-)signed software is. The local law situation of your customers' region might affect it.
Thanks, probably none. It's not like my customers will be government or even corporates, who may demand such because it's, in parentheses, "important"! For no reason.

Re: code signing certs

Posted: Fri Sep 16, 2022 7:20 am
by Little John
Hello idle,
thanks for the code!

When using EnableExplicit, there is a syntax error at line 23:

Code:

handle  = FindFirstStream(path,0,@sinfo,0)
So I replaced @sinfo with @sinfo(). But then I get a runtime error on this line (with PB 6.00 LTS on Windows 11):
The list doesn't have a current element.

Re: code signing certs

Posted: Fri Sep 16, 2022 7:39 am
by idle
Well caught, fixed it, thanks.

Re: code signing certs

Posted: Fri Sep 16, 2022 9:51 am
by Little John
Thank you!

Re: code signing certs

Posted: Fri Sep 16, 2022 11:30 pm
by idle
This is a bit more info, and quite informative too.

Code:

EnableExplicit

Global path.s = OpenFileRequester("ADS",GetUserDirectory(#PB_Directory_Downloads),"*.*",1)

; Mirrors the Win32 WIN32_FIND_STREAM_DATA layout
Structure WIN32_FIND_STREAM_DATA
  StreamSize.q
  cStreamName.s{#MAX_PATH+36}
EndStructure

Prototype.i FindFirstStreamW(filename.s,infolevel,*out,flags.l)
Prototype.i FindNextStreamW(hFindStream.i,*out)
Global FindFirstStream.FindFirstStreamW
Global FindNextStream.FindNextStreamW

; Returns the name and text content of every named stream attached to file
; (the unnamed "::$DATA" stream is the file itself and is skipped)
Procedure.s ReadADS(file.s)
  Protected handle,out.s,name.s,lib,*mem,fn
  Protected NewList sinfo.WIN32_FIND_STREAM_DATA()
  lib = OpenLibrary(-1,"Kernel32.dll")

  If lib
    FindFirstStream.FindFirstStreamW = GetFunction(lib,"FindFirstStreamW")
    FindNextStream.FindNextStreamW = GetFunction(lib,"FindNextStreamW")
    If file <> ""
      AddElement(sinfo())
      handle = FindFirstStream(file,0,@sinfo(),0)
      If handle <> -1                          ; -1 is INVALID_HANDLE_VALUE
        AddElement(sinfo())
        While FindNextStream(handle,@sinfo()) <> 0   ; each call fills a fresh element
          AddElement(sinfo())
        Wend
        DeleteElement(sinfo())                 ; the last element was never filled
        FindClose_(handle)
      EndIf
      ForEach sinfo()
        name = sinfo()\cStreamName
        If sinfo()\StreamSize And name <> "::$DATA"
          *mem = AllocateMemory(sinfo()\StreamSize)
          If *mem
            fn = ReadFile(-1,file+name)          ; "file:stream:$DATA" opens the stream read-only
            If fn
              ReadData(fn,*mem,sinfo()\StreamSize)
              out + name + #CRLF$ + PeekS(*mem,sinfo()\StreamSize,#PB_Ascii) + #CRLF$
              CloseFile(fn)
            EndIf
            FreeMemory(*mem)
          EndIf
        EndIf
      Next
    EndIf
    CloseLibrary(lib)
  EndIf

  ProcedureReturn out

EndProcedure

Debug ReadADS(path)

And back on topic: you can easily create and sign your exes with PowerShell.

Code:

# In PowerShell as admin

$cert = New-SelfSignedCertificate -Subject "Your name & Domain.com" -Type CodeSigningCert -CertStoreLocation cert:\LocalMachine\My

certmgr.msc

# The cert lands in the Personal (My) store; copy it to Trusted Root Certification Authorities
# (and Trusted Publishers) on this machine, then you can sign your exe with

Set-AuthenticodeSignature -FilePath C:\path\to\uberprogram.exe -Certificate $cert
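An added example, not from the thread: once an exe is signed, this is what a signature check on the receiving machine actually reports, which is Barry's point above: it tells you the status and the signer, not whether the file is safe. It assumes Windows PowerShell 5.1 or later; the path is a placeholder.

```powershell
# Added example (not from the thread): what Get-AuthenticodeSignature reports for an exe.
# Assumes Windows PowerShell 5.1 or later; the path at the bottom is a placeholder.
function Get-SignatureReport([string]$File) {
    $sig  = Get-AuthenticodeSignature -FilePath $File
    $cert = $sig.SignerCertificate
    $chainTrusted = $false
    if ($cert) {
        # Build the chain against this machine's stores: a self-signed signer only
        # passes on a machine where that cert was imported into Trusted Root.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainTrusted = $chain.Build($cert)
    }
    [pscustomobject]@{
        File         = $File
        Status       = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError (untrusted chain) ...
        Message      = $sig.StatusMessage
        Signer       = if ($cert) { $cert.Subject } else { '(unsigned)' }
        Thumbprint   = if ($cert) { $cert.Thumbprint } else { '(unsigned)' }
        SelfSigned   = [bool]($cert -and $cert.Subject -eq $cert.Issuer)
        ChainTrusted = $chainTrusted
        Timestamped  = $null -ne $sig.TimeStamperCertificate
        # The signature says who released the file; the hash is what you publish on the website
        Sha256       = (Get-FileHash -LiteralPath $File -Algorithm SHA256).Hash
    }
}

Get-SignatureReport 'C:\path\to\uberprogram.exe' | Format-List
```

On a machine that never imported the self-signed cert, Status comes back as UnknownError with ChainTrusted false, which is exactly the "not certified, run anyway?" situation described earlier in the thread.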