Digital signature of software

Viewed 3,149 times

8

I use Kaspersky antivirus, and for it to allow my software, written in Delphi, to run, I needed to mark it as reliable software.

The reason Kaspersky gave was that the software is unreliable because it is not digitally signed.

Looking at the link that @epx passed along, I was able to verify that it is necessary to use certificates to make the digital signature:

Before you can get started, you’ll need a code-signing certificate and associated private key.

Right after that, it says I can generate a key in my infrastructure:

You can generate your own code-signing certificate using your internal Windows public key infrastructure (PKI) or you can buy one from a commercial certification authority (CA) such as Verisign.

So I’d like to know:

1- What is a digital signature of software?     
2- Do I really need it to distribute software and not have the same kind of problem with Kaspersky and other antivirus programs?  
3- How do I digitally sign my software? 
4- How do I generate this certificate in my infrastructure? 
5- Would it be accepted by *Kaspersky*, for example?
  • 2

    It seems that the easiest way to sign an internal program is to use a program called signtool that comes in the .NET SDK: http://windowsitpro.com/security/q-whats-easiest-way-digitally-sign-internally-developed-applications-executable

  • 2

    The part of the question "Do I really need it?" is hard to answer without knowing what you want... You need to know what you want to achieve.

  • I’ve really put the question very broadly and it’s not at all cool, I’ll adjust it. Now, will removing the Delphi tag not leave the question too far out of SOpt’s context? By the way, I included the tag [Delphi] because I wrote the system in [Delphi] and also this is a "language" very targeted by antivirus programs, so I thought that with this tag, someone used to dealing with this kind of problem could help.

  • I believe that everything has become more understandable now. I will read your answer and the links.

1 answer

4


You actually created several questions that might be best explored if they were separate. But I’ll try to answer anyway.

Roughly, a digital signature is like signature recognition and notarization of documents at the registry office, only for digital files. It confirms who issued the file and that this file was not altered after it came out of the hands of the creator.
Signing code or executables for Windows is what Microsoft calls Authenticode.

Some articles from Microsoft on the subject:
Introduction to code signing
Authenticode in the MSDN
Explanation about Authenticode in the blog
Creating, viewing and managing certificates

To sign digitally you need a certificate. You can generate a certificate for yourself using openssl or Makecert. But since you are not recognized by other companies as someone who issues trustworthy certificates, not everyone will give your software full confidence. It’s up to you to check whether the signature generated by you will solve your problem or not.

Below is a list of some certificate sellers that are generally considered reliable:

http://www.verisign.com
http://www.thawte.com
http://www.globalsign.net
http://www.geotrust.com

A cheaper alternative is to get the COMODO certificate via the Tucows website: https://author.tucows.com/article.php?sid=&account_id=&id=2536
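The trust and integrity points above, shown with the openssl tool this answer mentions; this is an added example, not part of the original answer. It produces a detached CMS signature rather than an Authenticode signature embedded in an .exe (that is what signtool does on Windows), and the file names and certificate subject are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: self-signed code-signing certificate, sign, verify, tamper.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

make_cert() {   # self-signed cert + key carrying the codeSigning extended key usage
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Internal Code Signing" \
    -addext "extendedKeyUsage=codeSigning" \
    -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
}

sign_file() {   # detached signature over the exact bytes of $1, written to $1.p7s
  openssl cms -sign -binary -md sha256 -outform DER \
    -signer "$work/cert.pem" -inkey "$work/key.pem" \
    -in "$1" -out "$1.p7s"
}

# verify_file FILE [extra openssl options]; prints "valid" or "rejected"
verify_file() {
  f=$1; shift
  if openssl cms -verify -binary -inform DER -purpose any \
       -in "$f.p7s" -content "$f" -out /dev/null "$@" 2>/dev/null
  then echo valid; else echo rejected; fi
}

run_demo() {
  make_cert || return 1
  printf 'constructed stand-in for app.exe\n' > "$work/app.bin"
  sign_file "$work/app.bin" || return 1
  # 1. A verifier that was explicitly told to trust our certificate
  echo "explicitly trusted: $(verify_file "$work/app.bin" -CAfile "$work/cert.pem")"
  # 2. A verifier that only has its default trust store (any other machine)
  echo "default store:      $(verify_file "$work/app.bin")"
  # 3. The file is modified after signing
  printf 'X' >> "$work/app.bin"
  echo "after tampering:    $(verify_file "$work/app.bin" -CAfile "$work/cert.pem")"
}

run_demo
```

The three lines read valid, rejected, rejected: the signature itself is sound, but only a verifier that already trusts the self-signed certificate accepts it, and any change to the file after signing breaks verification.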

  • 1

    When you say I can generate my certificate and see if it will solve my problem, I already think that this issue of generating certificates myself would be more viable for internal applications. For applications that will be distributed to the public and will run outside my environment, even if it solved the problem at the time, in the future I would probably be pressured to have a certificate from a recognized certification entity. Therefore, if I really had to distribute the signed software, it would be good to already get one from a certification entity.

  • 3

    @Tiago that is more or less it. The problem is that the certificates are usually expensive and, depending on the certifier, very expensive.

  • 1

    A fragment of his answer: "and that this file was not altered after it came out of the hands of the creator." Is this valid for software that was signed as well? Because I believe this would help a lot in the fight against infectious viruses, wouldn't it?

  • Exactly that.

  • Sorry, I didn’t understand your last statement. So the integrity check actually applies to software too?

  • 2

    @Tiago, now I’m the one who got confused. The goal of digital signature is integrity check. It is for both files and executables. I added in the reply another article from Microsoft that gives an introduction on the subject.

  • 1

    Sorry, I just wanted to get a little more information out of you :) And that’s what I wanted to know in this question asked here in the comments. And thank you!

  • @James nothing. You think you could change something in the answer to make it clearer?

  • No, it’s great! Great links! Very enlightening.. Grateful!
