Distributing executable programs and other files to users of the Windows operating system is always a little fishy because they cannot really trust them, due to all the Spam and malware that is freely being distributed around the world. In a relatively closed environment signed and/or encrypted mail can be used, but that is difficult when sending to previously unknown parties or when offering the files as downloads.

Microsoft's Authenticode tools make signing code using a digital certificate quite easy. Ideally, you'd sign the code with a certificate which is automatically trusted by the receiving party (i.e. a certificate which has been issued by one of the trust centres already known to Windows), but even if you use your own Certification Authority (and inform the concerned parties about it), users benefit from the additional security.

We run a CA based on OpenSSL and issue our own certificates. After installing certificate with Enhanced Key Usage of Code Signing (1.3.6.1.5.5.7.3.3) into your Windows certificate store, you can sign and timestamp an executable with

signcode -s my -cn "Certificate Common Name" 
     -t "http://timestamp.verisign.com/scripts/timestamp.dll" prog.exe

More information about signcode can be found in the documentation on Signing and Checking Code with Authenticode at Microsoft.

Comments

blog comments powered by Disqus