
How do you create a digital signature?


15 replies to this topic

#1 razz3333

razz3333

  • Members
  • 104 posts

Posted 27 May 2017 - 10:09 AM

I'm developing a Windows application in VB.NET using Visual Studio 2017.  I activated (not sure if this is the proper term) a certificate and now need to have a digital signature (for free, if that's at all possible).  I have no idea how to go about this task.

 

Your help will be greatly appreciated.




#2 KingDavidlll

KingDavidlll

  • Malware Study Hall Junior
  • 297 posts
  • Gender:Male

Posted 29 May 2017 - 06:24 AM

Hey Razz,

 

It really depends on what you need the certificate for.  Do you need to sign your code?  Does it need to be trusted by external third parties who you can't send your public key to, or is it for internal use only?

 

There are lots of purposes for it and each needs a slightly different thing!



#3 GoofProg

GoofProg

  • Banned
  • 224 posts
  • Gender:Male

Posted 29 May 2017 - 01:10 PM

I guess that is why people used to use the gpg system.



#4 razz3333

razz3333
  • Topic Starter

  • Members
  • 104 posts

Posted 29 May 2017 - 05:57 PM

> Hey Razz,
>
> It really depends on what you need the certificate for.  Do you need to sign your code?  Does it need to be trusted by external third parties who you can't send your public key to, or is it for internal use only?
>
> There are lots of purposes for it and each needs a slightly different thing!

 

I'm new to this sort of thing so to be honest, I'm not sure what is required.  The windows app I'm developing will be freeware and I'll be hosting the download file on my website, plus on Softpedia and on as many reputable download sites as possible.

 

I had first developed this program in 2008 and this program I'm currently developing is a major upgrade to it.  Since its first release (2008) I've had about 3000 downloads and I never gave a certificate any thought.  What made me think of a digitally signed certificate is the fact that my Zemana AntiMalware put my program in quarantine as soon as I launched it.  The reason it did that is because of not having a digital signature.  I would hate for a user to have the same experience when launching my program (they probably would not be too thrilled).

 

I hope this explanation enables you to know what it is I need.

 

Thank you for your time and effort, it is really appreciated.



#5 KingDavidlll

KingDavidlll

  • Malware Study Hall Junior
  • 297 posts
  • Gender:Male

Posted 30 May 2017 - 04:33 AM

All good!  It sounds like you are just going to use the digital signature to sign your program (I wasn't sure from your last post).  What this provides is a guarantee that your program is made by someone who can be verified.  More general information about digital signatures for code signing can be found here: https://msdn.microsoft.com/en-us/library/ms537361(v=vs.85).aspx

 

There are 2 ways about this.  You can create your own self-signed certificate - which will honestly not do much good as it can't be verified.  

 

Or you can pay a certificate authority to sign your certificate, however you will most likely have to pay around ~$150 a year or so and send them identity documents to prove who you are.

More information about getting a certificate can be found here:

https://technet.microsoft.com/en-us/library/cc732597(v=ws.10).aspx

 

I would highly recommend getting a certificate if you are planning on selling/releasing your product on the web.  

 

At the moment I see Microsoft isn't easily providing a list of CAs, you can find a good list here: https://en.wikipedia.org/wiki/Certificate_authority

 

I personally like Digicert, however there really isn't any difference between them.



#6 razz3333

razz3333
  • Topic Starter

  • Members
  • 104 posts

Posted 31 May 2017 - 09:31 AM

KingDavidIII, thank you so very much for your detailed explanation.  I truly appreciate your time and effort.  Thanks to your 2 links I did a lot of reading and figured out that what I need to do is download the MakeCert tool and create a Make Certificate.

 

My program will always be freeware and thus it simply would not make sense for me to pay annual fees for a verified digital signature certificate.  I will explain on my website why the program is not verified by a digital signature and I'll also include this explanation in a "Read Me" text file packaged within the zip file.

 

I'll also probably need to explain that if they have real-time anti-malware protection, their anti-malware program may flag my program as malware and thereby move it to quarantine (like happened to me with Zemana AntiMalware).  Naturally I removed it from quarantine and thereby it was white-listed by Zemana and thereafter I was able to launch the program.


Edited by razz3333, 31 May 2017 - 09:33 AM.


#7 Moritz30

Moritz30

  • Members
  • 69 posts
  • Gender:Male

Posted 05 June 2017 - 06:14 AM

> KingDavidIII, thank you so very much for your detailed explanation.  I truly appreciate your time and effort.  Thanks to your 2 links I did a lot of reading and figured out that what I need to do is download the MakeCert tool and create a Make Certificate.
>
> My program will always be freeware and thus it simply would not make sense for me to pay annual fees for a verified digital signature certificate.  I will explain on my website why the program is not verified by a digital signature and I'll also include this explanation in a "Read Me" text file packaged within the zip file.
>
> I'll also probably need to explain that if they have real-time anti-malware protection, their anti-malware program may flag my program as malware and thereby move it to quarantine (like happened to me with Zemana AntiMalware).  Naturally I removed it from quarantine and thereby it was white-listed by Zemana and thereafter I was able to launch the program.


I'd just like to note that signatures made with a self-created certificate will not be valid on systems where the certificate was not manually added as trusted. If you want a certificate which can be used to create signatures that are trusted by default, you will need to buy one from an Authenticode CA like Comodo.
White Hat, Security Researcher, Modder, CEO at and founder of @DragonTeamMC, @OmniDragonBot and CryptID. Real name is Matthias Merkel.

#8 razz3333

razz3333
  • Topic Starter

  • Members
  • 104 posts

Posted 05 June 2017 - 05:51 PM

Moritz30, thank you for your input.  It turns out that I came to the same conclusion after a little more research, so I agree with you 100%.

 

So due to my program being freeware, it will be released without a digital signature.  That will just have to do  :)



#9 Moritz30

Moritz30

  • Members
  • 69 posts
  • Gender:Male

Posted 05 June 2017 - 05:53 PM

> Moritz30, thank you for your input.  It turns out that I came to the same conclusion after a little more research, so I agree with you 100%.
>
> So due to my program being freeware, it will be released without a digital signature.  That will just have to do  :)

Actually you can get very cheap code signing certificates from GoGetSSL or kSoftware (DISCLAIMER: Both are sponsoring me/my developer team, but even if they weren't sponsors I would recommend them).

Edited by Moritz30, 05 June 2017 - 05:54 PM.


#10 razz3333

razz3333
  • Topic Starter

  • Members
  • 104 posts

Posted 05 June 2017 - 07:56 PM

> Actually you can get very cheap code signing certificates from GoGetSSL or kSoftware (DISCLAIMER: Both are sponsoring me/my developer team, but even if they weren't sponsors I would recommend them).

 

I guess the definition of "very cheap" would vary according to every individual.  Any hint as to what I could expect to pay?


Edited by razz3333, 05 June 2017 - 07:56 PM.


#11 Moritz30

Moritz30

  • Members
  • 69 posts
  • Gender:Male

Posted 06 June 2017 - 01:20 AM

> Actually you can get very cheap code signing certificates from GoGetSSL or kSoftware (DISCLAIMER: Both are sponsoring me/my developer team, but even if they weren't sponsors I would recommend them).
>
> I guess the definition of "very cheap" would vary according to every individual.  Any hint as to what I could expect to pay?

1 year:
kSoftware: $84
GoGetSSL: $83.85 (cheaper for resellers, but I don't think you are one, so I'm not listing that price here)

Plus the fees for a notary to notarize the face-to-face verification document (only if you do not have a D&B listing, which you can only get as a business or sole trader).

#12 razz3333

razz3333
  • Topic Starter

  • Members
  • 104 posts

Posted 06 June 2017 - 05:00 PM

Moritz30, thanks again for all your info.  It is just too much money for something I will never be selling.  It just does not make sense to me.  I will do my best to explain to users (before they download) that my program has no digital signature and the reason why.  I'll explain what they need to do if it gets flagged as malware.

 

Anyway, thanks again.



#13 KingDavidlll

KingDavidlll

  • Malware Study Hall Junior
  • 297 posts
  • Gender:Male

Posted 09 June 2017 - 02:23 AM

I would still recommend signing it as a signed application which is untrusted is still better than an unsigned application.  You can provide the public key on your website and have a link to it in the description to ensure that people are using what you created and not something else.  This is essential for businesses who wish to use your program.  Also you can set rules to automatically block all unsigned applications which would stop your program, however warn people if it is signed but untrusted.  You'll also be able to put your name in the self-signed cert so more free advertising!



#14 Moritz30

Moritz30

  • Members
  • 69 posts
  • Gender:Male

Posted 10 June 2017 - 05:24 AM

> I would still recommend signing it as a signed application which is untrusted is still better than an unsigned application.  You can provide the public key on your website and have a link to it in the description to ensure that people are using what you created and not something else.  This is essential for businesses who wish to use your program.  Also you can set rules to automatically block all unsigned applications which would stop your program, however warn people if it is signed but untrusted.  You'll also be able to put your name in the self-signed cert so more free advertising!


Only publishing the public key is pointless. You have to publish the whole certificate (without private key of course).

Signing with untrusted certificates has the advantages you said but does have the disadvantage of being detected as suspicious by some AV software, too.
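The self-signed route discussed in the posts above (create a certificate, sign the executable, publish the whole certificate rather than a bare public key as Moritz30 points out, and let users check it), written out as an added PowerShell example. This is not code from any poster in this thread; it uses New-SelfSignedCertificate, which Microsoft now recommends in place of the MakeCert tool mentioned in post #6, together with the built-in Set-AuthenticodeSignature / Get-AuthenticodeSignature cmdlets. The publisher name, file paths and the DigiCert timestamp URL are assumptions to replace with your own.

```powershell
# Added example (not from the thread). Needs Windows 10 / Server 2016 or later
# (the PKI module version of New-SelfSignedCertificate that supports -Type).
#
# Assumed values - hypothetical, change them for your project:
$Publisher = "CN=Example Freeware Publisher"   # name that shows up in the signature
$ExePath   = "C:\build\MyApp.exe"              # binary produced by Visual Studio
$CerPath   = "C:\build\MyApp-publisher.cer"    # public certificate to put on the website
$TsaUrl    = "http://timestamp.digicert.com"   # public RFC 3161 timestamp server

# 1. Create a code-signing certificate in the current user's personal store.
#    -Type CodeSigningCert sets the key usage / EKU that Authenticode requires.
$cert = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -Subject $Publisher `
    -KeyAlgorithm RSA -KeyLength 3072 `
    -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(3) `
    -CertStoreLocation "Cert:\CurrentUser\My"
"Created certificate, thumbprint: $($cert.Thumbprint)"

# 2. Sign the executable. The timestamp lets the signature stay verifiable
#    after the certificate itself expires.
Set-AuthenticodeSignature -FilePath $ExePath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $TsaUrl | Out-Null

# 3. Check the result. On any machine that does not trust this certificate the
#    Status is "UnknownError" with a "terminated in a root certificate which is
#    not trusted" message; that is the expected outcome for a self-signed cert,
#    and it is what the thread means by "signed but untrusted". "Valid" shows
#    up only where the .cer was imported as trusted; "HashMismatch" means the
#    file was changed after signing.
$check = Get-AuthenticodeSignature -FilePath $ExePath
"Signer : $($check.SignerCertificate.Subject)"
"Status : $($check.Status) - $($check.StatusMessage)"

# 4. Export ONLY the public certificate (DER-encoded .cer, no private key) for
#    the website / Read Me, together with its thumbprint.
Export-Certificate -Cert $cert -FilePath $CerPath | Out-Null
"Publish $CerPath and this thumbprint: $($cert.Thumbprint)"

# --- User side: verify a download against the thumbprint the author published ---
# Comparing the signer's thumbprint proves the file was signed with the key
# behind the published certificate and has not been modified since, without
# the user having to add a self-signed root to their trust store.
function Test-PublisherSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint   # from the website
    )
    $s = Get-AuthenticodeSignature -FilePath $Path
    if ($s.Status -eq 'NotSigned' -or $null -eq $s.SignerCertificate) { return $false }
    if ($s.Status -eq 'HashMismatch') { return $false }   # tampered after signing
    return ($s.SignerCertificate.Thumbprint -eq $ExpectedThumbprint)
}

Test-PublisherSignature -Path $ExePath -ExpectedThumbprint $cert.Thumbprint
```

Two caveats worth stating on the download page. First, the thumbprint check above only works if the thumbprint is fetched from somewhere the attacker cannot also replace (the author's own HTTPS site, not the mirror that serves the zip). Second, a user who wants Windows itself to report the signature as valid has to import the .cer into the Trusted Root store (for example `Import-Certificate -FilePath MyApp-publisher.cer -CertStoreLocation Cert:\LocalMachine\Root` from an elevated prompt); that makes every certificate ever signed with that key trusted for every purpose on that machine, so it is a larger grant than most users should make for one freeware tool, and it does nothing for antivirus or SmartScreen reputation, which is the problem that started this thread.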

#15 razz3333

razz3333
  • Topic Starter

  • Members
  • 104 posts

Posted 10 June 2017 - 03:06 PM

KingDavidlll & Moritz30, thank you both for all your input.





