Author Topic: Self signing your Windows applications  (Read 13070 times)

Timewarp

  • Full Member
  • ***
  • Posts: 144
Self signing your Windows applications
« on: January 03, 2012, 05:18:01 pm »
I've had some (current and past) problems with my Windows applications being detected as malware (false positives).

I just received feedback from them telling me I should at least use a self-signed certificate. That helps them to see history and makes it less likely to be detected.

Do others here do that? Because I had no idea that could be useful.

BigChimp

  • Hero Member
  • *****
  • Posts: 5740
  • Add to the wiki - it's free ;)
    • FPCUp, PaperTiger scanning and other open source projects
Re: Self signing your Windows applications
« Reply #1 on: January 03, 2012, 05:41:47 pm »
I've done it for CheckRide (see sig).

I wonder how it will stop virus scanners etc. detecting it as malware once you've got a signature set? Or are you talking about some corporate antivirus that can whitelist stuff based on the certificates used for signing (if such a thing exists)?
« Last Edit: January 03, 2012, 05:57:23 pm by BigChimp »
Want quicker answers to your questions? Read http://wiki.lazarus.freepascal.org/Lazarus_Faq#What_is_the_correct_way_to_ask_questions_in_the_forum.3F

Open source including papertiger OCR/PDF scanning:
https://bitbucket.org/reiniero

Lazarus trunk+FPC trunk x86, Windows x64 unless otherwise specified

Timewarp

  • Full Member
  • ***
  • Posts: 144
Re: Self signing your Windows applications
« Reply #2 on: January 03, 2012, 07:15:07 pm »
Nothing to do with corporations.

What I did understand is that an application without any signature gets a very poor rating.

It was also said that, if there was a false detection, it's going to be noticed & fixed many times faster if the certificate history is known to them. That means it has been checked before and found clean, or you have used the same certificate before in earlier versions, etc.

ludob

  • Hero Member
  • *****
  • Posts: 1173
Re: Self signing your Windows applications
« Reply #3 on: January 03, 2012, 07:47:03 pm »
Quote
What I did understand is that an application without any signature gets a very poor rating.
And self-signed gets a better rating???? What is the antivirus you are using?

Timewarp

  • Full Member
  • ***
  • Posts: 144
Re: Self signing your Windows applications
« Reply #4 on: January 03, 2012, 10:40:38 pm »
Quote
What is the antivirus you are using?
F-Secure. I don't use it myself, but it's popular here (for obvious reasons). The problem is my users get a false positive and end up losing their files. (And you can all guess where they complain first.)

I was contacted by them directly (in my native language). They said they were sorry for the problems and everything is fixed now. It was also made clear that nowadays a Windows application without any certificate is rare and not a good idea. The advice for me was that I should use a self-signed certificate in the future to reduce the chance of false detections.

It was also said that they don't trust a Verisign certificate any more than a self-signed one until they have confirmed it by themselves. Seems it's all about the history..

marcov

  • Administrator
  • Hero Member
  • *
  • Posts: 12025
  • FPC developer.
Re: Self signing your Windows applications
« Reply #5 on: January 04, 2012, 11:12:34 am »
It's an interesting twist to an old story. I hear of self signing for the first time.

While I think self signing is a potentially good way to avoid trouble with antivirus companies (and if you could run a post event in Lazarus, relatively painless), that is only one side (the antivirus company's). The "everything is already signed" is total bogus IMHO. Only end-user software is signed.

The thing they don't say is that generic threat detection is the cause for the bulk of the problems. In corporate virus scanners this is disabled, and those only react on signatures (since any follow-up will be done by expensive staff, and there are too many false positives).

The consumer antivirus circus however is based on fear, and a notification sometimes (even when false) gives the consumer the feeling the product "works". And it's always the low-end end-user products that give the false warnings (Avira especially). I suspect they are big on generic functionality because their organization is simpler and can't afford as large investments in signature scanning as the big ones (McAfee and Norton to a lesser degree; these write that off on the corporate market).

In general we advise as standard to either use a corporate version (a great argument if the customer bangs on about "professionalism" and he turns out to use a consumer product), or to disable generic detections on systems that run custom software.
« Last Edit: January 04, 2012, 11:15:15 am by marcov »

BigChimp

  • Hero Member
  • *****
  • Posts: 5740
  • Add to the wiki - it's free ;)
    • FPCUp, PaperTiger scanning and other open source projects
Re: Self signing your Windows applications
« Reply #6 on: January 04, 2012, 02:10:48 pm »
If you want to (and your product is open source - could still be payware) there are CAs around that will give you a cert to sign your open source products with (I remember a Polish one that offered free certs)...

That might impress Avira and similar companies even more  :D

TurboRascal

  • Hero Member
  • *****
  • Posts: 672
  • "Good sysadmin. Bad programmer."™
Re: Self signing your Windows applications
« Reply #7 on: January 08, 2012, 01:34:27 am »
So, how is the application signing done? I've never done that before nor felt any need for it so far...

Btw. I must defend Avira since I've almost never had a false positive with it, even with the free version, either on my machines or my users', something which I cannot say for many others, first of all AVG and AVAST, but also McAfee and Symantec. Actually my best experiences concerning detection accuracy, both for quality of detections and lack of false ones, are Avira and NOD32, so I guess I find their heuristics the best. YMMV...
Regards, ArNy the Turbo Rascal
-
"The secret is to give them what they need, not what they want." - Scotty, STTNG:Relics

BigChimp

  • Hero Member
  • *****
  • Posts: 5740
  • Add to the wiki - it's free ;)
    • FPCUp, PaperTiger scanning and other open source projects
Re: Self signing your Windows applications
« Reply #8 on: January 08, 2012, 05:40:04 am »
Quote
So, how is the application signing done? I've never done that before nor felt any need for it so far...

From my notes:

Got a certificate in .cer, .p12 and .pem forms.
Used Certificate Manager (certmgr.msc), imported the p12 format into the key store, marked as exportable, enabled strong private key protection, into the Personal store.
Remember/note the Common Name (CN) in the Subject property. This will be used to select the certificate from the key store.

Actual signing:
Took the Microsoft signing tool from the Windows/Platform SDK.
"C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool" sign /n "subject name of signing cert" /t http://timestamp.verisign.com/scripts/timstamp.dll /v "the exe you want to sign.exe"
(/t: timestamping URL)

I'm sure there must be other ways... but this worked for me  :)

TurboRascal

  • Hero Member
  • *****
  • Posts: 672
  • "Good sysadmin. Bad programmer."™
Re: Self signing your Windows applications
« Reply #9 on: January 09, 2012, 06:42:12 pm »
Thanks, this seems clear enough to do it :)

I guess CACERT certificates could be used?

ludob

  • Hero Member
  • *****
  • Posts: 1173
Re: Self signing your Windows applications
« Reply #10 on: January 10, 2012, 08:41:55 am »
Quote
I guess CACERT certificates could be used?
You need to have a code signing certificate. The most common certificates (some free ones) can only be used to sign emails. Code signing certificates are much more difficult to get. The commercial ones are quite expensive and are considered at a higher level than the ones used for HTTPS connections!

The other point you need to watch out for is the acceptance of the root certificate authority. If Windows (or Firefox or whatever program is verifying the certificate) does not recognise the root certificate authority, then your signed program is still recognised as self-signed. The list of root CAs is typically built into the software that does cert checking to avoid tampering, which means also that it is updated very rarely. A Windows XP will therefore recognise fewer root CAs than Win7. If the CA has a page like this http://wiki.cacert.org/FAQ/BrowserClients you'll probably be in trouble regarding the code signing.
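An added example, not code from anyone in this thread, that scripts the signtool steps from Reply #8 and then checks the point made in Reply #10: whether Windows can build the signature's chain to a root it trusts. It assumes the signtool path from Reply #8, a certificate in the CurrentUser Personal store selected by its Subject CN, and a hypothetical executable path; the `$SubjectCN` and `$ExePath` values are placeholders.

```powershell
# Sign an executable with signtool, then verify how Windows itself rates the
# signature. All paths and names below are assumptions for this example.
param(
    [string]$SubjectCN    = 'Example Code Signing Cert',   # CN in the cert's Subject (placeholder)
    [string]$ExePath      = 'C:\build\myapp.exe',          # the exe to sign (hypothetical)
    [string]$TimestampUrl = 'http://timestamp.verisign.com/scripts/timstamp.dll', # /t URL from the post
    [string]$SignTool     = 'C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe'
)

if (-not (Test-Path $SignTool)) { throw "signtool not found at $SignTool" }
if (-not (Test-Path $ExePath))  { throw "file to sign not found: $ExePath" }

# 1. Sign. /n picks the certificate by subject name from the Personal store,
#    /t attaches a timestamp so the signature stays valid after the certificate
#    itself expires, /v prints details about the chosen certificate.
& $SignTool sign /n $SubjectCN /t $TimestampUrl /v $ExePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 2. Ask Windows what it thinks of the result. Status values that matter here:
#    Valid        - chain ends in a root present in the trusted root store
#    NotSigned    - no Authenticode signature found
#    UnknownError - signed, but the chain does not end in a trusted root;
#                   this is what a self-signed or unknown-CA cert looks like
$sig = Get-AuthenticodeSignature -FilePath $ExePath
$cert = $sig.SignerCertificate

[pscustomobject]@{
    File          = $ExePath
    Status        = $sig.Status
    StatusMessage = $sig.StatusMessage
    Signer        = if ($cert) { $cert.Subject } else { $null }
    Issuer        = if ($cert) { $cert.Issuer }  else { $null }
    # Subject equal to Issuer is the tell-tale of a self-signed certificate
    SelfSigned    = if ($cert) { $cert.Subject -eq $cert.Issuer } else { $false }
    Timestamped   = [bool]$sig.TimeStamperCertificate
} | Format-List
```

Run the same `Get-AuthenticodeSignature` check on a machine that lacks your root certificate to see the `UnknownError` status Reply #10 warns about; only machines where the root is installed report `Valid`.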
