rcmaehl

Signing Executables


Hi all,

What's the cheapest way to be able to sign my EXEs once they're compiled? I want to get rid of "unknown publisher" but what I'm finding is $300-$400 price tags to do so.

Thanks!


My UDFs are generally for me. If they aren't updated for a while, it means I'm not using them myself. As soon as I start using them again, they'll get updated.

My Projects
Cisco Finesse | Github | IRC UDF | WindowEx UDF

 


$68.88

https://www.namecheap.com/security/ssl-certificates/comodo/ev.aspx

 

Though now I dont know the difference between the issuance of EV SSL certs for a domain and EV application certs, unless the former is just a small slice of comodo's business that they are allowing namecheap to resell.

 

Edited by iamtheky

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)


@iamtheky Isn't that certificate only useful for validating domains? I doubt it can be used to sign software and be recognized by Windows.

Some company used to offer free code signing for Open Source developers but they no longer do that now.


A cross-platform implementation of the AutoIt language

My contributions to the AutoIt Community | ##AutoIt at freenode, real-time chat


If I have hurt or offended you in anyway, Please accept my apologies, I never (regardless of the situation) intend to do that to anybody.


Find actual source material for the differences between EV certs that is more than implementation differences. Speculating the opposite of my speculation does not move the thread forward.




I was not sure, so I raised a point along with another comment that I wanted to make, so not all was wasted in that post. I would be happy to know that the Namecheap certificate can be used to sign code though :)




@iamtheky $68.88 / year. But I think it's still cheap for commercial software.

This is a cheaper one for Open Source Projects

 

Saludos


If you want it all for free, check this.

I don't know if it still works, but check anyway.

 

Saludos

 


@Danyfirex Self-signed certificates are worthless to Windows, so it will still show "Unknown Publisher".



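As an added example (not code from the thread or from any poster), the PowerShell below shows concretely what "worthless to Windows" means for a self-signed certificate: it creates a self-signed code-signing certificate, signs a constructed sample file, and reads back the verification status Windows assigns. The subject name, file name and paths are illustrative assumptions; it assumes Windows 10 / Server 2016 or later so that `New-SelfSignedCertificate -Type` is available.

```powershell
# Added example, not from the thread. Assumes Windows 10 / Server 2016 or later
# (New-SelfSignedCertificate -Type) and Windows PowerShell 5.1 or PowerShell 7 on Windows.
# A throw-away .ps1 stands in for the compiled EXE: Authenticode applies the same
# chain-trust rules to both, so pass the EXE path as -FilePath to sign the real binary.
$ErrorActionPreference = 'Stop'

# 1. Self-signed certificate carrying the Code Signing EKU (1.3.6.1.5.5.7.3.3).
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example Self-Signed Publisher' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears(1)

# 2. Constructed sample artifact to sign (assumed name and location).
$target = Join-Path $env:TEMP 'selfsigned-demo.ps1'
Set-Content -Path $target -Value 'Write-Output "hello from a signed artifact"'

# 3. Sign. For anything you ship, add -TimestampServer <RFC 3161 URL> so the signature
#    remains valid after the certificate expires; left out here to keep the example offline.
Set-AuthenticodeSignature -FilePath $target -Certificate $cert -HashAlgorithm SHA256 | Out-Null

# 4. Verify. The hash and signature check out, but the chain terminates in a root (the
#    certificate itself) that is absent from the Trusted Root store, so Windows reports
#    Status UnknownError with "...terminated in a root certificate which is not trusted by
#    the trust provider." That untrusted-chain state is what the UAC prompt presents as
#    "Publisher: Unknown".
$check = Get-AuthenticodeSignature -FilePath $target
[pscustomobject]@{
    Signer     = $check.SignerCertificate.Subject
    SelfSigned = ($cert.Subject -eq $cert.Issuer)
    Status     = $check.Status
    Message    = $check.StatusMessage
}

# 5. The signature only turns Valid on machines where this certificate has been installed
#    as a trusted root, which is why self-signing solves nothing for distributed software:
#    Export-Certificate -Cert $cert -FilePath "$env:TEMP\selfsigned.cer"
#    Import-Certificate -FilePath "$env:TEMP\selfsigned.cer" -CertStoreLocation Cert:\CurrentUser\Root
#    (shown, not run: it changes this account's trust store).

# Cleanup.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"
Remove-Item -Path $target
```

Run it in a non-elevated session; nothing outside the current user's personal store and `$env:TEMP` is touched, and the import into `Cert:\CurrentUser\Root` is deliberately left as a comment because that is the step that makes the trust local-only.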
1 minute ago, TheDcoder said:

@Danyfirex Self-signed certificates are worthless to Windows, so it will still show "Unknown Publisher".

As I said, I don't know. I've never used that method before.

 

Saludos

7 minutes ago, Danyfirex said:

This is a cheaper one for Open Source Projects

I think this was actually the one which used to offer free certificates for Open Source projects; good to know that it is still doing so for a lower amount of money.




Unpopular opinion:  Self signing is not worth any less, because the value of EV certs is zero.  It’s the cyber equivalent of rating lipsticks.

I'll take a proper PKI and app whitelisting before I place any checks for signatures.



12 hours ago, iamtheky said:

find Actual source material for the differences between EV certs that is more than implementation differences.  Speculating the opposite of my speculation does not move the thread forward.

To @TheDcoder's credit, the link you posted says nothing about code signing. In fact, I can't find anything on this site that says they offer code signing certificates or services. Where is your source material?

Edited by spudw2k


Neither does his...  EV certs are EV certs as far as I know, which admittedly is very little.  I do however have familiarity with PKI and that there are a shit ton of different names and formats for what amounts to the same certificate for different applications.

My first guess is that "EV" is used interchangeably between bullshit domain signing and bullshit code signing, and marketing just jumbles all the words together and prints what comes out. That stands until linked to something that explains to me otherwise.




I wasn't talking about his; I was talking about yours. Pretty rude of you to post something that doesn't address the OP's post, then get defensive when another member simply asks a question about something you now admit you don't know about.

EV is extended validation. Being issued an EV cert (whether for SSL or code signing) requires a "rigorous" background check. It is a way to provide an additional level of consumer confidence/trust in the publisher.

SSL and code signing certs don't require EV, but it affords additional trust, at an additional price.



Rigorous, not so much. Let's go with news from... today:

 

 

https://arstechnica.com/information-technology/2017/12/nope-this-isnt-the-https-validated-stripe-website-you-think-it-is/

Tell me again how EV domain certs cannot be used to sign code, because I am not finding it; for real, I'd like to know the difference. Are they owned by the issuer or the person who receives the cert? Are the apps hosted on that domain provided the green lock of safety, or just the static content? Is the app EV a more rigorous vetting than a domain EV? At what point are they not the same thing?

And it's not rude, it's skeptical af that anyone here has any real truth. $5 paperweights and $1 rocks are only separated by marketing.

 

edit: for the last 20 min I diligently attempted to google variations of "EV code signing -vs- EV domain cert", and found nothing. I did learn more about code signing, which is nice; but nothing about material differences and limitations. From what I am reading I can gen some off our CA tomorrow, but it seems like it should be easier to find info.

Edited by iamtheky



Did you read this / do you not trust wiki?
https://en.wikipedia.org/wiki/Public_key_certificate

Relevant sections
Types of certificate - Each one has a specific purpose and usage. They are not interchangeable.
Validation levels - This is where EV comes from.  EV in itself has nothing to do with the certificate type/usage.  


Here's a heavy read, as all RFCs are:
https://tools.ietf.org/html/rfc5280#section-4.2.1.3

 



Thanks for the defence @spudw2k. I have to admit though, I know nothing about certificates. I was talking from the knowledge that I gained while researching something.

12 minutes ago, spudw2k said:

Types of certificate - Each one has specific purpose and usage.  They are not interchangeable.

This is the point that I was thinking about: domain validation certificates cannot sign code, if this is true.




That is technically false for (Microsoft) PKI.  I can generate certificates for specific applications but could still apply them whimsically.  Going to try and interchange more today.

My question is only, if there are no differences between EV certs, what controls prevent them from being used for other than the intended purpose they were generated for.  Are they all administrative controls?

edit: So I can't do any local EV stuff (I think local EV is very much not a thing). I understand the browser trust more now, but that didn't help me with implementations; it looks like with Comodo the vendor is maintaining the private side, thus limiting its usage. But with the gaming of them I am seeing, I still don't understand where all the controls lie.

Edited by iamtheky



Like I said, EV doesn't have to do with certificate usage or types.  It's a validation level.

Focus on the certificate usage/application piece; it doesn't matter if it is EV, DV, local, self-signed.  See what it takes to generate a code signing certificate, TLS/SSL certificate, machine identity certificate and see if they are interchangeable.  I think you'll find they aren't.  

Since you are in an MS env, it may be fair to assume you have access to IIS. If you feel so inclined, try generating a non-TLS certificate and see if you can't use it with HTTPS on IIS.

 

10 hours ago, iamtheky said:

My question is only, if there are no differences between EV certs, what controls prevent them from being used for other than the intended purpose they were generated for.  Are they all administrative controls?

There is nothing (necessarily) to stop a person from using an EV certificate maliciously once they have it; but still, the certificate can only be used for the purpose it was built for (TLS, code signing, etc.). EV goes back to the background screening the CA is supposed to perform before issuing the cert to validate the legitimacy of the requester. I'm sure there is some agreement as well between the CA and the requester that it will be used in an honorable fashion, and it can be revoked if the agreement is broken.


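An added example, not from any post in the thread, for the certificate-usage point spudw2k makes here and in the earlier post citing RFC 5280 (the extension that carries the purpose is Extended Key Usage, RFC 5280 section 4.2.1.12; section 4.2.1.3 is the basic Key Usage bits). It creates two throw-away self-signed certificates, one for TLS server authentication and one for code signing, lists the EKU OIDs each carries, shows which one the Cert: drive treats as a code-signing certificate, and then attempts to sign with the TLS one. Validation level (DV/OV/EV) never appears in the code; the purpose check is entirely driven by the EKU. The hostname, subject, file name and paths are illustrative assumptions, and Windows 10 / Server 2016 or later is assumed.

```powershell
# Added example, not from the thread. Assumes Windows 10 / Server 2016 or later and
# Windows PowerShell 5.1 or PowerShell 7 on Windows. Hostname/subject/paths are made up.
$ErrorActionPreference = 'Stop'
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

# Two throw-away certificates: a TLS server cert and a code-signing cert.
$tls = New-SelfSignedCertificate -Type SSLServerAuthentication -DnsName 'shop.example.test' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(1)
$code = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=Example Publisher' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(1)

function Get-EkuOid {
    # Returns the OIDs in the certificate's Extended Key Usage extension. RFC 5280 treats
    # an absent EKU as "any purpose"; public CAs always set it, so that case is reported.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

foreach ($c in @($tls, $code)) {
    $oids = @(Get-EkuOid -Certificate $c)
    $ekuText = if ($oids.Count) { $oids -join ', ' } else { '<absent: any purpose>' }
    [pscustomobject]@{
        Subject     = $c.Subject
        EKU         = $ekuText
        CanSignCode = ($oids.Count -eq 0) -or ($oids -contains $CodeSigningOid)
        CanServeTls = ($oids.Count -eq 0) -or ($oids -contains $ServerAuthOid)
    }
}

# The Cert: drive's -CodeSigningCert filter applies the same EKU test (it is also how
# signtool picks a certificate automatically): only the code-signing cert comes back.
$ours = @($tls.Thumbprint, $code.Thumbprint)
Get-ChildItem 'Cert:\CurrentUser\My' -CodeSigningCert |
    Where-Object { $_.Thumbprint -in $ours } |
    ForEach-Object { "Usable for Authenticode: $($_.Subject)" }

# Try to sign with the TLS certificate. Windows refuses it before any signature is made
# ("Cannot sign code. The specified certificate is not suitable for code signing.").
$target = Join-Path $env:TEMP 'eku-demo.ps1'
Set-Content -Path $target -Value 'Write-Output "eku demo"'   # constructed sample file
try {
    Set-AuthenticodeSignature -FilePath $target -Certificate $tls -HashAlgorithm SHA256 | Out-Null
    'Unexpected: TLS certificate accepted for code signing'
} catch {
    "TLS certificate rejected: $($_.Exception.Message)"
}

# Cleanup.
Remove-Item -Path "Cert:\CurrentUser\My\$($tls.Thumbprint)", "Cert:\CurrentUser\My\$($code.Thumbprint)"
Remove-Item -Path $target
```

The same check applies to a certificate you buy: look at its EKU list before paying. A certificate sold for HTTPS carries serverAuth, a code-signing certificate carries codeSigning, and the CA's EV vetting changes who gets the certificate, not which EKU is in it.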
