Jump to content

Signing Executables

rcmaehl

By rcmaehl,
in Developer General Discussion

 Share

Recommended Posts

rcmaehl Universalist

rcmaehl

Posted
Posted

Hi all,

What's the cheapest way to be able to sign my EXEs once they're compiled? I want to get rid of "unknown publisher" but what I'm finding is $300-$400 price tags to do so.

Thanks!

My UDFs are generally for me. If they aren't updated for a while, it means I'm not using them myself. As soon as I start using them again, they'll get updated.

My Projects

WhyNotWin11
Cisco FinesseGithubIRC UDFWindowEx UDF

 

Link to comment
Share on other sites
iamtheky Universalist

iamtheky

Posted
Posted (edited)

$68.88

https://www.namecheap.com/security/ssl-certificates/comodo/ev.aspx

 

Though now I dont know the difference between the issuance of EV SSL certs for a domain and EV application certs, unless the former is just a small slice of comodo's business that they are allowing namecheap to resell.

 

Edited by iamtheky 

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Link to comment
Share on other sites
TheDcoder Universalist

TheDcoder

Posted
Posted

@iamtheky Isn't that certificate only useful for validating domains? I doubt it can be used to sign software and be recognized by Windows.

Some company used to offer free code signing for Open Source developers but they no longer do that now.

EasyCodeIt - A cross-platform AutoIt implementation - Fund the development! (GitHub will double your donations for a limited time)

DcodingTheWeb Forum - Follow for updates and Join for discussion

Link to comment
Share on other sites
iamtheky Universalist

iamtheky

Posted
Posted

find Actual source material for the differences between EV certs that is more than implementation differences.  Speculating the opposite of my speculation does not move the thread forward. 

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Link to comment
Share on other sites
TheDcoder Universalist

TheDcoder

Posted
Posted

I was not sure so I raised a point, along with another comment that I wanted to make, so not all gone to waste in that post, I would be happy to know that the Namecheap certificate can be used to sign code though :)

EasyCodeIt - A cross-platform AutoIt implementation - Fund the development! (GitHub will double your donations for a limited time)

DcodingTheWeb Forum - Follow for updates and Join for discussion

Link to comment
Share on other sites
Danyfirex Universalist

Danyfirex

Posted
Posted

@iamtheky   $68.88 / year. But I think It's still cheap for a commercial software.

This is a cheaper one for Open Source Projects

 

Saludos

:hyper: Danysys.com :ninja:

autoit_scripter_blue_userbar.png

       AutoIt...

 

UDFs: VirusTotal API 2.0 UDF - libZPlay UDF - Apps: Guitar Tab Tester - VirusTotal Hash Checker

Examples: Text-to-Speech ISpVoice Interface - Get installed applications - Enable/Disable Network connection   PrintHookProc - WINTRUST - Mute Microphone Level - Get Connected NetWorks - Create NetWork Connection ShortCut

 

 

Link to comment
Share on other sites
Danyfirex Universalist

Danyfirex

Posted
Posted

If you want all for free check this.

I don't know if it still works. but check anyway.

 

Saludos

 

:hyper: Danysys.com :ninja:

autoit_scripter_blue_userbar.png

       AutoIt...

 

UDFs: VirusTotal API 2.0 UDF - libZPlay UDF - Apps: Guitar Tab Tester - VirusTotal Hash Checker

Examples: Text-to-Speech ISpVoice Interface - Get installed applications - Enable/Disable Network connection   PrintHookProc - WINTRUST - Mute Microphone Level - Get Connected NetWorks - Create NetWork Connection ShortCut

 

 

Link to comment
Share on other sites
Danyfirex Universalist

Danyfirex

Posted
Posted
1 minute ago, TheDcoder said:

@Danyfirex Self signed certificates are worthless to Windows so it will still how "Unknown Publisher".

as I said I dont know. I've never used that method before.

 

Saludos

:hyper: Danysys.com :ninja:

autoit_scripter_blue_userbar.png

       AutoIt...

 

UDFs: VirusTotal API 2.0 UDF - libZPlay UDF - Apps: Guitar Tab Tester - VirusTotal Hash Checker

Examples: Text-to-Speech ISpVoice Interface - Get installed applications - Enable/Disable Network connection   PrintHookProc - WINTRUST - Mute Microphone Level - Get Connected NetWorks - Create NetWork Connection ShortCut

 

 

Link to comment
Share on other sites
TheDcoder Universalist

TheDcoder

Posted
Posted
7 minutes ago, Danyfirex said:

This is a cheaper one for Open Source Projects

I think this was actually the one which used to offer free certificates for Open Source projects, good to know that it is still doing for a lower amount of money.

EasyCodeIt - A cross-platform AutoIt implementation - Fund the development! (GitHub will double your donations for a limited time)

DcodingTheWeb Forum - Follow for updates and Join for discussion

Link to comment
Share on other sites
Danyfirex Universalist

Danyfirex

Posted
Posted

Yes It was.  anyway It's still cheap.

 

Saludos

:hyper: Danysys.com :ninja:

autoit_scripter_blue_userbar.png

       AutoIt...

 

UDFs: VirusTotal API 2.0 UDF - libZPlay UDF - Apps: Guitar Tab Tester - VirusTotal Hash Checker

Examples: Text-to-Speech ISpVoice Interface - Get installed applications - Enable/Disable Network connection   PrintHookProc - WINTRUST - Mute Microphone Level - Get Connected NetWorks - Create NetWork Connection ShortCut

 

 

Link to comment
Share on other sites
iamtheky Universalist

iamtheky

Posted
Posted

Unpopular opinion:  Self signing is not worth any less, because the value of EV certs is zero.  It’s the cyber equivalent of rating lipsticks.

 I’ll take a proper PKI and app whitelisting before I place any checks for signatures. 

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Link to comment
Share on other sites
spudw2k Universalist

spudw2k

Posted
Posted (edited)
12 hours ago, iamtheky said:

find Actual source material for the differences between EV certs that is more than implementation differences.  Speculating the opposite of my speculation does not move the thread forward.

To @TheDcoder credit, the link you posted to says nothing about code signing.  In fact, I can't find anything on this site that says they offer code signing certificates or services.  Where is your source material?

Edited by spudw2k
Spoiler

Things I've Made: Always On Top Tool ◊ AU History ◊ Deck of CardsHideItICUIcon FreezerIpod EjectorJunos Configuration ExplorerLink DownloaderMD5 Folder EnumeratorPassGen ◊ Ping ToolQuick NICRead OCRRemoteITSchTasksGuiSpyCamSystem Scan Report ToolSystem UpTimeTransparency Machine VMWare ESX Builder
Misc Code Snippets: ADODB ExampleCheckHover ◊ Detect SafeModeDynEnumArrayGetNetStatData ◊ HashArrayIsBetweenDates Local AdminsMake ChoiceRecursive File ListRemove Sizebox StyleRetrieve PNPDeviceIDRetreive SysListView32 ContentsSet IE Homepage Tickle Expired PasswordTranspose Array
Projects: Drive Space Usage GUI ◊ LEDkITPlasma_kIt ◊ Scan Engine BuilderSpeeDBurnerSubnetCalc
Cool Stuff: AutoItObject UDF Extract Icon From ProcGuiCtrlFontRotateHex Edit FuncsRun binaryService_UDF

 

Link to comment
Share on other sites
iamtheky Universalist

iamtheky

Posted
Posted

Neither does his...  EV certs are EV certs as far as I know, which admittedly is very little.  I do however have familiarity with PKI and that there are a shit ton of different names and formats for what amounts to the same certificate for different applications.

My first guess is that "EV" is used interchangeably between bullshit domain signing and bullshit code signing, and marketing just jumbles all the words together and prints what comes out. That stands until linked to something that explains to me otherwise. 

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Link to comment
Share on other sites
spudw2k Universalist

spudw2k

Posted
Posted

I wasn't talking about his; I was talking about yours.  Pretty rude of you to post something that doesn't address the OPs post, then get defensive when another member simply asks a question to which you now admit you don't know about.

EV is extended validation.  In order to be issued a EV cert (whether for SSL or code signing) requires a "rigorous" background check.  It is a way to provide an additional level of consumer confidence/trust in the publisher. 

SSL and code signing certs don't require EV, but it affords additional trust, at an additional price.

Spoiler

Things I've Made: Always On Top Tool ◊ AU History ◊ Deck of CardsHideItICUIcon FreezerIpod EjectorJunos Configuration ExplorerLink DownloaderMD5 Folder EnumeratorPassGen ◊ Ping ToolQuick NICRead OCRRemoteITSchTasksGuiSpyCamSystem Scan Report ToolSystem UpTimeTransparency Machine VMWare ESX Builder
Misc Code Snippets: ADODB ExampleCheckHover ◊ Detect SafeModeDynEnumArrayGetNetStatData ◊ HashArrayIsBetweenDates Local AdminsMake ChoiceRecursive File ListRemove Sizebox StyleRetrieve PNPDeviceIDRetreive SysListView32 ContentsSet IE Homepage Tickle Expired PasswordTranspose Array
Projects: Drive Space Usage GUI ◊ LEDkITPlasma_kIt ◊ Scan Engine BuilderSpeeDBurnerSubnetCalc
Cool Stuff: AutoItObject UDF Extract Icon From ProcGuiCtrlFontRotateHex Edit FuncsRun binaryService_UDF

 

Link to comment
Share on other sites
iamtheky Universalist

iamtheky

Posted
Posted (edited)

rigorous, not so much.  lets go with news from ......today

 

 

https://arstechnica.com/information-technology/2017/12/nope-this-isnt-the-https-validated-stripe-website-you-think-it-is/

Tell me again how EV domain certs cannot be used to sign code, because I am not finding it, for real i'd like to know the difference.  Are they owned by the issuer or the person who receives the cert?  Are the apps hosted on that domain provided the green lock of safety or just the static content?  Is the app EV a more rigorous vetting than a domain EV, at what point are they not the same thing.

And its not rude, its skeptical af that anyone here has any real truth.  $5 paperweights and $1 rocks are only separated by marketing.

 

edit: for the last 20min I diligently attempted to google variations of "EV code signing -vs- EV domain cert", and found nothing.  I did learn more about code signing, which is nice; but nothing about material differences and limitations.  From what I am reading I can gen some off our CA tomorrow, but seems like it should be easier to find info.

Edited by iamtheky 

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Link to comment
Share on other sites
spudw2k Universalist

spudw2k

Posted
Posted

Did you read this / do you not trust wiki?
https://en.wikipedia.org/wiki/Public_key_certificate

Relevant sections
Types of certificate - Each one has specific purpose and usage.  They are not interchangeable.
Validation levels - This is where EV comes from.  EV in itself has nothing to do with the certificate type/usage.  


Here's a heavy read, as all RFCs are:
https://tools.ietf.org/html/rfc5280#section-4.2.1.3

 

Spoiler

Things I've Made: Always On Top Tool ◊ AU History ◊ Deck of CardsHideItICUIcon FreezerIpod EjectorJunos Configuration ExplorerLink DownloaderMD5 Folder EnumeratorPassGen ◊ Ping ToolQuick NICRead OCRRemoteITSchTasksGuiSpyCamSystem Scan Report ToolSystem UpTimeTransparency Machine VMWare ESX Builder
Misc Code Snippets: ADODB ExampleCheckHover ◊ Detect SafeModeDynEnumArrayGetNetStatData ◊ HashArrayIsBetweenDates Local AdminsMake ChoiceRecursive File ListRemove Sizebox StyleRetrieve PNPDeviceIDRetreive SysListView32 ContentsSet IE Homepage Tickle Expired PasswordTranspose Array
Projects: Drive Space Usage GUI ◊ LEDkITPlasma_kIt ◊ Scan Engine BuilderSpeeDBurnerSubnetCalc
Cool Stuff: AutoItObject UDF Extract Icon From ProcGuiCtrlFontRotateHex Edit FuncsRun binaryService_UDF

 

Link to comment
Share on other sites
TheDcoder Universalist

TheDcoder

Posted
Posted

Thanks for the defence @spudw2k. I have to admit though, I know nothing about certificates. I was talking from the knowledge that I gained while researching something.

12 minutes ago, spudw2k said:

Types of certificate - Each one has specific purpose and usage.  They are not interchangeable.

This is the point that I was thinking about, domain validation certificates cannot sign code if this is true.

EasyCodeIt - A cross-platform AutoIt implementation - Fund the development! (GitHub will double your donations for a limited time)

DcodingTheWeb Forum - Follow for updates and Join for discussion

Link to comment
Share on other sites
iamtheky Universalist

iamtheky

Posted
Posted (edited)

That is technically false for (Microsoft) PKI.  I can generate certificates for specific applications but could still apply them whimsically.  Going to try and interchange more today.

My question is only, if there are no differences between EV certs, what controls prevent them from being used for other than the intended purpose they were generated for.  Are they all administrative controls?

edit:  So cant do any local EV stuff (i think local EV is very much not a thing).  I understand the browser trust more now, but that didnt help me with implementations, but it looks like with comodo the vendor is maintaining the private side thus limiting its usage.  But with the gaming of them I am seeing, I still dont understand where all the controls lie.  

Edited by iamtheky 

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Link to comment
Share on other sites
spudw2k Universalist

spudw2k

Posted
Posted

Like I said, EV doesn't have to do with certificate usage or types.  It's a validation level.

Focus on the certificate usage/application piece; it doesn't matter if it is EV, DV, local, self-signed.  See what it takes to generate a code signing certificate, TLS/SSL certificate, machine identity certificate and see if they are interchangeable.  I think you'll find they aren't.  

Since you are in an MS env, it may be fair to assume you have access to IIS.  If you feel so inclined, try generating a non-TLS certificate and see if you cant use it with HTTPS on IIS. 

 

10 hours ago, iamtheky said:

My question is only, if there are no differences between EV certs, what controls prevent them from being used for other than the intended purpose they were generated for.  Are they all administrative controls?

There is nothing (necessarily) to stop a person from using an EV certificate maliciously once they have it; but still, the certificate can only be used for the purpose it was built for (TLS, code signing, etc.)  EV goes back to the background screening the CA is supposed to perform before issuing the cert to validate legitimacy of the requester.  I'm sure there is some agreement as well between the CA and the requester will use it in an honorable fashion, and it can be revoked if the agreement is broken.  

Spoiler

Things I've Made: Always On Top Tool ◊ AU History ◊ Deck of CardsHideItICUIcon FreezerIpod EjectorJunos Configuration ExplorerLink DownloaderMD5 Folder EnumeratorPassGen ◊ Ping ToolQuick NICRead OCRRemoteITSchTasksGuiSpyCamSystem Scan Report ToolSystem UpTimeTransparency Machine VMWare ESX Builder
Misc Code Snippets: ADODB ExampleCheckHover ◊ Detect SafeModeDynEnumArrayGetNetStatData ◊ HashArrayIsBetweenDates Local AdminsMake ChoiceRecursive File ListRemove Sizebox StyleRetrieve PNPDeviceIDRetreive SysListView32 ContentsSet IE Homepage Tickle Expired PasswordTranspose Array
Projects: Drive Space Usage GUI ◊ LEDkITPlasma_kIt ◊ Scan Engine BuilderSpeeDBurnerSubnetCalc
Cool Stuff: AutoItObject UDF Extract Icon From ProcGuiCtrlFontRotateHex Edit FuncsRun binaryService_UDF

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...