signing executable

Hi,
we have the requirement to sign an executable in order to ba Vista-approved (whatever the official term is). Consider me a complete newbie in this. I haven't even sen Vista yet.
How do I start? What do I need to do?
Schobi
-- SpamTrap@gmx.de is never read I'm Schobi at suespammers dot org
"The sarcasm is mightier than the sword." Eric Jarvis

It doesn't need to be "Vista" approved, just "approved" :o) If you go to Verisign or somewhere and obtain a certificate for your application, this verifies where the file actually came from and replaces the "Unknown author" in the setup which usually makes the user a bit weary about installing it.
If you have a name or a software vendor on there, it looks genuine :o)
-- Zack Whittaker » ZackNET Enterprises: www.zacknet.co.uk » MSBlog on ResDev: www.msblog.org » Vista Knowledge Base: www.vistabase.co.uk » This mailing is provided "as is" with no warranties, and confers no rights. All opinions expressed are those of myself unless stated so, and not of my employer, best friend, Ghandi, my mother or my cat. Glad we cleared that up!
--: Original message follows :-- "Hendrik Schober" wrote in message

Hi,
we have the requirement to sign an executable in order to ba Vista-approved (whatever the official term is). Consider me a complete newbie in this. I haven't even sen Vista yet.
How do I start? What do I need to do?
Schobi
-- SpamTrap@gmx.de is never read I'm Schobi at suespammers dot org
"The sarcasm is mightier than the sword." Eric Jarvis

For .Net executables, you can have Visual Studio generate a digital signature. Although it's not publicly registered with a reputable Certification Authority, (which costs a bundle), it should be enough. -- Pierre Szwarc Paris, France PGP key ID 0x75B5779B ------------------------------------------------ Multitasking: Reading in the bathroom ! ------------------------------------------------
"Hendrik Schober" a écrit dans le message de news: OSPgcm1bGHA.3900@TK2MSFTNGP05.phx.gbl... | Hi, | | we have the requirement to sign an executable in order | to ba Vista-approved (whatever the official term is). | Consider me a complete newbie in this. I haven't even | sen Vista yet. | | How do I start? What do I need to do? | | Schobi

Hmm, pardon my ignorance and I don't mean to sound smarmy. But isn't the idea of signing supposed to be to provide some authentication, accountability and nonrepudiation in terms of who wrote the code? If anyone can just sign an executable however they want, what's the point of signing? What would prevent someone from creating a tainted version of an app and signing it as though it were the original app?

"Pierre Szwarc" wrote in message

For .Net executables, you can have Visual Studio generate a digital signature. Although it's not publicly registered with a reputable Certification Authority, (which costs a bundle), it should be enough. -- Pierre Szwarc Paris, France PGP key ID 0x75B5779B ------------------------------------------------ Multitasking: Reading in the bathroom ! ------------------------------------------------
"Hendrik Schober" a écrit dans le message de news: OSPgcm1bGHA.3900@TK2MSFTNGP05.phx.gbl... | Hi, | | we have the requirement to sign an executable in order | to ba Vista-approved (whatever the official term is). | Consider me a complete newbie in this. I haven't even | sen Vista yet. | | How do I start? What do I need to do? | | Schobi

You're quite correct, of course. However, once you've installed a signed app, even if it's not certified, a modified one with a different digital certificate will be detected. -- Pierre Szwarc Paris, France PGP key ID 0x75B5779B ------------------------------------------------ Multitasking: Reading in the bathroom ! ------------------------------------------------
"Puppy Breath" a écrit dans le message de news: 2A18B271-7E9D-4BAF-A00D-8103A17EFCD9@microsoft.com... | Hmm, pardon my ignorance and I don't mean to sound smarmy. But isn't the | idea of signing supposed to be to provide some authentication, | accountability and nonrepudiation in terms of who wrote the code? If anyone | can just sign an executable however they want, what's the point of signing? | What would prevent someone from creating a tainted version of an app and | signing it as though it were the original app?

So on the initial installation would the user see something like "Publisher can't be verified"? And then what would happen on a subsequent attempt to replace or change it?
"Pierre Szwarc" wrote in message

You're quite correct, of course. However, once you've installed a signed app, even if it's not certified, a modified one with a different digital certificate will be detected. -- Pierre Szwarc Paris, France PGP key ID 0x75B5779B ------------------------------------------------ Multitasking: Reading in the bathroom ! ------------------------------------------------
"Puppy Breath" a écrit dans le message de news: 2A18B271-7E9D-4BAF-A00D-8103A17EFCD9@microsoft.com... | Hmm, pardon my ignorance and I don't mean to sound smarmy. But isn't the | idea of signing supposed to be to provide some authentication, | accountability and nonrepudiation in terms of who wrote the code? If anyone | can just sign an executable however they want, what's the point of signing? | What would prevent someone from creating a tainted version of an app and | signing it as though it were the original app?

That's about it. AFAIK, if the digital certificate's signature is different from the original installation's, you'd get a message to that effect, which should alert you to possible hanky-panky. -- Pierre Szwarc Paris, France PGP key ID 0x75B5779B ------------------------------------------------ Multitasking: Reading in the bathroom ! ------------------------------------------------
"Puppy Breath" a écrit dans le message de news: F6F282D6-302C-4FE2-93E2-387C358B94FB@microsoft.com... | So on the initial installation would the user see something like "Publisher | can't be verified"? And then what would happen on a subsequent attempt to | replace or change it?

Hendrik Schober wrote:

Hi,
we have the requirement to sign an executable in order to ba Vista-approved (whatever the official term is). Consider me a complete newbie in this. I haven't even sen Vista yet.
How do I start? What do I need to do?

Thank you everyone for commenting on this. It seems we'll buy a VeriSign ID and sign using this.
Schobi
-- SpamTrap@gmx.de is never read I'm Schobi at suespammers dot org
"The sarcasm is mightier than the sword." Eric Jarvis

All a certificate buys you is that you know "who" the exe came from...there is a trail. Lots of "ware" has used signing to bypass security even when they are less than reputable. I don't trust certs anymore...
Josh
"Pierre Szwarc" wrote in message

That's about it. AFAIK, if the digital certificate's signature is different from the original installation's, you'd get a message to that effect, which should alert you to possible hanky-panky. -- Pierre Szwarc Paris, France PGP key ID 0x75B5779B ------------------------------------------------ Multitasking: Reading in the bathroom ! ------------------------------------------------
"Puppy Breath" a écrit dans le message de news: F6F282D6-302C-4FE2-93E2-387C358B94FB@microsoft.com... | So on the initial installation would the user see something like "Publisher | can't be verified"? And then what would happen on a subsequent attempt to | replace or change it?

Which kind of defeats the whole purpose of digital signatures, doesn't it? ;)) -- Pierre Szwarc Paris, France PGP key ID 0x75B5779B ------------------------------------------------ Multitasking: Reading in the bathroom ! ------------------------------------------------
"Josh" a écrit dans le message de news: eJIQ5O5cGHA.4264@TK2MSFTNGP05.phx.gbl... [snip] | I don't trust certs anymore... |