Microsoft released Windows XP SP2 several years ago, yet still only a minority of software publishers digitally sign their products to enable Windows to verify the identity of the publisher. When someone downloads software that has not been signed, the web browser displays a message that the publisher could not be verified and the application may not be trusted.
Developers hope that users will dismiss these warnings with "OK". But this may be a false assumption as people become more security conscious. A software publishing certificate (or code signing certificate) may seem an undesirable expense but you only need to make a few extra sales of a product per year to justify it.
Code Signing Certificate
Code signing, or Authenticode, to use the name of Microsoft's implementation of it, is a technology based on standard cryptographic techniques. Two keys are generated. One key is used to encrypt information and the other must be used to decrypt it. The encrypting key is kept private, and is known as the private key. The decrypting key can be made public.
Code signing, or Authenticode, to use the name of Microsoft's implementation of it, is a technology based on standard cryptographic techniques. Two keys are generated. One key is used to encrypt information and the other must be used to decrypt it. The encrypting key is kept private, and is known as the private key. The decrypting key can be made public.
When a program or file is signed, the code signing tool generates a one-way hash of the file contents. This is a large number that is for all practical purposes unique to the file that generated it. This value is then encrypted using the private key and stored, together with the public key, in the file's digital certificate. When someone opens the file, their computer also generates a hash of the contents. At the same time, it decrypts the encrypted hash using the public key, and compares the results. If they are identical, the signature is valid and the file has not been modified since the signature was added.
Verifying integrity
Digital signatures provide the ability to prove the integrity of a file. In the case of software, this has the advantage that it can show that a file has not been infected by a virus since it was created. It would, of course, be possible for someone to infect a program with a virus and then sign it. Therefore an important additional function of Authenticode digital signing is that it can also verify who the software publisher is, and that it is a publisher that can be trusted.
Digital signatures provide the ability to prove the integrity of a file. In the case of software, this has the advantage that it can show that a file has not been infected by a virus since it was created. It would, of course, be possible for someone to infect a program with a virus and then sign it. Therefore an important additional function of Authenticode digital signing is that it can also verify who the software publisher is, and that it is a publisher that can be trusted.
To do this, digital signatures are counter-signed by a trusted certification authority, whose job it is to verify the integrity of the companies and individuals who apply for code signing certificates before they are issued. Windows will only trust certificates signed by one of three certification authorities: Verisign, Thawte and Comodo.
When you buy a code signing certificate, you are asked to provide documentary proof that you are who your certificate will show you to be. This prevents malicious inividuals from obtaining certificates that would enable them to claim their software came from Microsoft or any other reputable company.
Establishing trust
Establishing trust
The manual checking needed to verify the identity of applicants is the reason why code signing certificates seem expensive. However, the cost is really a small price to pay for a measure that helps establish trust between you and your customers, and which will encourage more potential buyers to install your free trial products with confidence.
About the Author
Julian Moss is director of Tech-Pro Limited. Visit Tech-Pro.net for more information on code signing for developers, and to download a free code signing tool.
Julian Moss is director of Tech-Pro Limited. Visit Tech-Pro.net for more information on code signing for developers, and to download a free code signing tool.
No comments:
Post a Comment