I usually make free Windows applications, now I want to digitally sign them. So
Question
I usually make free Windows applications, now I want to digitally sign them. So users can be sure that it's from me. But instead of buying the code signing certificate, I thought I may create my own. But then again, if I can create one, then anybody can create one with the same info as mine. However, I don't actually understand how this whole thing works at the end user's side.
Let's say I have a string in my application, and I digitally sign it. But then some other guy changes that string and he creates his own certificate with the same company name as mine, then signs it. How will the end user know it's from him, not from me? Or doesn't it work this way?
As far as I understood, when creating my own certificate, it needs to be added to some sort of store so Windows can recognize it? That means, if I create my own certificate, all end users will need to add my certificate to their computers as well? And if that's true, then how can I be sure that if I purchase the certificate, it will be available at the user's end? What if it's not there?
Explanation / Answer
The point of code signing is to prove that the program is from a particular, presumably reliable, source. Typically a CA based certificate ensures that some identity verification has been done so you have a fairly high degree of trust that the code is from the person who signed it.
You can self-sign, which will still prove that it was released by the holder of the private key that corresponds to the public key it is signed with. However, there is no independent verification of the identity, so it is only useful for verifying that the same person produced two different programs.
Someone else could make a similar certificate with the same details, but they would not have your private key, and the thumbprint of the certificate would not match. Your users shouldn't be trusting the identity information of a self-signed certificate anyway; they should just know that the last program they got from you matches the new program they got from you, so if the first was actually from you, then so is the second.
Without compromising your private key, which only you have, there is no way for the attacker to match the thumbprint of your signature, thus they can't truly impersonate you to an alert user.
That said, your average user may well not recognize that fact and would just trust whatever is provided by the certificate, even if it has a different thumbprint. This is why it really is worth getting a code signing cert from a CA if you want to do this kind of thing.
You can obtain one very cheaply from some of the cheaper CAs. Personally, I got mine through StartSSL. It was $60 to get my identity verified and after that I can issue as many SSL certs and S/Mime certs as I want in my name for a year, as well as being issued a code signing certificate in my name.
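The thumbprint argument in the answer can be shown end to end with a small model. The Go program below is an added example (not part of the original answer, and not how Windows Authenticode is actually implemented): it models a self-signed certificate as a subject name plus an Ed25519 public key, derives a thumbprint by hashing the certificate contents (Windows hashes the DER-encoded X.509 certificate instead; the modelling is an assumption), and then shows that a second certificate created with the identical subject name still produces a different thumbprint and a signature that fails against the pinned one, while tampering with a signed program under the genuine certificate breaks the signature itself. The identity strings and program bytes are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Cert is a toy self-signed "certificate": identity fields plus the public key.
// A real code signing certificate is an X.509 structure; this is a model only.
type Cert struct {
	Subject string // e.g. a company name, freely choosable by anyone
	Pub     ed25519.PublicKey
}

// Thumbprint models the certificate thumbprint a user can inspect: a hash over
// the certificate contents. Because the public key is part of the input, two
// certificates with the same Subject but different key pairs never collide.
func (c Cert) Thumbprint() string {
	h := sha256.New()
	h.Write([]byte(c.Subject))
	h.Write(c.Pub)
	return hex.EncodeToString(h.Sum(nil))
}

// SignedProgram bundles the program bytes, the signature and the certificate
// that was used, as a signed executable carries its signature block.
type SignedProgram struct {
	Code []byte
	Sig  []byte
	Cert Cert
}

// NewIdentity creates a fresh key pair and a self-signed certificate for it.
func NewIdentity(subject string) (Cert, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Cert{}, nil, err
	}
	return Cert{Subject: subject, Pub: pub}, priv, nil
}

// Sign produces the signed program; only the holder of priv can do this.
func Sign(code []byte, cert Cert, priv ed25519.PrivateKey) SignedProgram {
	return SignedProgram{Code: code, Sig: ed25519.Sign(priv, code), Cert: cert}
}

// Verify is what an alert user does: compare the thumbprint of the certificate
// shipped with the program against the thumbprint pinned from an earlier,
// known-good release, and only then check the signature over the code.
// The Subject field is deliberately ignored: anyone can type the same name.
func Verify(p SignedProgram, pinnedThumbprint string) (bool, string) {
	if p.Cert.Thumbprint() != pinnedThumbprint {
		return false, "thumbprint mismatch"
	}
	if !ed25519.Verify(p.Cert.Pub, p.Code, p.Sig) {
		return false, "bad signature"
	}
	return true, "ok"
}

func main() {
	mine, myPriv, err := NewIdentity("CN=Example Software")
	if err != nil {
		panic(err)
	}
	release := Sign([]byte("constructed program bytes v1"), mine, myPriv)
	pinned := mine.Thumbprint() // the user recorded this from the first release

	// Genuine second release from the same key pair.
	ok, why := Verify(Sign([]byte("constructed program bytes v2"), mine, myPriv), pinned)
	fmt.Println("genuine v2:", ok, why)

	// Someone else creates a certificate with the identical subject name.
	impostor, impostorPriv, _ := NewIdentity("CN=Example Software")
	ok, why = Verify(Sign([]byte("modified program bytes"), impostor, impostorPriv), pinned)
	fmt.Println("same-name impostor:", ok, why)

	// The original release with one byte of code altered after signing.
	tampered := release
	tampered.Code = []byte("constructed program bytes v1 + patch")
	ok, why = Verify(tampered, pinned)
	fmt.Println("tampered genuine release:", ok, why)
}
```

The ordering inside Verify is the practical lesson: checking the subject name would accept the impostor, checking the signature alone would also accept it (it is validly signed by the impostor's own key), so the pinned thumbprint is the check that actually distinguishes the two. A CA-issued certificate removes the need for the user to pin anything by having the CA vouch for the subject name instead.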