Also, the validation requirements to obtain a code-signing certificate, while certainly not bulletproof, are not nothing: you need to send in articles of incorporation and your business needs a listing with a physical address and phone number in a public directory (e.g., bbb.org), and someone representing your business needs to pick up that phone when the cert validator calls it.
Your business name and physical address are injected into the certificate. Basically code-signing certificates make it easier for people to find you and sue you if they truly want to. I suspect that's the whole point.
The problem here is that the Notepad++ developer wants his certificate to say CN=Notepad++, but he won't be able to obtain that until he has some kind of business or organization registered in his jurisdiction with that name. Whereas CN=FIRSTNAME LASTNAME he could probably obtain immediately (just send in his driver's license during validation).
Why? If I expect to make four figures on spreading malware/adware, and I can assuage the nerves of people like you by spending two or three figures on a certificate, I'm going to buy the certificate and make it look all nice and pretty and take your money.
> Your business name and physical address are injected into the certificate. Basically code-signing certificates make it easier for people to find you and sue you if they truly want to. I suspect that's the whole point.
So I have to incorporate in Delaware, make up a fake address, and rent a burner phone for a while. I'm not seeing the downside.
https://www.bizfilings.com/toolkit/research-topics/incorpora...
> Delaware does not require director names and addresses to be listed in the Certificate of Incorporation.
This is a misapplication of Bayes theorem.
P(bad) is the probability any app is bad
P(signed) is the probability any app is signed
P(bad if signed) = P(signed if bad) * P(bad) / P(signed)
Malware authors have incentive to make their apps appear legitimate, either by stealing keys, impersonating companies, or other mechanisms. Signing also helps get past automated checks (per the paper above).
Further, those probabilities assume random distribution, but I'd suggest that really expensive/dangerous malware has greater incentives to appear safe, so it is even more likely to be signed, even if most malware is not. Stuxnet would be a case in point - high value, sophisticated malware, signed.
P(really bad if signed) = P(signed if really bad) * P(really bad) / P(signed)
P(really bad) is lower,
but P(signed if really bad) approaches 1,
so P(really bad if signed) approaches P(really bad)
Also the fact that you are required to have a corporation, why? If I develop again an open source software I need to register a corporation just to deploy that software on Windows the correct way? That is total bullshit for me, just let me sign my software like is done on other platforms for nothing or a very small fee and done.
$20 doesn't get you an EV certificate anywhere.
We're talking about non-trivial hundreds of dollars per year, which is completely unsustainable for an open source driver for example.
Signing and certificates revolve around trust/mistrust in the delivery channel not in the purveyor.
That problem can be solved with other tools, like PGP. You don't have to be blackmailed by a platform's certificate racket.
Why?
> you need to send in articles of incorporation and your business needs a listing with a physical address and phone number in a public directory (e.g., bbb.org), and someone representing your business needs to pick up that phone when the cert validator calls it.
So you only trust code that comes from businesses?
Ever notice how most con-men wear nice suits? Your advocating for the digital equivalent.
I don't trust poor people either. Bigger chance that they're scaming .... because they need the money.
Even in good old bureaucratic Germany this will take you less than an hour and cost you about 30€. Can't believe it can be much worse anywhere else.
Reputation requirements either shouldn't have backdoors or shouldn't exist in the first place.
1. https://twitter.com/JosephRyanRies/status/951643158118567937
Arguably the Reputation requirement is more helpful than the information held in the certificate, since Reputation is hard to fake whereas that information is provided by the requestor and its validation depends on the CA's processes (which as I said varies wildly).
It is one of those "greater good" things. It does suck for FOSS however.
I will definitely pull this thread out next time someone complain that Apple is too expensive and that they are milking the poor developers...
For 400$/ year you're getting nothing. I was told here that I could go lower, but this is what I was paying for last decade.
Other companies also milking their developers does not invalidate this argument.
(The only acceptable price is $0, IMO.)
Also, Windows "trust system" seemingly works also on unsigned binaries. If you don't disable bunch of security settings, you would be blocked similar to self-signed certificates on HTTPS. You can go around, by clicking tiny button. Is enough users do it, software getting flagged as OK.
Certificate solves that this should be done per certificate, not per binary.
I've used them for years and can recommend them.
The parent comment's issue is that EV certificates are essentially required due to the poorly-designed SmartScreen reputation filter. The $85/yr certificate you're mentioning doesn't help solve this.
The current code-signing-certificate model is pointless, regardless of price.
Oh, no. We just kept renewing our EV certs with them for past several years... if only we'd known that we can't. Damn. Such an amateur shop this Digicert. Unacceptable.
https://www.youtube.com/watch?v=mwuk0E-tfeg
It's a nightmare. Complete scam.
I needed this for Polar: https://getpolarized.io/
Mind you... it's Open Source but I still want my users to be able to download it without warnings.
No joke - it took me 2 weeks to get the CSC with about 4 hours per day working on just this CSC issue.
It's just a labyrinth of insanity from not having a listing on D&B to them insisting I pay $2k to expedite it.
I still don't have one from Apple because it requires a D&B number so I had to get a personal cert from them.
I went with a cheap one for Windows BUT it gives errors on install for like the first 1k downloads until Windows says it's legit.
It's a complete scam.
BTW.. if you get in the MS App Store you don't have to worry about a CSC so that's good I guess.
Last I checked expedited D&B was around $40 USD (10 business days) and same-day D&B around $500 USD.
Free D&B said it would take 30 business days, but it actually only took them 5 business days when I applied for it.
First, we ran Windows under Parallels on a Mac Mini (we needed the build machine to handle Mac builds as well). I think I set the Windows VM to never lock the screen or sign you out, but the physical Mac would lock its own screen as usual. You could set things up the same way with a VMware VM running on a Windows host.
Then the only problem to solve was how to type in the signing password every time the certificate utility popped up its password dialog.
Like so many things on Windows, it was AutoHotkey to the rescue! I wrote a little 5-10 line AutoHotkey script to watch for the password dialog opening, type in the password and hit Enter.
Bingo, we had fully automated EV code signing for our Windows builds.
You mentioned that logging out or letting the screen go to sleep would lock the cert. I don't quite remember it that way, but I could be remembering wrong. It seemed that the certificate utility simply wanted a password typed into its dialog for every code signing.
So it may be that this AutoHotkey setup would also work with the cert utility running on a physical Windows machine with normal screen locking. In any case, it definitely worked great in a VM.
Of course this meant that we had to store the signing password in plain text inside the VM, but that was a lesser evil than requiring someone to babysit the machine whenever we pushed a build.
I did need to get into D&B, and it was a bit of a faff - their website is a maze, and it took around a week after filling the form to get listed. Didn't need much time on it though.
One of the other requirements I had to fulfil was having a telephone number published in a sanctioned list of websites for a callback - so I registered a Skype number, published the number, did the callback, and terminated the number. Not sure what that was meant to prove...
Now all we have are app store and certificate rackets. Im looking at Google and Apple too. Shame on the industry for accepting 30% revenue share on their services. The idea of an app store is great but not when it excludes other legitimate ways of installing software on device.
These practices are anticompetitive and monopolistic.
Good for Notepad++. I couldnt agree more with its sentiment.
Is there any evidence that was ever really a thing / effective?
How could you possibly know?
There are plenty of examples of previously trustworthy software becoming untrustworthy, same with sites you download the code from.
That line reads like the absurd advice that security experts put out about "only download something you trust" and ignoring that nobody has a clue how to evaluate that aside form say limiting them self to FOSS and reading all the code...
This is mostly a meme from the overzealous FOSS and privacy crowd, not the security crowd. Professional security engineers do not, as a rule, encourage software engineers (or end users more generally) to only use open source software because "you can inspect the code for vulnerabilities."
Anyone with legitimate security expertise will understand the benefits of specialization and core competencies. Namely that despite the ideological perspective of many in the FOSS community, it is actually better to trust someone else with the security of your software. Because you most likely can't trust yourself with that task anyway.
The idea that most people can reliably identify security vulnerabilities in the software they use just because it's open source is laughable. They might find trivial low hanging fruit or obvious malicious activity, but they won't have a better picture of the overall security posture just because they can read the code.
As an obvious case in point, consider how few people identify vulnerabilities in Firefox versus how many people use Firefox. The people who write complex open source software don't even reliably find the issues in their own code.
Don't forget, you have to compile from source as well. I'm thinking the parent you replied to forgot how awful sourceforge was, and even trustworthy projects could have garbage bundled in.
The security paranoid experts and FOSS zealots have always thought for some inexplicable reasons that if you can download a source and build the program yourself, then it's safe.
Any scum can pay money to get a certificate; you don't have to pass an ethics examination.
It is just a racket.
I think I like the old way better.
You downloaded it to an isolated environment and ran it and proved it didn't cause unexpected side effects. It was run behind a firewall that could log internet communication. If it proved to be good, you ran it in your main environment. If it proved to be bad you warned everyone who would listen to you.
I feel like the more "social" the web appears to be becoming, the less social it actually is. We had tight little BBS and IRC communities where this stuff was all discussed. Social meant we actually had meaningful conversations... okay, not always meaningful, but it was often about the pursuit of something useful.
It's nigh on impossible with the proliferation of the internet to take this approach these days. Things just didn't scale that well. This is why things like DD-WRT and other hacker sites while being more accessible are still very much a niche market.
It's funny how much more technical you had to be back then just to get online. It's as if we're driving the automatic version of the internet now. Back then we had cobble all the pieces together and even when you had, it was like driving with a manual gearshift.
Are you asking if software existed before code signing? Yes, it did.
Of course not, the person who wrote that has absolutely no concept of the modern Internet user, and probably thinks themselves materially better than them.
If your security model is "do your research" then you're going to fail.
I’ve been using personal computers for over 30 years and I don’t remember those days.
I remember that 99/100 users didn’t think before installing a free screensaver and got hit with some kind of malware.
While I disagree with how centralized this practice is I’m applauding that an effort is being made to keep malware off consumer devices.
What we need is a decentralized and self policing ecosystem. A Wikipedia of validation.
Something that’s truly monumenta to pull together.
I understand why so many vendors have centralized their efforts.
We must now contend with these power brokers and ask their permission for every install.
With attacks getting more and more sophisticated just downloading from the legitimate site no longer guarantees integrity. Sometimes not even having the exe signed does it, with supply chain attacks and code injected long before being signed.
Perhaps also posting the hash on a public website (a tweet for example) 24h before making the installer available would mitigate the code signing issue. You could use it as an authoritative source that's less likely to be breached/modified after posting without immediately raising flags. And if it was an unauthorized post the 24h also gives the author enough time to flag it. Supply chain attacks are not considered here.
The app stores do not offer any kind of information that would help to put my trust in the developer and application.
Certifactes are a fallacy that tell nothing about the security of the app. They just tell that the app was signed someone that has a security certificate.
Also why do all security experts want to shove their security agenda to the world ? If you are dealing with life or death matter than it is probably better not to expose your world to the wild. For everything else it is OK to live without the safety net, it is OK if someone looses some money or your mum's disk gets encrypted. People fall every day and I sencerly hope that there will not be some police that will force you to wear a helmet ass soon as you get out of the bed.
A blockchain could be used for that. When you publish something, take its hash, and the add it to a public ledger.
This.
The sad thing is that this is still as important to do as it ever was -- but fewer people do it.
The Linux kernel, as of today, has ~20 million lines of code, and hundreds of vulnerabilities.
Since I presume that you are a user of Linux - what kind of research do you, personally do, to identify, and protect yourself from the potential dangers of running your operating system? Have you read through all of those 20 million LOC, and understood them in context? Do you compile your kernel from scratch? Do you completely, and fully understand the machine code that your C compiler will transform them into?
This is all in stark contrast to macOS's System Integrity Protection, which I can turn off once to never be bothered again.
I understand why Microsoft would enforce higher standards on drivers which can touch the kernel. But, the same fundamental problem applies: it isn't reasonable for non-profit, open source developers—many of whom I consider perfectly trustworthy—to pay hundreds of dollars for a certificate! Let me make the final decision about who I trust. It's my machine—I even built it myself!
The primary place I run into this problem is with drivers to support weird video game controllers.
---
† You can enable a "testsigning" mode via the command line which persists across reboots, but this only seems to work for certain drivers. If anyone can explain why it sometimes works, I'd appreciate it, as my research has never turned up anything.
The plethora of support emails is what motivated me to get one in the first place. I used to get accused of giving users a "virus" and getting into infinite loops on why they should trust me. I'm sure I was wasting more than $100/year of my time responding to these emails, so I just gave in and got one.
Now, I don't know what to do.
What does code signing in Windows actually verify? That executable's author at some point paid money to some company that Microsoft deemed an "authority"?
It's a rotten system. The whole CA pyramid is bullshit.
What we really need is a way to know that executable notepad++2.0 is signed by the same person who signed notepad++1.0 already installed on your computer, and that it's the same person who controls notepad-plus-plus.org, and that this identity has existed for well over 10 years. This is legitimately useful info that would allow people to make more informed decisions about what to install.
BTW, the part about historic record seems like one of the few good uses for blockchain technology.
Have you used Let's Encrypt? It verifies that you own the domain in question. HTTPS requires that the server you're connecting to has been identified.
They're checking organisational or individual identity, which is a work intensive process (e.g. "email me your driver's license, business license, and tax return so I can manually review them.")
It might be possible for a charity to run a FOSS code signing CA, but it is unclear who's paying for that since it needs actual staff.
[1] https://en.sklep.certum.pl/data-safety/code-signing-certific...
edit: updated price
Digicert lists EV code signing certs as $664/yr. But if you are to enter their site through a side door or just plainly cry into the support's jacket, then the price magically drops to $104/yr. And that's for an EV cert! So the only reason there are $600 certs is that there are people who do pay that.
• The registration process is painfully manual (including e-mailing scanned documents). It's like an "Enterprise" CA from before Let's Encrypt.
• The website wouldn't send the final cert to any browser other than Internet Explorer.
• Microsoft's signing tools are a hot garbage. All options default to "subtly wrong". To get a working signature you need a half dozen flags in an exact order, different from what the official documentation uses.
• Microsoft's docs are either: a) plentiful but only tangentially related vague introduction, or b) scraps of incomplete technical information, mainly for Windows XP only. It's as if they've tried to improve it many times, but every time gave up after rewriting the first chapter.
• Signing can't be automated or used remotely, because its weirdo software wants a PIN entered from the local keyboard.
https://docs.microsoft.com/en-us/windows-hardware/drivers/da...
Follow the steps under “Buy a DigiCert EV code signing certificate“.
You’re welcome. ;)
https://www.quora.com/What-is-the-difference-between-static-...
What really surprises me is that the author of something as great as Notepad++ isn't making enough money from the project to easily be able to pay for the certificate.
> However I cannot use "Notepad++" as CN to sign because Notepad++ doesn’t exist as company or organization
CAs would put author's name as CN, which isn't great, especially for collaborative project.
https://notepad-plus-plus.org/news/notepad-7.3.3-fix-cia-hac...
Edit: downvoted? The project is GPL, not a revenue source.
Orthogonally, I also think that $99 App Store fees are a terrible waste of money. You should get charged only when submitting to an app store for review.
There are plenty of root certificates that came installed on my computer, and I don't even trust them. Why would these CAs charge so much for so little value?
Yes, this is stupid and outdated, I agree - I personally think that Keybase issuing code signing certificates and being able to verify that the person who signed this also owns this GitHub and that Twitter account would still be super valuable.
D Language community recently [1][2] bought a certificate reluctantly to satisfy Windows defender, virus scan warning, etc. Sadly we are stuck with this immoral blackmails.
[1] https://forum.dlang.org/post/sclqnbggytmyetwrxppb@forum.dlan...
[2]https://dlang.org/changelog/2.082.0.html#signed_windows_bina...
Code signing reduces ops overhead and latency in environments that are using app whitelisting.
If the code is signed, then the signing certificate can be trusted once. All upgrades and patches that are signed with that certificate can be automatically whitelisted, with no intervention from teams managing the whitelisting.
But if the code isn't signed, then if even a single byte changes in the executable, it must be re-whitelisted - usually manually.
The more signed apps there are, the easier it is for companies to start using application whitelisting, the fewer people are needed to maintain it, and the faster patches to those applications can be deployed. Making it easier for companies to move to whitelisting increases security for the ecosystem in the aggregate.
I'm not sure what the author means by this.
I kind of see them like taxi medallions
Taxi medallions are pricey because there's limited supply and high demand. Code signing certificates have limited demand and unlimited supply, but are expensive because they require manual verification (like EV certificates) and has a bunch of startup costs (to get included as a root).
I really don't get how a FOSS author blames FOSS authors?! The problem is clearly with Microsoft and many FOSS authors don't bother and just sign it with their own, web-of-trust'ed PGP keys.
Off topic, but I have to say that whenever I need to open hundreds of files at once and perform regex operations-- this editor rocks that task like no other. Kudos to Notepad++
If I need to just edit one file quickly with a simple change, npp is still my go to.
After using SublimeText for 5 years, notepad++ is like using a regular notepad but that’s my personal opinion.
Preferably one that does not require a USB dongle. Did order one from Comodo, but was not able to get the USB dongle to work.
Notepad++ - Crack on!
What does that mean?
I'm wondering if they are aware of free alternatives like signify or pgp that would work just as well (minus the windows UAC thing). Right now there are only checksums but no way to verify they are from the author and are distributed on the same server as the binary, so the only security layer is https.
As Windows only project, UAC is the only thing that matters in this equation.
Main advantage is that authenticode is built into windows and is easy to verify, unlike PGP. Not to mention that the certificates provide some assurance as to who the real author is, unlike PGP where identities could be generated on demand.
The blue UAC prompt and no warning message is the main point, though.
In theory users could manually verify a PGP-signed executable, but that's well outside of the average Windows user's knowledge.