verification certificate

    Question

  • hey,

    I recently coded my game engine (Tritank, please try it out! Visit the site:

    https://sites.google.com/site/tritankshooter/)

    But I have this problem that when it runs on some OS, it says that my software can't be verified and may be potentially malware. But how can I add a verification certificate to my program to assure others my game isn't malware?

    Does this have to do with manifest files?

    Please reply

    DardanC

    • Moved by Helen Zhao Friday, March 23, 2012 9:15 AM (From:Visual C++ General)
    Thursday, March 22, 2012 8:15 AM

Answers

All replies

  • In general you need a certificate that is code signing capable, that should be a Class 3 certificate. With this certificate you can sign your executable.

    Those Class 3 certificates are very expensive since your personal data will be verified. See here:

    http://www.symantec.com/theme.jsp?themeid=verisign-code-signing&inid=vrsn_symc_cs_index&mboxSession=1332406580373-641872

    Here is more general info on code signing:

    http://en.wikipedia.org/wiki/Code_signing

    Thursday, March 22, 2012 8:57 AM
  • So a certificate isn't free?

    Isn't there a free way to prove that, or can't you make a certificate yourself?

    Thursday, March 22, 2012 9:15 AM
  • so a certificate isn't free?

    No, at least not certificates that are code-signing capable (Class 3 certificates).

    Isn't there a free way to prove that, or can't you make a certificate yourself?

    No, there is no "free way". When you create a certificate on your own, you would still be anonymous and you could sign malware. Therefore Class 3 certificates need a REAL verification of the certificate owner. If you sign an executable with your certificate, your name will be visible in this certificate. If a valid certificate is abused, it will be invalidated and cannot be used anymore.
    Thursday, March 22, 2012 10:01 AM
  • >so a certificate isn't free?

    No. A certificate from a CA (certificate authority), such as Verisign, will cost you something from 400 USD per year. See example:

    https://www.rapidsslonline.com/code-signing-certificates.aspx

    Now, you can understand why on your computer only "big names" have their products signed.

    >Isn't there a free way to prove that, or can't you make a certificate yourself?

    Yes, there is a way to make your own test certificate "How to: Create Your Own Test Certificate": http://msdn.microsoft.com/en-us/library/ff699202.aspx

    Quote: "When you have a certificate from a CA, it displays the publisher in the installation dialogs, which makes your application appear more trustworthy. If you use a test (self-created) certificate, the installation dialogs will display an "Unknown publisher" message. For applications deployed internally in an organization, this is an acceptable practice."



    Thursday, March 22, 2012 11:08 AM
  • Yes, there is a way to make your own test certificate "How to: Create Your Own Test Certificate": http://msdn.microsoft.com/en-us/library/ff699202.aspx

    but this test certificate must be added to the local certificate store to work properly. In general a test certificate is not available on machines that are outside the focus of the person who created this certificate.

    If I used the application without adding the test certificate I'd get a warning / error message since the certificate is not valid! And I would definitely not add a test certificate to my certificate store...


    • Edited by Bordon Thursday, March 22, 2012 11:31 AM
    Thursday, March 22, 2012 11:30 AM
  • >If I used the application without adding the test certificate I'd get a warning / error message since the certificate is not valid! And I would definitely not add a test certificate to my certificate store.

    That is why I always quote the source, MSDN in this case. My own opinion is not very important, but it is interesting (at least) to know what Microsoft (MSDN) thinks in almost every case: "If you use a test (self-created) certificate, the installation dialogs will display an "Unknown publisher" message. For applications deployed internally in an organization, this is an acceptable practice."



    Thursday, March 22, 2012 11:44 AM
  • OK, I see it is quite a business to sign your executable.

    But if I use a test certificate, what will be the use of that then? Is it wise to use such a certificate?

    Thursday, March 22, 2012 12:19 PM
  • OK, I see it is quite a business to sign your executable.

    But if I use a test certificate, what will be the use of that then? Is it wise to use such a certificate?

    I think that inside the organization it is recommended to use its own certificate (better than nothing). By the way, there are two signing technologies on Windows: Authenticode and Strong Name signing. In this case, we talk about Authenticode (http://msdn.microsoft.com/en-us/library/ie/ms537364(v=vs.85).aspx#Cert2SPC).

    The option to sign with a Strong Name exists only for .NET managed applications (including C++/CLI): http://msdn.microsoft.com/en-us/library/h4fa028b(v=vs.100).aspx. Strong-name signing, or strong-naming, gives a software component a globally unique identity that cannot be spoofed by someone else. Strong names are used to guarantee that component dependencies and configuration statements map to exactly the correct component and component version. And Strong Name signing is used widely because it is free and often necessary.

    Microsoft does not recommend using Strong Name signing as a replacement for Authenticode. And only a certificate verified by a CA can give you a way to install without warnings on any Windows computer.

    Thursday, March 22, 2012 12:35 PM
  • Some companies sell certificates at $99/year (less for multi-years),
    see
     
    Thursday, March 22, 2012 3:08 PM
  • Some companies sell certificates at $99/year (less for multi-years),
    see
     
    Thank you, Pierre, that is really interesting information. But also note, that this became possible just few months ago.
    Thursday, March 22, 2012 3:31 PM
  • So how do you exactly implement an Authenticode or Strong Name?

    And which one do you recommend for me?

    Thursday, March 22, 2012 7:40 PM
  • Some companies sell certificates at $99/year (less for multi-years), see http://timheuer.com/blog/archive/2011/12/12/code-signing-for-independent-developer.aspx

    https://www.certs4less.com/codesigning.html

    Seems to be $149 now. :(

    Hard to imagine how any of the code signing authorities aren't onto a
    good thing though - even if they'd cost $50 a shot.

    Dave

    Thursday, March 22, 2012 10:39 PM
  • Hi DardanC,

    According to your description, I'd like to move this thread to "Application Security for Windows Desktop Forum" for better support.

    Thanks for your understanding and active participation in the MSDN Forum.

    Best regards,


    Helen Zhao [MSFT]
    MSDN Community Support | Feedback to us

    Friday, March 23, 2012 9:15 AM
  • OK, but I'm quite new here.

    how do you actually move a question to another forum?

    Friday, March 23, 2012 4:50 PM
  • oh never mind.

    Though could anyone here please explain how you add these Authenticode signatures / strong names?

    Friday, March 23, 2012 8:18 PM
  • oh never mind.

    Though could anyone here please explain how you add these Authenticode signatures / strong names?

    See here "Basics of Signing and Verifying code": http://www.codeproject.com/Articles/325833/Basics-of-Signing-and-Verifying-code
    • Marked as answer by DardanC Saturday, March 24, 2012 4:40 PM
    Saturday, March 24, 2012 12:19 PM
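As an added example (not code from this thread, from MSDN or from the linked CodeProject article), the Authenticode test-signing and verification flow the last answers describe, in PowerShell: it shows why a self-created test certificate still yields an untrusted verdict on a machine that has not imported it, which is the point Bordon and Tim argue about above. The file path, certificate subject, timestamp server URL and function name are assumptions.

```powershell
# Added example, not code from the thread or from MSDN: test-sign an
# executable with Authenticode and verify it the way Windows does.
# Assumptions: Windows PowerShell 5.1+ with the PKI module; $exe is a
# placeholder path for your own build output.
$exe = 'C:\build\Tritank.exe'   # placeholder, replace with your binary

# 1. Create the self-signed test certificate (the "test certificate" from
#    the MSDN article quoted above). It lives only in this user's store.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Tritank Test Signing' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears(1)

# 2. Sign with a SHA-256 digest. A timestamp keeps the signature verifiable
#    after the certificate expires; the URL is an assumed RFC 3161 server
#    and needs network access, so drop the parameter when offline.
$result = Set-AuthenticodeSignature -FilePath $exe -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'
"Signing result: $($result.Status) - $($result.StatusMessage)"

# 3. Verify: Windows re-hashes the file, then chains the signer certificate
#    to a root in the local trusted store. Self-signed roots are not there.
function Get-SignatureVerdict {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    switch ($sig.Status.ToString()) {
        'Valid'        { "Trusted: signed by $($sig.SignerCertificate.Subject)" }
        'NotSigned'    { 'No Authenticode signature present' }
        'HashMismatch' { 'File changed after signing: treat as tampered' }
        default        { "Signed but NOT trusted here ($($sig.Status)): $($sig.StatusMessage)" }
    }
}
Get-SignatureVerdict -Path $exe
# On any machine that has not imported the test certificate the verdict is
# "NOT trusted" (the chain ends in an untrusted root), i.e. the "Unknown
# publisher" warning the question describes. A CA-issued certificate chains
# to a root Windows already ships, so the same check returns Valid.

# 4. Export the public certificate so a lab machine you control can trust
#    it. Importing into Root shows a confirmation prompt; that prompt is
#    exactly why a stranger's test certificate should not be accepted.
Export-Certificate -Cert $cert -FilePath '.\tritank-test.cer' | Out-Null
# Lab machine only:
# Import-Certificate -FilePath '.\tritank-test.cer' -CertStoreLocation 'Cert:\CurrentUser\Root'
```

Strong Name signing is a separate mechanism for .NET assemblies and does not affect the verdict above; only the Authenticode chain decides whether the publisher is shown as verified.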