Digital Signature.

  • Tuesday, December 05, 2006 9:31 AM, VikasAgr

    How can we obtain a digital signature for the existing application? Is it necessary for running it on Windows Vista?

All Replies

  • Tuesday, December 05, 2006 8:48 PM, Oliver Lundt - MSFT
     Answer

    Signatures are not required for running on Vista. An application without a certificate signature will have an elevated prompt that has a yellow warning message. Elevation is required for installations, so this may affect users deciding to install your product. With a certificate signature users will receive a green elevation prompt that identifies your company as the publisher.

    Signatures are only required for Vista Logo Certification. By enrolling in the logo certification program right now you can receive discounted certs from Verisign; however, this is a special promotion offer.

    To sign an already distributed application you will need to provide an updated version of your exe that is signed.

     

  • Wednesday, December 06, 2006 5:59 AM, VikasAgr

    Hi Oliver,

    I have this confusion because of what I had read in the compatibility Cookbook; there it is said

    "All 64-bit drivers have to be digitally signed for Windows Vista 64-bit editions. Unsigned drivers are not supported and cannot be installed on 64-bit Windows Vista" in the Windows Vista 64-Bit section.

    And is the signing process done by Verisign during Vista Logo Certification, or are we provided with some files to sign it ourselves?

    Please clarify me on the above mentioned doubts.

    Regards

    Vikas.

     

  • Wednesday, December 06, 2006 3:42 PM, Oliver Lundt - MSFT
     Answer
    You are correct, I forgot about drivers. If your application is a driver or uses a driver, that driver needs to be signed for 64-bit.

    To sign your driver you will need to purchase a certificate from Verisign. Then, during your build or post-build, sign your driver.

    To use your certificate and sign your exe or dll in the post build process: http://msdn2.microsoft.com/en-us/library/9sh96ycy(VS.80).aspx 

    Also this article is good too: http://msdn.microsoft.com/workshop/security/authcode/signing.asp

    The second article mentions that you can use "makecert" to self generate a certificate. This self generated certificate should only be used for testing the signing process. Only a certificate from a trusted CA should be used for deployment.
  • Thursday, December 07, 2006 2:43 AM, Aaron Margosis - MSFT

    Your app also needs to be signed if it's marked with uiAccess="true".
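As an added example, not code from this thread or from Microsoft, the following Python pre-release check encodes the rules Oliver and Aaron give above: a binary marked uiAccess="true" must be signed, a 64-bit kernel driver must be signed, and for anything else a signature is optional but decides whether an elevation prompt names the publisher or shows the "unknown publisher" warning. It reads the application manifest's requestedExecutionLevel element (namespace-aware, since trustInfo may sit in the asm.v2 or asm.v3 namespace). The sample manifests, the function names and the SigningAssessment type are constructed for the example.

```python
# Added example, not code from the thread or from Microsoft: read an application
# manifest and report whether Windows Vista requires an Authenticode signature on
# the binary, and what UAC prompt a launch would show. Rules are the ones stated
# in the replies: uiAccess="true" requires a signature, 64-bit kernel drivers
# require a signature, otherwise a signature only changes the elevation prompt.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespaces in which the trustInfo section is declared (real Microsoft URIs).
TRUSTINFO_NAMESPACES = (
    "urn:schemas-microsoft-com:asm.v3",
    "urn:schemas-microsoft-com:asm.v2",
)


@dataclass(frozen=True)
class SigningAssessment:
    execution_level: str      # asInvoker, highestAvailable or requireAdministrator
    ui_access: bool           # value of the uiAccess attribute
    signature_required: bool  # Vista will not honour/load the binary otherwise
    reason: str


def parse_requested_execution_level(manifest_xml: str):
    """Return (level, uiAccess) from the manifest, with Vista's defaults if absent."""
    root = ET.fromstring(manifest_xml)
    for ns in TRUSTINFO_NAMESPACES:
        node = root.find(f".//{{{ns}}}requestedExecutionLevel")
        if node is not None:
            level = node.get("level", "asInvoker")
            ui_access = node.get("uiAccess", "false").strip().lower() == "true"
            return level, ui_access
    # No trustInfo section: the program runs as invoker without UI access.
    return "asInvoker", False


def assess_manifest(manifest_xml: str, is_64bit_driver: bool = False) -> SigningAssessment:
    level, ui_access = parse_requested_execution_level(manifest_xml)
    if is_64bit_driver:
        return SigningAssessment(level, ui_access, True,
                                 "64-bit Vista refuses to install unsigned kernel-mode drivers")
    if ui_access:
        return SigningAssessment(level, ui_access, True,
                                 'uiAccess="true" is honoured only for a signed binary')
    return SigningAssessment(level, ui_access, False,
                             "signature optional; it only changes the UAC prompt")


def expected_uac_prompt(assessment: SigningAssessment, signed: bool) -> str:
    """Describe the prompt a launch produces, as the thread describes it."""
    if assessment.execution_level == "asInvoker":
        return "no elevation prompt"
    # highestAvailable prompts only for users holding admin rights;
    # requireAdministrator always prompts.
    return ("elevation prompt naming the verified publisher" if signed
            else 'elevation prompt with the yellow "unknown publisher" warning')


# Constructed sample manifests for the example (not from any real product).
INSTALLER_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""

# Same manifest, but for a tool that drives other windows (accessibility-style).
UI_TOOL_MANIFEST = INSTALLER_MANIFEST.replace(
    'level="requireAdministrator" uiAccess="false"', 'level="asInvoker" uiAccess="true"')

if __name__ == "__main__":
    for name, xml in (("installer", INSTALLER_MANIFEST), ("ui tool", UI_TOOL_MANIFEST)):
        a = assess_manifest(xml)
        print(f"{name}: level={a.execution_level} uiAccess={a.ui_access} "
              f"signature required={a.signature_required} ({a.reason})")
        print("  unsigned launch ->", expected_uac_prompt(a, signed=False))
```

Run it against the manifest you embed in each shipped binary (or the driver's INF-level decision, via is_64bit_driver=True) as a release gate: anything reported as signature_required that leaves the build unsigned is a shipping defect, not a cosmetic one.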
  • Thursday, December 07, 2006 7:45 AM, VikasAgr

    Thanks OLIVER

    These links are really helpful.

    Please provide me the link from where I can easily download these signing tools.

     

  • Thursday, December 07, 2006 8:05 AM, Aaron Margosis - MSFT

    They're in the Platform SDK.
  • Thursday, December 07, 2006 9:46 AM, VikasAgr

    Thanks Aaron

    I'll look for it.

  • Wednesday, January 24, 2007 12:57 AM, WoanYoke

    I have a follow-up question to this.

    To get rid of the yellow "unknown publisher" warning dialog and have it display the company name, does it only require the install package to be signed? Or do the binaries that are installed also need to be signed?

    Is there a use scenario that requires the binaries to be signed on Vista? Will there ever be a situation where launching the binaries results in the "unknown publisher" dialog? In my case, these binaries cannot be downloaded individually from the web. The only way to install them is through the product installer.

    When the installer is launched, is there an attempt to connect to a Verisign server to verify the authentication of the signed installer, hence requiring users to have a network connection to run the installer?

    Thanks.

     

  • Friday, January 26, 2007 12:05 PM, Konstantin Kamanin

    WoanYoke wrote:

    I have a follow-up question to this.

    To get rid of the yellow "unknown publisher" warning dialog and have it display the company name, does it only require the install package to be signed? Or do the binaries that are installed also need to be signed?

    Is there a use scenario that requires the binaries to be signed on Vista? Will there ever be a situation where launching the binaries results in the "unknown publisher" dialog? In my case, these binaries cannot be downloaded individually from the web. The only way to install them is through the product installer.



    Binaries, as well as installation packages, must be digitally signed in order to get rid of the 'unknown publisher' message. Attempting to run an unsigned file, one will see the 'unknown publisher' dialog.

    WoanYoke wrote:

    When the installer is launched, is there an attempt to connect to a Verisign server to verify the authentication of the signed installer, hence requiring users to have a network connection to run the installer?



    No, it does not connect to the Web. Vista has a database of root certificate authorities and it verifies whether your certificate has been obtained from one of these organizations. A Web connection is required during the timestamping procedure, but not during installation of binaries or their running.