I was incredibly salty about this. I didn't name the CA, because they're actually nice to have reduced price for Open Source projects, but Microsoft really needs to drag the whole process into the 21st century.
The process and infrastructure reminds me very much of TLS before Let's Encrypt. If this is something that every developer needs to do for every exe, it can't be like getting an EV certificate for a Netscape Server. I thought Apple's often-buggy signing was bad, but at least they've tried to make it a one checkbox paid for in a straightforward transaction.
I would have signed with SHA-2, which for an inexplicable reason is not the default despite deprecation, but my signtool crashed when I enabled it.
That CA took you for a ride. My open source Windows projects are signed, too. No smart card, no PIN when signing, no special software. I did have to provide some identity information and a photo, but identity verification is the service that CAs are expected to perform here. You would have had a better time with a different CA.
Open source developer here. Also used to get Certum certificates with reduced price for open source developers, but their smartcard junk convinced me to use another provider. And they also raised their pricing policy.
I ended up with Comodo, which was "cheap". I then discovered that this was cheap for a reason: they did not provide the identity validation (something which was not clearly stated anywhere), and I had to pay for a notary certification (which was about twice as much as the certificate price), because apparently in the US an ID card is considered as reliable as your sport club membership card.
The whole Microsoft code certification is a shit show. It provides no security whatsoever, feeds an incredible number of incompetent parasites, and at the end is a real burden for open source developers like me, who want to get rid of the nasty Windows security messages, but also want to avoid being targeted by download sites bundling your binaries with some adware crap.
signtool badly needs to be updated. The interface is very confusing and the documentation, while fairly complete, isn't very helpful.
That said, I just upgraded ours and didn't have much trouble switching to sha256. There is one quirk about the order of the arguments due to some limitation with the timestamping servers. The documentation loudly points this out though. If it helps, here's my exact command line:
signtool.exe sign /v ^
  /n "Company, LLC" ^
  /ph /d "Description" ^
  /du "https://www.website.com" ^
  /tr "http://timestamp.comodoca.com" ^
  /td sha256 ^
  /fd sha256 ^
  executable.exe
(/td must come after /tr)
Not being able to automate these EV hardware tokens because of the password is a pain that I'm already annoyed by though.
I've run into similar frustration getting an exe certificate.
In one example, the provider needed to check I was a legitimate business, by seeing if I was in the phone book -- so I just registered online, called them back, they saw it and granted me the certificate, then I unregistered.
Which signtool did you use? (You may have more than one on your system. This has cost me more time than I would like to admit. I'd make sure you're using the one from the latest Win 10 SDK.)
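An added example, not code from the thread: a PowerShell helper that applies the argument order eco's command shows (/tr before /td, SHA-256 for both the file and timestamp digests), picks the newest Windows 10 SDK signtool as IvyMike suggests, and verifies the result. The Windows Kits path is the SDK's real layout; the file path, subject name, timestamp URL and the check of signtool's verbose output for "sha256" are assumptions.

```powershell
# Added example, not from the thread. Signs an .exe with SHA-256 file and
# timestamp digests in the argument order eco describes (/tr before /td),
# using the newest SDK signtool as IvyMike advises, then verifies the result.

function Find-SignTool {
    # The Windows 10 SDK installs one signtool.exe per SDK version under
    # Windows Kits\10\bin\<version>\x64; take the highest version so that
    # the SHA-256 and RFC 3161 (/tr, /td) options are available.
    $kits = Join-Path ${env:ProgramFiles(x86)} 'Windows Kits\10\bin'
    Get-ChildItem -Path $kits -Filter signtool.exe -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -like '*\x64\signtool.exe' } |
        Sort-Object { try { [version]$_.Directory.Parent.Name } catch { [version]'0.0' } } -Descending |
        Select-Object -First 1 -ExpandProperty FullName
}

function Invoke-SignAndVerify {
    param(
        [Parameter(Mandatory)] [string] $Path,          # e.g. .\executable.exe (placeholder)
        [Parameter(Mandatory)] [string] $SubjectName,   # /n value, e.g. "Company, LLC" (placeholder)
        [Parameter(Mandatory)] [string] $TimestampUrl   # your CA's RFC 3161 server, as in the thread's /tr values
    )
    $signtool = Find-SignTool
    if (-not $signtool) { throw 'signtool.exe not found under the Windows 10 SDK' }

    # Order matters here: /td must follow /tr, as eco's comment notes.
    $signArgs = @(
        'sign', '/v',
        '/n', $SubjectName,
        '/fd', 'sha256',        # file digest: SHA-256, not the deprecated SHA-1
        '/tr', $TimestampUrl,   # RFC 3161 timestamp server
        '/td', 'sha256',        # timestamp digest, must come after /tr
        $Path
    )
    & $signtool @signArgs | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "signing failed with exit code $LASTEXITCODE" }

    # Verify against the default Authenticode policy (/pa) and confirm a
    # timestamp is present; without one the signature stops validating
    # once the signing certificate expires.
    $verbose = & $signtool verify /pa /v $Path 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "verification failed:`n$verbose" }
    $sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status                          # expect Valid
        Signer      = $sig.SignerCertificate.Subject
        Timestamped = ($null -ne $sig.TimeStamperCertificate)
        # Assumption: signtool's verbose output names the file-hash algorithm.
        Sha256      = ($verbose -match 'sha256')
    }
}

# Usage (placeholders for path, subject and timestamp server):
# Invoke-SignAndVerify -Path .\executable.exe -SubjectName 'Company, LLC' -TimestampUrl 'http://timestamp.comodoca.com'
```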
Sorry to go off topic, but I'm wondering what's the goal of the tool as there are already ways of doing this. I've created a bat file that uses youtube-dl to download a video and convert it to gif using several tools and parameters (ffmpeg, imagemagick). I use it to make inline posts on hangouts since it's 2018 and I need a mobile device to post inline videos there for some reason.
Anyway, your tool seems to get good image size on videos with lots of colors, but horrible size on simpler images. Using the --fast switch as it took 6 minutes to convert 387 frames to save 10% on filesize. I'm comparing it to ffmpeg with a palette as it seems to get similar image quality with a smaller size in most cases.
edit: After reading this after posting it, it looks as if I'm super critical/aggressive. I'm just genuinely curious about what drove you to write the tool as there are already ways to achieve what you wanted. Didn't mean to antagonize you.
If you want headless automated builds, I recommend trying Sikuli on top of a VM. It doesn't require any toolkit/OS support to automate your applications.
It is disgustingly easy to set it up, it is software none of us deserve.
They aren't sufficient to get rid of the slanderous message on their own - even with an EV. You need to have a bit of volume first. Makes interacting with your first few customers lots of fun.
Code signing certificates are a great idea if you're a company who gets to charge me hundreds of dollars per year to say that I am who I say I am. Code signing doesn't seem so great from my perspective, because I don't want to have to pay hundreds of dollars per year to a cartel engaging in a protection racket. Unsigned code warnings are nothing more than them saying, "Gosh, it sure would be a shame if we scared away potential users (wink wink)." If the certificates were based on inspection of the actual source code and building the installer inside a trusted environment, that would be one thing, but that isn't how they get assigned. Certificates are assigned based on whether or not I want to give the trust cartel a lot of money. Fuck that.
How much I hate this error message. "Windows protected your PC" - no, it didn't, it just assumed there would be something to protect from because it was unknown. It is pure scaremongering.
The average Windows user will never/should never run a program SmartScreen doesn't know about. Everyone else knows how to vet the app they're using themselves.
For your senior citizen browsing the web and clicking things, this dialog saves people. More often than you'd think.
as a malware developer who used to work for government (not usa ofc)
we had our malware signed genuinely with a digital certificate (we bought it using a fake company)
so a digital certificate doesn't protect at all!
As someone who enjoys the idea of writing stupid programs for my own use, occasionally even doing dumb things to the kernel, the games I have to play to work with the Software I paid for is disheartening. Yes, yes, if I screw up a kernel mode driver while toying around with faking USB input, I could brick my computer forever, but since I've already found my way to the driver SDK, and decided to continue, isn't that proof enough of willingness to take the risk?
Paying thousands of dollars per year just so that users can run your free software is ludicrous. Code signing does nothing but teach users to ignore security errors. Nothing is stopping bad actors from signing executables. Platforms are too lazy by putting the burden on the developer. Why not let users download the apps directly from the publisher/developer? I guess that would make it harder for the platform to leech on the developers, and gate-keep their users.
> Paying thousands of dollars per year just so that users can run your free software is ludicrous.
While I agree that requiring code signing certificates to run free software sucks, I'm curious where the thousands of dollars a year comes from? I finally broke down and purchased a code signing certificate[0] last year. The prices varied, but I don't recall seeing any for more than $300, and I was able to get mine for $100 which is valid through Windows 10 and works on everything else that uses one of these EV certs. In addition to that, I purchased a Yubikey, which I wanted anyway (and having a desire to protect my code-signing key was the excuse I was looking for to purchase one of those), bringing the total cost for the first year to $140 (and subsequent years at $100). There is certainly a time cost, and it's really fun explaining that "no, I do not have a land-line phone" and "no, I don't get bills from my mobile phone company, but I can print out what qualifies as a bill from my Project Fi page[1]" all while trying to understand the accent of the non-native-English speaker I was working with.
[0] Not purely for signing open-source software, but I use it 99% of the time for signing Open Source software ... and miserable PowerShell scripts so that I don't have to remember to override the default security policy.
[1] The number of eye-rolls around the security theater involved in all of this was comical. They asked for photocopies of 6 or 7 different documents, all of which would have been trivial to forge with any information I wanted if I were so inclined. The only real verification around these documents is the notary requirement -- which, at least where I live, notaries are punished harshly if they don't follow the rules.
It took a legitimate actor six months as he underwent EV certification. Even if the primary goal didn't get met, there's still the secondary goal of having problematic publishers officially blocked by cert revocation.
Also, users DO get the app from the publisher in this case. Windows provides SmartScreen, the developer provided the binary and signature (and was on his own as to how to get it).
The security theater is just to shift liability. They don't care if the documents are fake, they just want the fraud to be plausibly your fault instead of theirs.
> Install and configure weirdo bespoke software for the smart card. It opens an SSH-server-hanging popup asking for a PIN, so I can't have headless automatic builds.
I've recently paid for a code signing cert from Comodo, and I'm still stuck in the process.
In order to verify your company phone number, it has to be shown in any of the links like: (www.dnb.com) or (www.hoovers.com) including local/national registration agencies and reputable third party databases. So please update the Company name, address and Phone number in any one of the above web sites.
My company is registered in Norway, and having the company's email and domain listed in the national company registry does not help. I'm currently in SE Asia, and I have to go back to this:
[...] you can send an attestation letter signed by your attorney, Certified Public Accountant or Latin Notary (where legally recognized) verifying the telephone number. You can download sample text for the letter [...]
We need Let's Encrypt for code signing. But how can we automate identity validation? Verify the e-mail address or phone number with a national registry, where possible?
I switched away from Comodo because of the Dun And Bradstreet requirement, and I didn't really want to support Comodo anyway after some of the shady stuff they've done.
GlobalSign were able to help me, they were a bit more expensive but vastly better support than Comodo. Super friendly phone & email support. I did need to get a Yellow Pages listing for my business for them to verify me, but Yellow Pages offer a free online listing tier in Australia. You might be able to ask for a discount if their prices are a bit too high for you & you're switching from Comodo.
If you must have a Comodo cert, you could try buying through K Software (http://codesigning.ksoftware.net/). Mitchell Vincent is great to deal with, and I used his services for years. He could probably have helped me deal with Comodo verification, but I was just too exasperated by Comodo's support drones.
I tried Comodo too, but they wanted to have a legal person to sign some document (proof of existence?). Eventually, DigiCert was pretty fast in giving out a cert. Two legal documents scanned in, a copy of a passport/id and a face to face (skype) was about enough to validate that I really exist.
There is one CA (forgot the name) that provides EV certs (for websites, not code signing) that looks up data in national registries; they have a lot of stuff automated so it's quick and relatively cheap. So in theory it's possible for code signing. But Let's Encrypt repeatedly refuses to work on code signing certs (it's not as cheap to operate as website DV).
Is this some new Windows thing? Because the last time I booted Windows and downloaded some pre-built open source Windows program and ran it I got no such warning.
An EV sig on an .exe automatically whitelists it with SmartScreen. It still shows a message, but a far less scary one.
Edit - hmm, it sounds like the dev got an EV cert though, because regular ones don’t require storing keys on a token. So I’m not sure what’s going on here...
I think a proper EV should not show any warning at all. The issue here is using SHA1 instead of SHA256, not sure why op would do this. SHA1 signing was deprecated.
I haven't used Windows in 10 years, so I don't understand: What is the point of signing this binary at all? If users want to run software they know is legitimate because they can review the source on GitHub and download via HTTPS from the GitHub page, why do they have this "Windows protection" feature enabled? Wouldn't a better solution be for the project maintainer to tell the user to disable it since they're in a position of trust which is at the same level as distributing a valid binary?
xroche | 7 years ago
A "let's encrypt for code" ? Please sign-me up!
plasma | 7 years ago
Waste of time.
mnkypete | 7 years ago
signtool sign /a /fd SHA256 /tr "http://timestamp.globalsign.com/?signature=sha2" /td SHA256 <exefile>
nodja | 7 years ago
Gist of my bat file. https://gist.github.com/Nodja/8ece6c3d866867877442e34bf67ece...
microcolonel | 7 years ago
http://www.sikuli.org/
mnkypete | 7 years ago
EV certs immediately gain trust: https://blogs.msdn.microsoft.com/ie/2012/08/14/microsoft-sma...
gruez | 7 years ago
apparently sha2 signing wasn't working for him
https://news.ycombinator.com/item?id=17200491
>I would have signed with SHA-2, which for inexplicable reason is not default despite deprecation, but my signtool crashed when I enabled it.
zwetan | 7 years ago
You can automate this with scsigntool.exe check out https://www.mgtek.com/smartcard
but yeah doing all this to publish signed exe under Windows is a PITA
21 | 7 years ago
BTW, Chrome has a similar thing, compile an .exe, put it on a personal site, and try to download it.
mnkypete | 7 years ago
https://www.globalsign.com/en/blog/microsoft-announces-updat...
api | 7 years ago
This is how painful it is to ship software for major platforms. Windows is by far the worst. Apple and Android are a bit better but not really great.