Authenticode Code Signing

Using Authenticode Code Signing

Background

How can users trust code that is published on the Internet? Two issues that must be addressed are those of ensuring integrity and authenticity. Authenticity assures users that they know where the code came from. Integrity verifies that the code hasn't been tampered with since its publication.

Microsoft's article titled Introduction to Code Signing states:

Microsoft's solution to these issues is Microsoft Authenticode coupled with an infrastructure of trusted entities. Authenticode, which is based on industry standards, allows developers to include information about themselves and their code with their programs through the use of digital signatures.

While Authenticode itself cannot guarantee that signed code is safe to run, Authenticode is the mechanism by which users can be informed of whether the software publisher is participating in the infrastructure of trusted entities. Thus, Authenticode serves the needs of both software publishers and users who rely upon the Internet for the downloading of software.

Why Should I Care?

If you plan to distribute your software over the Internet and you expect that some of your users will be using Windows XP Service Pack 2, Windows Vista or later, you may want to consider signing your setups. Due to the changes made to Internet Explorer in Windows XP SP2, and in Windows Vista and later operating systems, a customer who downloads and runs your software is presented with a warning dialog asking whether they really want to run it. If the software is not signed, that dialog shows "Unknown Publisher". If you do sign your code, the dialog instead shows your company name and an optional web link to follow for more information. If you plan to distribute on Windows Vista or later, there is another consideration beyond user experience: Windows Vista or later has the ability to prevent any unsigned applications from launching with full privileges. This may impact both installation and application functionality.

Getting a Code Signing Certificate

Code signing certificates are available for purchase from a number of companies, including Verisign, Thawte and Comodo.

During the purchase process, you will be instructed on creating and saving a "private key" file, which will later be used along with your certificate to actually "sign" your software. You will also be asked for a password to protect your private key. Do not misplace any of this information. Each piece is extremely important!

It will take about 3-5 days for your application to be approved and your certificate issued. Keep in mind that you will likely need to provide supporting documentation to prove you actually are who you say you are. It's not something to be taken lightly and will likely require senior management to be involved.

Download SignCode.exe or SignTool.exe

Now that you have a code signing certificate, you'll need to download some software from Microsoft so you can start using it.

  1. The current tool available from Microsoft to digitally sign files is called "SignTool.exe". This tool is installed in the \Bin folder of the Platform Software Development Kit (SDK). You can download the Platform SDK from: http://www.microsoft.com/downloads/details.aspx?FamilyId=A55B6B43-E24F-4EA3-A93E-40C0EC4F68E5
    The previous signing tool, "SignCode.exe", ships only with the .NET Framework SDK versions 1.0 and 1.1.

  2. Install the package to your system and locate one of the two tools (SignCode.exe or SignTool.exe).

Signing your Setups

Once the Authenticode file signing tool is installed on your system, you are ready to start signing your setup.

  1. Before publishing your final setup, select Publish > Settings from the menu and click on the Code Signing tab.

  2. Check the "Code sign setups" checkbox and fill in the available fields including selecting the desired tool's location on your system.

  3. Publish your final setup by selecting Publish > Build.

Tip: See the Code Signing Defaults section of the Preferences (Edit > Preferences, Code Signing page) for configuring defaults to use for code signing your setups every time you start a new project.

Testing your Signature

To verify that everything went according to plan and to view your signature, use the verify command in SignTool.exe. It determines whether the signing certificate was issued by a trusted authority, whether the signing certificate has been revoked, and, optionally, whether the signing certificate is valid for a specific policy. Simply run SignTool.exe and pass it the option verify followed by the full path to the setup file.

Alternatively, you could simply upload the setup to a web site and then download and run it from a computer using Windows XP SP2, or Windows Vista or later. You'll see the same information.
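
The verification step described above can be scripted so that a build fails when the setup is unsigned, altered or untrusted. The following PowerShell script is an added example, not part of the original documentation or the product: it checks the file with the built-in Get-AuthenticodeSignature cmdlet and then cross-checks with SignTool.exe verify. The setup path is a hypothetical placeholder, and SignTool.exe is assumed to be on the PATH.

```powershell
# Added example (not from the original page).
param(
    [string]$SetupPath    = 'C:\Build\MySetup.exe',  # hypothetical setup path
    [string]$SignToolPath = 'signtool.exe'           # assumes SignTool.exe is on PATH
)

function Test-SetupSignature {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Status is 'Valid' only when the file hash matches the signature and the
    # certificate chains to a root that this machine trusts.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Detail      = $sig.StatusMessage
        Publisher   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        CertExpires = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

$result = Test-SetupSignature -Path $SetupPath
$result | Format-List

if ($result.Status -ne 'Valid') {
    Write-Error "Signature check failed: $($result.Status) - $($result.Detail)"
    exit 1
}
if (-not $result.Timestamped) {
    Write-Warning 'No timestamp: the signature may stop validating once the certificate expires.'
}

# Cross-check with SignTool. /pa selects the Default Authentication Verification
# Policy (the one that applies to ordinary code signing certificates);
# /v prints the certificate chain that was evaluated.
& $SignToolPath verify /pa /v $SetupPath
if ($LASTEXITCODE -ne 0) {
    Write-Error "signtool verify failed with exit code $LASTEXITCODE"
    exit 1
}
```

Without /pa, SignTool.exe verify evaluates the file against the Windows driver verification policy, so a setup signed with a standard code signing certificate can be reported as failing even though the signature is good.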

Getting More Information

There are many good resources on the Internet for finding out more about code signing, Authenticode, Windows XP/Vista or later, Security and related issues. Here are a few places to start.

Copyright © 2010 Indigo Rose Software. All rights reserved.