Code signing, catalog files etc.


Just an idea - what about to use code signing and catalog files just in the way it was supposed to use them?

I see at least these possible advantages:

- all updates and hotfixes for Windows ME would seamlessly install without the use of the nircmd utility and other tricks.

- all updates, hotfixes etc. would be signed so anybody who downloaded them would be able to test the integrity and origin.

- maybe it would also make it possible to offer slipstreamed IE6.0SP1 for download, exactly as it is from Microsoft, when Microsoft stops the support. (IE5.5SP2 is already crippled on the Microsoft download servers, the first cab for each platform is missing, so you can add components, but not install it from scratch)

- maybe also the functionality of Windows Update site could be duplicated (after Microsoft will close it)

In general, I see two possibilities how to manage these certificates.

1. To buy commercial code signing certificate (is this sufficient?), or

2. To create our own root certificate authority.

Both approaches would have some advantages and disadvantages.

- commercial certificate is not free of charge. I did not do deep research but it looks like Comodo code signing certificate for € 99 per year could be the right one. I think I could donate this amount if necessary.

- Own certificates would not be recognized by Windows by default, the root certificate has to be imported at first.

- Own root certificate would mean that all people involved could use their own code signing certificate.

- Own root certificate would mean to use also own timestamping service (?)

- Official certificate would mean that the person who would create all the .CAT files and who would sign all files would be clearly expressed - do we accept this?

Some details about code signing process are here: http://www.instantssl.com/code-signing/cod...ng-process.html

SIGNCODE.EXE is part of IEAK6 for example, CHKTRUST.EXE is part of IEAK4 or Visual Studio .NET

My feeling is that everything is very easy - but only if you know how to do it. Is here anybody experienced?

Any comments?

Petr
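The trade-off in option 2 above, as an added example that is not part of the original post and does not use the Windows .CAT format or SIGNCODE.EXE: an OpenSSL analogue in which a private root issues a code-signing certificate, that certificate signs a catalog of file hashes, and verification passes only once the root is explicitly trusted. It assumes `openssl` and `sha256sum` are installed; all subject names, file names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: private root CA -> code-signing certificate -> signed hash catalog.
# Every name here (subjects, file names, function names) is constructed for illustration.
set -e
WORK=$(mktemp -d)

build_signed_catalog() (
  cd "$WORK"
  # Root CA key and self-signed certificate: the one item users must import by hand.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Project Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in root.csr -signkey root.key -days 3650 \
    -extfile ca.ext -out root.crt 2>/dev/null
  # One contributor's certificate, issued by the root and limited to code signing.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Contributor" \
    -keyout signer.key -out signer.csr 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=codeSigning\n' > leaf.ext
  openssl x509 -req -in signer.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 365 -extfile leaf.ext -out signer.crt 2>/dev/null
  # Constructed update files, a catalog of their hashes, and a detached signature over it.
  printf 'constructed hotfix payload\n' > hotfix.bin
  printf 'constructed setup script\n' > setup.inf
  sha256sum hotfix.bin setup.inf > catalog.txt
  openssl cms -sign -binary -in catalog.txt -signer signer.crt -inkey signer.key \
    -outform DER -out catalog.p7s 2>/dev/null
)

# verify_catalog [trust options]: origin first (signature chains to a trusted root),
# then integrity (every listed file still matches its catalog hash).
verify_catalog() (
  cd "$WORK"
  openssl cms -verify -binary -inform DER -in catalog.p7s -content catalog.txt \
    -purpose any "$@" -out /dev/null 2>/dev/null &&
  sha256sum -c catalog.txt >/dev/null 2>&1
)

build_signed_catalog
verify_catalog -CAfile root.crt && echo "root imported: catalog and files accepted"
verify_catalog || echo "root not imported: signer is not trusted"
printf 'tampered\n' >> "$WORK/hotfix.bin"
verify_catalog -CAfile root.crt || echo "modified file: hash no longer matches the catalog"
```

The certificate carries only the `codeSigning` extended key usage, which is why verification passes `-purpose any`; OpenSSL's default S/MIME purpose check would reject it.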

I thought code-signing only worked when compiling a project. Didn't know you could attach digital signatures afterwards. Well if this is true I'll go for solution two :)
