We developed an app in .net 4.5. I've done test installs on a few computers with no issues. I haven't code signed anything that I am aware of.

What is code signing and why do I need it????

We developed an app in .net 4.5. I've done test installs on a few computers with no issues. I haven't code signed anything that I am aware of.

What is code signing and why do I need it????

First of all, without a code-signing certificate from a trusted Certificate Authority (CA), you can't do any serious software development today! No way.

Because of the potential damage that a Windows executable can cause to a computer system, it is important that users be able trust code published on the Internet. If you know that an application is signed by "Microsoft, Inc." instead of "IHackYou, LLC", you’ll be much more likely to install it. Code Signing certificates confirm publisher details and content integrity of downloadable code.

As a software publisher, there are four important reasons to sign your code:

1. To prove its Integrity

Digitally signing your code helps to ensure that it cannot be tampered with, either on your servers, or when it is being downloaded to a user’s computer, especially over an insecure protocol like HTTP or FTP. This provides the user the confidence of knowing that the program they’ve just downloaded is the same one that you built.

2. To develop its Reputation

Internet Explorer’s SmartScreen Application Reputation feature helps level the playing field. This feature uses a variety of signals to evaluate the reputation of a given download, including the download history and popularity, anti-virus results, reputation of the site it has been delivered from, and more. The best way to accumulate your good reputation and allow it to benefit all of your software is to digitally sign your code. Signing your code allows the SmartScreen Application Reputation service to recognize a program’s origins, and allow that origin information to influence the reputation of the program. Small publishers benefit the most from this. For instance, while most users have never heard of me, my freeware programs are digitally signed by my certificate, and the clean reputation for my certificate means that SmartScreen Application Reputation can identify them as non-malicious.

When SmartScreen recognizes non-malicious code, the user benefits from a more streamlined trust experience, and fewer security prompts are shown when downloading and running the program. In contrast, unsigned and unknown programs are treated with suspicion and show more security warnings; our data indicates that 25-40% of such programs are eventually determined to be malicious.

And on top of this, most anti-virus or anti-spyware vendors have their own reputation based system (e.g. avast!, Symantec, etc.).

3. Avoid Security Alert with "Unknown Publisher"

Any application that has not been signed with a digital certificate from a trusted CA (Certificate Authority) displays a message that the publisher is "Unknown". Since most software is downloaded from the Internet, the "Unknown Publisher" message might make the user think the software is spyware, and should not be trusted by the recipient. Even worse is that a company wide policy may prohibit the installation of the software no matter what the user thinks. For example, on all modern UAC-aware operating systems (Vista, Windows Server, Windows 7, Windows Server 2008 R2, Windows 8.x, and Windows Server 2012 (R2) an installer that requests administrator execution level privileges (to run elevated) will result in "A referral was returned from the server" error if the "User Account Control: Only elevate executables that are signed and validated" security policy is enabled and the installer is not code-signed. The only solution is to code-sign the install/uninstall.

4. Help to prevent anti-virus "heuristics" from quarantining your executables

Just about EVERY anti-virus application flags an unsigned *.exe file as a virus sooner or later. Signed executables are more likely to be considered benign by antivirus engines or excluded by policy for performance reasons.

To cut a long story short, you should always code-sign all your application files (.exe, .dll, .ocx, etc.) and your install/uninstall.

Does this help?

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

--Helping You Build Better Installations
--SetupBuilder "point. click. ship"
--Create Windows 8 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner

At this point we don't distribute via the internet so that eliminates most of these issues.....HOWEVER, it is something we may want to look at in the future so we're right back at square one. It looks like we'll be getting a certificate.

Thanks.

OK.....so does the code-sign application directive in Setup Builder code sign the installation program I'm creating or my underlying application being installed? Or both? Or neither?

The "problem" is that most (95+%) Windows machines have an anti-virus and/or anti-spyware product installed. So don't be surprised when your unsigned application gets flagged as malicious on a regular basis. And when you run the installer elevated, there is no way around a code-signature at all.

See attached screenshots. You'll definitely see the "Unknown" warning when an app is launched elevated or from a network share. I would never ever give an application access to my system when the Publisher is not verified and Unknown.

Friedrich

To code-sign your install/uninstall, you can go to "General Information" -> "Digital Signature". This lets you code-sign and timestamp (optional) your install and uninstall executables.

To code-sign your own application files (.exe, .dll, .ocx, etc.) you can use the "#code-sign application..." compiler directive.

Friedrich

Cool...that's what I was looking for. I talked to the development team. We're moving from a massive application that we had to custom install for a handful of clients to a small app directed toward small business and home users so these issues are all new to us.

You are a TREMENDOUS resource. I feel sorry for folks still beating their heads against the wall struggling with the "other" installer guys.

Thanks again. I'm putting together a budget to get unforeseen software purchased. I'll add COMODO to my list.

Thanks so much for your kind words! :)

Friedrich