Signcoding 3rd part redistributables

[NewsArchive]

I just came across something missing in my SB script that caused me to pause
for a thought .....

3rd party redistributables such as FM3's Autonet.exe and TPSFix.exe and
Capesofts Makeover Styler.exe.

Should they not be codesigned by the author? Yes, of course I can and will
do that but just curious if anyone had thought about this? Not a problem for
me as mentioned but perhaps a thought for the community at large as some may
not have access to codesigning facilities perhaps? Mind you, if not then
they should not be producing Vista applications anyway but I just realised
that I do not code sign my redistributables and need to.

FWIW

John Fligg

[NewsArchive]

> Should they not be codesigned by the author? Yes, of course I can and will
> do that but just curious if anyone had thought about this? Not a problem for
> me as mentioned but perhaps a thought for the community at large as some may
> not have access to codesigning facilities perhaps? Mind you, if not then
> they should not be producing Vista applications anyway but I just realised
> that I do not code sign my redistributables and need to.

John,

I think that authors should sign 3rd party exes that they distribute
because as far as the end user is concerned - the author IS the source for
them.

I also think that having only ONE code sign authority lessens any
possibility of confusion by the end user ( example - they know who you are
because they purchased the program from you, but they have no idea who
CapeSoft is - so most likely if prompted by Vista to run a program from an
unknown entity they would say NO - thus defeating your program).


As far as anyone not having access to code signing...

With the release of Vista and heightened installer and security
requirements, that company is already out of business unless they take
steps to get a code sign certificate and a Vista compatible installer.

There are some "dead" companies out there that may think that this does not
apply to them, but the world is just waiting for them to fall down and act
properly dead.


Code Signing and a SetupBuilder class installer are no longer an option.

;-)

Charles


--
-------------------------------------------------------------------------------------------------------
Charles Edmonds

www.clarionproseries.com - "Serious imaging tools for Clarion Developers"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms!"
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

[NewsArchive]

Thanks Charles - my sentiments precisely.

I just thought I would raise the issue because I realised I had not
codesigned some of my exe's. Now I have <g>

John

[NewsArchive]

Hi John,

>Should they not be codesigned by the author? Yes, of course I can and

If the compiles are to be distributed with your compiles, i.e. they
are not linked in (local) or they are exes etc. they should be
codesigned. Even tools that are developer exes only are being
codesigned in my new installs.

I've been trying out some software lately and it amazes me how many
installs are still not code signed! I even downloaded some (small)
installer from MS that was not codesigned!

Just my $0.01<g>

Best regards,

Arnór Baldvinsson
Icetips Creative, Inc.
San Antonio, Texas, USA
www.icetips.com


Subscribe to information from Icetips.com:
http://www.icetips.com/subscribe.php

[NewsArchive]

John,

It is indeed a good idea (and one that we've tackled briefly previously). I
was going to get SetupBuilder to sign all the EXEs included in the installs
at install creation time, but there's an issue at present where the install
does not compile if there is nothing to code sign (as only a couple of
products have included EXEs). I'll need to relook at this.

--
Geoff (Capesoft)

CapeSoft - where the computer obeys you!!
www.capesoft.com

http://www.capesoft.com

[NewsArchive]

Not a problem Geoff. But the arguments put forward that clients might not
know who Aapesoft are could raise some issues. They do make sense. i.e. The
client knows my company so will accept anything from me whereas any mention
of Capesoft may cause problems.

Would it not be best to allow the developer to codesign the included exe's?

Not that I wish to take away any security or marketing opportunities from
Capesoft of course.

John

[NewsArchive]

John,

> Would it not be best to allow the developer to codesign the included exe's?

No reason they can't.

Beginning with the latest AFE server installer, which includes several
EXE's, they are all signed by me but the developer can sign them again
before distribution if desired. In either event they are signed which
makes the difference.

As an example I took the Clarion 7 EXE and signed it with my cert. No
problem, well other than now it has my signature on it!<g>

--
Lee White

http://CWaddons.com
http://LodestarSoftware.com
http://DeveloperPLUS.com

Programmer: code writer working with a schema provided by a DBA
DBA.......: egghead who designs database schemas
Developer.: drain bamaged masochist that does BOTH!

[NewsArchive]

> As an example I took the Clarion 7 EXE and signed it with my cert. No
> problem, well other than now it has my signature on it!<g>

No worries... I made a copy first and replaced it after!<g>

--
Lee White

http://CWaddons.com
http://LodestarSoftware.com
http://DeveloperPLUS.com

Programmer: code writer working with a schema provided by a DBA
DBA.......: egghead who designs database schemas
Developer.: drain bamaged masochist that does BOTH!

[NewsArchive]

Lee,

Cool - that's the news I'm after. Makes sense that you can supercede the
original signature.

--
Geoff (Capesoft)

CapeSoft - where the computer obeys you!!
www.capesoft.com

http://www.capesoft.com

[NewsArchive]

> know who Aapesoft are
Who is Aapesoft anyway? <g>

> Would it not be best to allow the developer to codesign the included
> exe's?
Yeah - I guess if re-signing an EXE supercedes a previous signature then
that would be on the money. My thoughts are that it would be better to have
a signed exe (for those who don't sign) than an unsigned one - but if a
subsequent signing does not supercede a previous one, then I guess it would
probably be better to leave them unsigned.

> Not that I wish to take away any security or marketing opportunities from
> Capesoft of course.
LOL - no, it'll only come back to haunt us. At some stage we added an icon
to the Access Control windows of Secwin, which points to www.capesoft.com.
Quite frequently we get some one mailing us pleading for an activation code
or the like because their supplier has dropped off the planet.

--
Geoff (Capesoft)

CapeSoft - where the computer obeys you!!
www.capesoft.com

http://www.capesoft.com