Question:
I use Kaspersky antivirus and for it to allow my software, written in Delphi, to run I needed to mark it as trustworthy software.
The reason Kaspersky gave was that the software is unreliable because it is not digitally signed.
Looking at the link that @epx passed, I could verify that it is necessary to use certificates to make the digital signature:
Before you can get started, you'll need a code-signing certificate and associated private key.
Right after, it says that I can generate a key in my own infrastructure:
You can generate your own code-signing certificate using your internal Windows public key infrastructure (PKI) or you can buy one from a commercial Certification Authority (CA) such as Verisign.
So I would like to know:
1- What is digital signing of software?
2- Do I really need it to distribute software and not have the same kind of problem with Kaspersky and other antivirus programs?
3- How do I digitally sign my software?
4- How do I generate this certificate in my own infrastructure?
5- Would it be accepted by *Kaspersky*, for example?
Answer:
You actually asked several questions that might be better explored separately, but I will try to answer anyway.
Roughly speaking, a digital signature is like the notarization and authentication of documents at a registry office, except for digital files. It confirms who issued the file and that the file has not been altered since it left the creator's hands.
Signing code or executables for Windows is what Microsoft calls Authenticode.
Some Microsoft articles on the subject:
Introduction to code signing
Authenticode on MSDN
Explanation about Authenticode on the blog
Creating, viewing and managing certificates
To digitally sign you need a certificate. You can generate a certificate for yourself using OpenSSL or MakeCert. But since you are not recognized by other companies as someone who issues trusted certificates, not everyone will give your software complete trust. It's up to you to check whether a signature generated by you will solve your problem or not.
Below is a list of some certificate sellers that are generally considered trustworthy:
http://www.verisign.com
http://www.thawte.com
http://www.globalsign.net
http://www.geotrust.com
A cheaper alternative is to obtain the certificate from the COMODO company via the Tucows website: https://author.tucows.com/article.php?sid=&account_id=&id=2536
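As an added example (not part of the answer above), the self-signed route the answer describes can be done with the cmdlets built into Windows PowerShell instead of MakeCert or OpenSSL: create a code-signing certificate, Authenticode-sign the executable, and inspect the verification status. The file path `.\MyApp.exe`, the subject name and the timestamp server URL are placeholders/assumptions.

```powershell
# Added example, not from the original answer: self-signed Authenticode signing
# with built-in PowerShell cmdlets. Assumes Windows PowerShell 5.1 or later and a
# Delphi-built executable at .\MyApp.exe (placeholder path).
$exe = '.\MyApp.exe'

# 1. Self-signed certificate flagged for code signing (EKU 1.3.6.1.5.5.7.3.3),
#    stored in the current user's personal store with an exportable private key.
$cert = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -Subject 'CN=Example Software Dev (self-signed)' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(3)

# 2. Sign the executable. Countersigning with an RFC 3161 timestamp server keeps the
#    signature valid after the certificate expires (server URL is an assumption).
$sig = Set-AuthenticodeSignature -FilePath $exe -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'
"Signing result: {0}" -f $sig.Status

# 3. Verify. Status is 'Valid' only when the chain ends in a trusted root. With a
#    self-signed certificate that this machine has not been told to trust, the file is
#    untampered but the status is 'UnknownError' with a "root certificate which is not
#    trusted" message, which is exactly the trust gap the answer warns about.
$check = Get-AuthenticodeSignature -FilePath $exe
"{0}: {1} - {2}" -f $exe, $check.Status, $check.StatusMessage
"Signer: {0}" -f $check.SignerCertificate.Subject

# 4. To make the certificate trusted on machines you control (e.g. your own workstations
#    or an internal PKI scenario), export the public part and import it into the
#    Trusted Root and Trusted Publishers stores there (requires admin rights).
Export-Certificate -Cert $cert -FilePath '.\dev-codesign.cer' | Out-Null
# Import-Certificate -FilePath '.\dev-codesign.cer' -CertStoreLocation 'Cert:\LocalMachine\Root'
# Import-Certificate -FilePath '.\dev-codesign.cer' -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher'
```

Machines that have not imported the certificate, including antivirus reputation checks, will still see an untrusted chain, so a certificate from a publicly trusted CA is what removes the warning for customers.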