Dave-8759 asked (edited by metablaster)

Signing and trust for indy devs

Hello

I'm working on an open source, completely free, C++ project. It's built using VS community though I'm not sure if that's really relevant.

Currently when my users download the software, they're presented with a defender warning that the software is untrusted.

I've finished a release and would like to deploy it, and I'm struggling to understand how to sign it (so that Defender doesn't mark it as unsafe). In truth I'm a little unclear on whether I need to sign the actual software or the installation package (which I made via Inno Setup), which is what MS flags when it's downloaded from the web. I'd be fine to migrate off of Inno and onto an MS equivalent; Inno's primary task for me (other than copying files) is launching the MS VC++ redistributable.

I didn't notice these issues during development; something about downloading the executable from the web triggers the Defender warning in a way that a local network copy doesn't (even when shared over the network to a VM).


I understand that there are some companies that will sell a certificate to help establish trust, but I'm not sure what a zero-budget indy dev is supposed to do. I'm working on software for academic research and we really don't have money.

I could write this stuff in Python or JavaScript and avoid signing issues, but the project really wants high performance, and (frankly) I really enjoy writing in C++. I was able to find a way for Google to agree to review my software to prevent Chrome from flagging it as untrusted upon download, but I'm concerned that my less-savvy users will really struggle with the MS warning that it might be unsafe.

Does anyone have tips on how to establish trust without some $$$ to grease the wheels? Is there maybe some MS program to help aspiring devs who are working for public good and not private cash?

Thanks!
Dave

Tags: windows-api, c++, vs-general

XiaopoYang-MSFT answered

As the question says, there are some ways, including free ones (Makecert.exe), to sign a file.


makecert is deprecated, and both makecert and its recommended replacement "New-SelfSignedCertificate" appear to be testing tools... I'd like to understand the recommended solution for production.

From my understanding, any self-signed certificate won't provide a means for a developer to earn trust, as the certificate would only have an established trust role on the computer on which it was created? But I could be wrong; I have to admit that this space is confusing and intimidating!


Yes. As the previous answer says, it needs to be manually added as a Trusted Root CA in order for UAC to tell the user running it that it's from a trusted source, but it's risky.

metablaster answered (edited)

In order to better understand the problem, let's first break down basic definitions.

There are 2 kinds of "trust" when it comes to software, called:

  1. Chain of trust

  2. Web of trust

More information about these is here:
What is Chain of trust?
What is Web of trust?

As you can see, to make your software trusted (to the end user) you either purchase a signing certificate from a root authority, which costs money (Chain of trust), or the alternative way is to build a web of trust, which is free of charge (Web of trust).

Web of trust

Web of trust works like this:
1. You generate a public\private key pair (a certificate)
2. Sign your executable with the private key, which creates a signature file
3. Share\Deploy your executable together with the signature file
4. The end user verifies whether the executable is trusted, that is, that it comes from a trusted source

However, the Web of trust method will not stop Windows or Windows Defender from complaining; it will continue to complain that the software is not trusted because Windows uses Chain of trust to validate executable signatures.
Therefore Web of trust requires the end user to allow the executable to be downloaded; the end user then uses separate software that validates the signature of the executable.

This probably does not answer your question, because you want Windows not to complain, which costs money.
If you want to go the route of Web of trust you will need the Gpg4Win suite:

Gpg4Win installs the Kleopatra GUI interface; documentation for Web of trust is here:

Making and verifying signatures

Self signed certificate

A self signed certificate is a third option, but it will not work like Chain of trust, because no root authority has signed it (which is not free).
In order to make that work for free, the end user will have to install your self signed certificate into the trusted root on their local computer,
which some users may not be willing to do, but there is a solution to this...

Before proceeding you should understand what Public Key Cryptography is:

What is Public Key Cryptography?

To create a self signed certificate for software signing, use the Gpg4Win suite.
That suite installs the GUI tool called "Kleopatra", which you can use to create your certificate.
During the certificate creation wizard make sure to check the "Signing" checkbox under the "Advanced" button.

An alternative option to create a self signed certificate is to use the command line tool called Cert2SPC, which is part of the Windows 10 SDK.

Software signing and sharing

To actually sign your executable with the created self signed certificate, use SignTool, which is part of the Windows 10 SDK.

Now, once your executable is signed, you will probably upload it to your server where users download it.

But in order to convince users and, most importantly, their Windows systems, which flag it as untrusted, you will also have to upload your public key,
which is your self signed certificate without the private key (you keep the private key for yourself to sign software).
HINT: Use Kleopatra to export your certificate without the private key.

Prior to downloading your software, users have to download your certificate (public key) and install it into the trusted root; this will make the download
of your software trusted. Your users need to install the certificate only once! Subsequent updates to the executable and/or new software that you
make will be trusted because it originates from you.

Therefore installing that certificate makes you a trusted developer; you only need to ensure your private key is safe and make sure you sign
everything that you make with that private key.

The following document explains how to install your self signed certificate (public key only) into the trusted root on the user's computer:
Installing the trusted root certificate

Now all you have to do is write a short tutorial on the download site to let users know they need your certificate prior to installing the software.

As you can see, there is a reason why certificates cost money: the authority company that makes certificates has its certificate automatically installed
on everyone's system, so users don't need to install that certificate.

You have no other options.

Like my answer, upvote it!
If you have question write it in comment section below.
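The self-signed signing and verification flow described in this answer, as an added example that is not part of the thread: it uses Windows' built-in PowerShell cmdlets instead of Kleopatra/Cert2SPC, signs both the application binary and the Inno Setup installer, and shows what a user's machine reports before and after the public certificate is trusted. File names, the subject name and the output paths are assumptions.

```powershell
# Added example (not from the thread). Assumed: .\Release\MyTool.exe and
# .\Output\MyToolSetup.exe exist; the subject "CN=Dave Indie Tools" is made up.

# --- Developer side ---------------------------------------------------------
# 1. Create a code-signing certificate; the private key stays in this store and
#    is never shipped. Only the exported .cer (public part) goes to users.
$cert = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -Subject 'CN=Dave Indie Tools' `
    -KeyUsage DigitalSignature `
    -KeyAlgorithm RSA -KeyLength 3072 `
    -NotAfter (Get-Date).AddYears(3) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. Export the public certificate only (DER .cer, no private key) for download.
Export-Certificate -Cert $cert -FilePath '.\DaveIndieTools.cer' | Out-Null

# 3. Sign the application AND the installer that wraps it (SmartScreen inspects
#    the downloaded installer; the inner exe is what runs afterwards). A
#    timestamp keeps the signature verifiable after the certificate expires.
$files = '.\Release\MyTool.exe', '.\Output\MyToolSetup.exe'
foreach ($f in $files) {
    $sig = Set-AuthenticodeSignature -FilePath $f -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'
    '{0}: {1}' -f $f, $sig.Status
}

# --- What a user's machine sees -------------------------------------------
# Chain validation: with the .cer absent from Trusted Root the chain ends in
# an untrusted root and Status is UnknownError (not Valid), which is exactly
# why Windows still warns after a self-signed signature.
function Test-MySignature([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status          # Valid | UnknownError | NotSigned | HashMismatch
        Message     = $sig.StatusMessage
        Signer      = $sig.SignerCertificate.Subject
        Timestamped = $null -ne $sig.TimeStamperCertificate
    }
}
Test-MySignature '.\Output\MyToolSetup.exe'   # expected: UnknownError on a fresh machine

# --- User side (run elevated, once) -----------------------------------------
# Trusting the developer's public certificate turns Status into Valid for
# everything signed with that key, so the user must obtain the .cer from a
# source they already trust (the project's own site, not a mirror).
# Import-Certificate -FilePath '.\DaveIndieTools.cer' -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
# Test-MySignature '.\Output\MyToolSetup.exe'   # expected: Valid
```

Note that the Defender SmartScreen download prompt also weighs reputation that Microsoft has collected for the file and its signing certificate, so a locally trusted self-signed certificate clears the "unknown publisher" chain check but may not remove that prompt by itself.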
