Software Digital Signature

I want to know more about digital signatures: how digital signature companies sign software code, and how to start a digital signing company?
Asked by: Mohamed Abowarda
5 Solutions
 
jakosysadminCommented:
Your search terms should be "Class 3 PKI" and probably "steep initial investment", both HR- and HW-wise.. ;)
0
 
Mohamed AbowardaSoftware EngineerAuthor Commented:
@jakopriit: I need more explanation.

Actually, I want to know how I can digitally sign a software EXE myself.
0
 
gtkfreakCommented:
You can self-generate a certificate and then use that to self-sign your code using OpenSSL. Alternatively, see this link on code signing.
http://www.top20toolbar.com/misc/codesigncert.htm
0
 
Mohamed AbowardaSoftware EngineerAuthor Commented:
@gtkfreak: How can I self-generate a certificate? Also, what commands do I need to use in OpenSSL to sign the code?
0
 
m_walkerCommented:
Have a read of this:

http://msdn.microsoft.com/en-us/library/bb530410.aspx#vistauac_topic6h

On that page go to section "8. Authenticode Sign Your Application".

0
 
gtkfreakCommented:
0
 
Mohamed AbowardaSoftware EngineerAuthor Commented:
@gtkfreak: Thanks! One more thing: how can I build a trusted company to commercially sign code, like VeriSign, Thawte, etc....
0
 
m_walkerCommented:
If you want to sign certificates that will work on 3rd party computers, they will need to be signed by a known CA (Certificate Authority) such as VeriSign. Without that, they won't be able to verify your certificate is valid.
I think you can buy a certificate from some top level CAs that will let you sign others, but it will cost you (if you can still get them). You will also have to prove you have the correct setup in place and pass all audits.

The key reason it is hard is you need to have your signing public certificate published, then that needs to be installed into every browser in the world to work; this is done via product updates from Windows, Apple, Firefox etc....

If you can sign certificates, then you can forge certificates (hence the audits). If just anyone could do it, then SSL would be worthless.

You could try looking at re-selling, like at: http://www.instantssl.com/ssl-certificate-affiliates/resellers/ssl-certificate-index.html
In which case you don't sign them yourself, but can get them signed at the CA.
0
 
Mohamed AbowardaSoftware EngineerAuthor Commented:
> "this is down via product updates from windows, apple, firefox etc...."

How can I make my certification imported on all browsers in the world by OS updates, firefox updates, etc...?
0
 
m_walkerCommented:
You need to be a registered CA, else you cannot do it. If your certificate is signed by a registered CA then you don't need to have hosts know about it, as it can be verified by one of the installed root and intermediate CAs already published.

I don't have the doc reference atm, but in order to become a CA there is a list of things you must meet, and pass an audit. These are things like having your top level private certificate offline on a computer that is in a secure location and NEVER gets connected to the internet (eg: in a safe). That certificate is used to sign your intermediate certificates, which are used to sign user certificates. You need to prove that no-one can get a certificate signed unless it's valid. You will need to demonstrate how you verify that someone is entitled to the requested certificate.

eg: Let's say your bank has a web site www.abcbank.com. When you visit that web site it d/l's the certificate from the web site. In there will be a CN=www.abcbank.com .... Now if I make a certificate with CN=www.abcbank.com then I would have the private key and could fake the bank's SSL connection... this is bad.

Search the net for "how to be a root level CA" or similar.
0
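The chain m_walker describes, and gtkfreak's OpenSSL self-signing suggestion earlier in the thread, as an added example that is not code from the thread: an (offline) root signs an intermediate, the intermediate signs a code-signing leaf, and a verifier trusting only the root validates the leaf and a detached CMS signature made with it, while a look-alike self-signed certificate with the same CN (the www.abcbank.com point) is rejected. It assumes OpenSSL 1.1.1 or later on the PATH; every name is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the chain m_walker describes
# with OpenSSL in a temp dir: an (offline) root signs an intermediate, the
# intermediate signs a code-signing leaf, and a verifier trusting only the root
# validates the leaf and a detached CMS signature made with it, while a
# look-alike self-signed cert with the same CN is rejected. All names are
# placeholders; a real EXE is signed with signtool/osslsigncode using such a cert.
set -eu
WORK=$(mktemp -d)
# minimal req config so the result does not depend on the system openssl.cnf
printf '[req]\ndistinguished_name=dn\n[dn]\n[root]\nbasicConstraints=critical,CA:TRUE\n' \
    > "$WORK/req.cnf"
REQ="openssl req -config $WORK/req.cnf -new -newkey rsa:2048 -nodes"

# csr NAME SUBJECT -> NAME.key, NAME.csr
csr() { $REQ -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null; }
# issue NAME ISSUER EXTENSIONS: sign NAME.csr with ISSUER's key -> NAME.crt
issue() {
    printf '%b\n' "$3" > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}
build_chain() {
    # root: self-signed CA; in production this key lives on an offline machine
    $REQ -x509 -days 30 -subj "/CN=Example Root CA" -extensions root \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    csr inter "/CN=Example Issuing CA"
    issue inter root "basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign"
    csr leaf "/CN=Example Software Ltd"
    issue leaf inter "basicConstraints=CA:FALSE\nextendedKeyUsage=codeSigning"
    # look-alike: same CN as the leaf but self-signed, so no path to the root
    $REQ -x509 -days 30 -subj "/CN=Example Software Ltd" \
        -keyout "$WORK/fake.key" -out "$WORK/fake.crt" 2>/dev/null
}
# verify_cert NAME -> ok/fail, trusting only root.crt (intermediate is untrusted input)
verify_cert() {
    if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
        "$WORK/$1.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
# sign_and_verify SIGNER -> ok/fail: detached CMS signature over a constructed payload
sign_and_verify() {
    echo "constructed sample payload" > "$WORK/app.bin"
    openssl cms -sign -binary -in "$WORK/app.bin" -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -certfile "$WORK/inter.crt" -outform DER -out "$WORK/app.sig" 2>/dev/null
    # -purpose any: the default S/MIME purpose would reject a codeSigning-only EKU
    if openssl cms -verify -binary -inform DER -in "$WORK/app.sig" -content "$WORK/app.bin" \
        -CAfile "$WORK/root.crt" -purpose any -out /dev/null 2>/dev/null
    then echo ok; else echo fail; fi
}
```

Source the file, run build_chain, then compare verify_cert leaf (ok) with verify_cert fake (fail), and sign_and_verify leaf (ok) with sign_and_verify fake (fail).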
 
Mohamed AbowardaSoftware EngineerAuthor Commented:
@m_walker: I need to know where I can register as a CA and become a root level CA, and where I can prove the things you mentioned?

Thanks,
0
 
gtkfreakCommented:
Difficult but not impossible. You will have to look it up yourself. If you want to sign macros / code just for one computer, you can look around for selfcert.exe to get a self signed certificate. Note that this will only run on the computer where it was signed.
0
 
Mohamed AbowardaSoftware EngineerAuthor Commented:
@gtkfreak: I have already done a self-signed certification, however I am not sure whether I need to contact Microsoft, Firefox and all the web browser companies to ask them to publish the certification with their updates and make it worldwide trusted.
0
 
jakosysadminCommented:
Your little enterprise WILL NOT be accepted as root level CA unless it _strictly_ adheres to rules and regulations set. And to do that you need steep initial investments (the first post). Business continuity is a major concern. Utmost data security - you need to guard your root private keys better than your life. You need to set up comprehensive verification procedures for applicants. Etc, etc.
0
 
TomasPCommented:
In short, forget about being a CA. It is expensive and, per the others' comments, this is something you must not just roll yourself. The whole concept is built around a chain of trust where the most trusted is at the root. In short, what you offer is the equivalent of saying "I am me because I say I am me". Not worth much in the security world.
If you are serious about signing your code so it is trusted, do some research about buying a CODE signing certificate from a well known CA.
0
 
Mohamed AbowardaSoftware EngineerAuthor Commented:
@TomasP: No! I could do CA business later on; that's why I posted that question.

Being expensive doesn't mean it's impossible. I don't want frustration, please. If anyone knows what to do, in steps, to become a root CA, no matter how much time it will take or how much money, etc... please post.
0
 
TomasPCommented:
The mechanical steps of being a root CA issuing self-signed certs can be found here:

http://www.g-loaded.eu/2005/11/10/be-your-own-ca/
http://www.ibm.com/developerworks/lotus/library/ls-Certification_Authority/?S_TACT=105AGX99&S_CMP=CP

Start with the basics of setting up an internal CA as noted above.
Build the internal CA until it can offer CA services to partner companies. This is building the trust. When the pool of clients that trust you is large enough, spin away from the parent company.

0
 
Mohamed AbowardaSoftware EngineerAuthor Commented:
@TomasP: OK, that's great. What's the difference between a normal certificate and an extended validation certificate?
0
 
TomasPCommented:
No difference in cryptography, but the CA undergoes a more stringent background check/interview and, once passed and having undergone a deeper audit, can offer certs marked as extended... more trustworthy.
0
 
Mohamed AbowardaSoftware EngineerAuthor Commented:
@TomasP: I still don't understand the difference between a normal certificate and an extended validation certificate. Technically, how does the browser recognize whether this is a normal certificate or an extended validation certificate?
0
 
TomasPCommented:
This document will help you understand the policy property in the certificate and how it should be handled:

http://www.cabforum.org/Guidelines_v1_2.pdf

This is an excerpt from wikipedia: http://en.wikipedia.org/wiki/Extended_Validation_Certificate#Extended_Validation_certificate_identification
"EV certificates are standard x.509 digital certificates. The primary way to identify an EV certificate is by referencing the Certificate Policies extension field. Each issuer uses a different object identifier (OID) in this field to identify their EV certificates, and each OID is documented in the issuer's Certification Practice Statement"

0
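The identification rule in the Wikipedia excerpt above, as an added example that is not code from the thread: a relying party keeps a table of (issuer, EV policy OID) pairs and treats a certificate as EV only when its Certificate Policies extension carries the OID registered for that issuer. It assumes OpenSSL 1.1.1 or later; "Example CA" and both OIDs (under a private-enterprise arc) are made-up placeholders, not any real CA's values.

```shell
#!/bin/sh
# Added example, not from the thread. The EV identification rule in miniature:
# a relying party keeps a table of (issuer, EV policy OID) pairs and treats a
# cert as EV only if its Certificate Policies extension carries the OID
# registered for that issuer. Both OIDs are made-up placeholders under a
# private-enterprise arc, not any real CA's EV OID; "Example CA" is fictional.
set -eu
WORK=$(mktemp -d)
EV_OID=1.3.6.1.4.1.99999.1.1   # constructed: Example CA's EV policy
OV_OID=1.3.6.1.4.1.99999.1.2   # constructed: Example CA's ordinary policy
# what a browser would ship: issuer DN -> the one OID that means EV for it
EV_TABLE="CN=Example CA|$EV_OID"

# make_cert NAME POLICY_OID: self-signed test cert carrying one policy OID
make_cert() {
    printf '[req]\ndistinguished_name=dn\n[dn]\n[pol]\ncertificatePolicies=%s\n' "$2" > "$WORK/$1.cnf"
    openssl req -config "$WORK/$1.cnf" -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example CA" -extensions pol \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
# policy_oids NAME: dotted OIDs listed in the Certificate Policies extension
policy_oids() {
    openssl x509 -in "$WORK/$1.crt" -noout -text |
        awk '/X509v3 Certificate Policies/ {f=1; next}
             f && /^ *Policy: [0-9.]+/      {print $2; next}
             f && /^ *(X509v3|Signature)/   {f=0}'
}
# issuer_dn NAME: issuer in RFC 2253 form, e.g. CN=Example CA
issuer_dn() { openssl x509 -in "$WORK/$1.crt" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'; }
# is_ev NAME -> yes/no: EV only if the issuer's registered OID is among the cert's policies
is_ev() {
    want=$(printf '%s\n' "$EV_TABLE" | awk -F'|' -v i="$(issuer_dn "$1")" '$1 == i {print $2}')
    [ -n "$want" ] || { echo no; return 0; }      # issuer has no EV OID registered
    for oid in $(policy_oids "$1"); do
        [ "$oid" = "$want" ] && { echo yes; return 0; }
    done
    echo no
}
```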
