Digital Signatures for Small Projects

Digital signatures are a technology used in Windows to ensure both integrity and authenticity of data. Integrity ensures that the data has not been modified. Authenticity ensures that the data came from the source claimed. Usually this is done by creating a hash of the data and encrypting the hash with public key cryptography. The details of how exactly it works are irrelevant to this post. What is relevant is the public key cryptography concept. The way this works is that there are groups call root certificate providers. These are companies like Verisign, Thawte, and Geotrust. Those companies use their root certificate to issue certificates to other people. They authenticate the recipient of the certificate to varying degrees. Hypothetically, a root certificate provider could issue certificates to anybody that asks. As a result, there are no authenticity guarantees. You would not want their root certificate included in your software. This is where companies like Microsoft come in. Microsoft has a root certificate policy to which root certificate companies must adhere in order for their root certificate to be included in Windows. The chain of trust then is: You trust your copy of Windows to be authentic through the physical certificate of authenticity and now with things like Windows Genuine Advantage there are some digital assurances in place. As a result you trust that Microsoft has included root certificates that follow their reasonably defined root certificate policy.

Let’s say you download AOL Instant Messenger. The installer for it is digitally signed with a certificate for AOL. The AOL certificate is digitally signed using one of the root certificate providers. Consequently, you trust Microsoft, Microsoft trusts root certificate providers, a root certificate provider trusts AOL, and AOL trusts the executable you received to be the one that they released. This chain of trust makes some cool things possible. Windows Live OneCare, for example, will automatically allow digitally signed programs through the firewall. This provides a level of convenience to OneCare users without sacrificing security. Because the software is digitally signed, there is a great chance it is legitimate. In the rare case that it is not legitimate, the antivirus and antispyware components can uniquely identify the digital signature without a false positive. The user remains secure with convenience and AOL doesn’t have to deal with as many support cases regarding firewalls interfering with their instant messenger.

The problem is that the root certificate providers trusted by Microsoft charge money for a code signing certificate. These code signing certificates cost a few hundred dollars. This cost is reasonable for larger companies such as AOL, Google, and others. However, there are far more small scale software projects. Examples include Gaim, 7-zip, and more. In many cases, there is usually only one developer or a single lead developer with occasional contributions from others if the project is open source. This leads me to a problem for which I have been trying to find a solution: Are there any reasonably priced code signing options for these projects? I have talked to developers of these projects and they realize the benefits of code signing, but the costs are out of their reach. What solutions are there?

Having worked with Linux systems, I know about PGP, but that is not how code signing is done in the Windows world. I am searching for a solution for developers of Windows freeware. Let me know if you know of a solution to this problem.

Leave a Reply

Your email address will not be published. Required fields are marked *