Signing and trust for indy devs

Dave 1 Reputation point
2021-09-06T22:39:15.05+00:00

Hello

I'm working on an open source, completely free, C++ project. It's built using VS community though I'm not sure if that's really relevant.

Currently when my users download the software, they're presented with a defender warning that the software is untrusted.

I've finished a release and would like to deploy it and I'm struggling to understand how to sign it (so that defender doesn't mark it as unsafe). In truth I'm a little unclear on whether I need to sign the actual software or the installation package - which I made via Inno Setup - which is what MS flags when it's downloaded from the web. I'd be fine to migrate off of Inno and onto a MS equivalent, Inno's primary task for me (other than copying files) is launching the MS VC++ redistributable.

I didn't notice these issues during development, something about downloading the executable from the web triggers the defender warning in a way that a local network copy doesn't (even when shared over network to a VM).

I understand that there are some companies that will sell a certificate to help establish trust, but I'm not sure what a zero-budget indy dev is supposed to do. I'm working on software for academic research and we really don't have money.

I could write this stuff in Python or JavaScript and avoid signing issues, but the project really wants high performance, and (frankly) I really enjoy writing in C++. I was able to find a way for Google to agree to review my software to prevent Chrome from flagging it as untrusted upon download, but I'm concerned that my less-savvy users will really struggle with the MS warning that it might be unsafe.

Does anyone have tips on how to establish trust without some $$$ to grease the wheels? Is there maybe some MS program to help aspiring devs who are working for public good and not private cash?

Thanks!
Dave


2 answers

  1. metablaster 91 Reputation points
    2021-09-07T06:30:29.823+00:00

    In order to better understand the problem, let's first break down basic definitions.

    There are 2 kinds of "trust" when it comes to software, called:

    1. Chain of trust
    2. Web of trust

    More information about these is here:
    What is Chain of trust?
    What is Web of trust?

    As you can see, to make your software trusted (to the end user) you either purchase a signing certificate from a root authority, which costs money (Chain of trust), or
    the alternative way is to build a web of trust, which is free of charge (Web of trust).

    Web of trust

    Web of trust works like this:

    1. You generate a public/private key pair (a certificate)
    2. Sign your executable with the private key, which creates a signature file
    3. Share/deploy your executable together with the signature file
    4. The end user verifies whether the executable is trusted, that is, that it comes from a trusted source

    However, the Web of trust method will not stop Windows or Windows Defender from complaining; it will continue to complain that the software is not trusted because
    Windows uses Chain of trust to validate executable signatures.
    Therefore Web of trust requires the end user to allow the executable to be downloaded; the end user then uses separate software that validates the signature of the executable.

    This probably does not answer your question, because you want Windows not to complain, which costs money.
    If you want to go the route of Web of trust you will need the Gpg4Win suite:

    Gpg4Win installs the Kleopatra GUI interface; documentation for Web of trust is here:

    Making and verifying signatures

    Self signed certificate

    A self signed certificate is a third option, but it will not work like Chain of trust, because no root authority has signed it (which is not free).
    In order to make that work for free, the end user will have to install your self signed certificate into trusted root on their local computer,
    which some users may not be willing to do, but there is a solution to this...

    Before proceeding you should understand what Public Key Cryptography is:

    What is Public Key Cryptography?

    To create a self signed certificate for software signing use the Gpg4Win suite.
    That suite installs the GUI tool called "Kleopatra", which you can use to create your certificate.
    During the certificate creation wizard make sure to check the "Signing" checkbox under the "Advanced" button.

    An alternative option to create a self signed certificate is to use the command line tool called Cert2SPC, which is part of the Windows 10 SDK.

    Software signing and sharing

    To actually sign your executable with the created self signed certificate use SignTool, which is part of the Windows 10 SDK.

    Now once your executable is signed you will probably upload it to your server where users download it.

    But in order to convince users and, most importantly, their Windows systems which flag it as untrusted, you will also have to upload your public key,
    which is your self signed certificate without the private key (you keep the private key for yourself to sign software).
    HINT: Use Kleopatra to export your certificate without the private key.

    Users, prior to downloading your software, have to download your certificate (public key) and install it into trusted root; this will make the download
    of your software trusted. Your users need to install the certificate only once! Subsequent updates to the executable and/or new software that you
    make will be trusted because it originates from you.

    Therefore installing that certificate makes you a trusted developer; you only need to ensure your private key is safe and make sure you sign
    everything that you make with that private key.

    The following document explains how to install your self signed certificate (public key only) into trusted root on the user's computer:
    Installing the trusted root certificate

    Now all you have to do is write a short tutorial on the download site to let users know they need your certificate prior to installing the software.

    As you can see, there is a reason why certificates cost money: the authority company that makes certificates has its certificate automatically installed
    on everyone's system, so users don't need to install its certificate.

    You have no other options.

    Like my answer, upvote it!
    If you have a question, write it in the comment section below.

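The self signed certificate flow from the answer above, written out as an added PowerShell example (not the answerer's code, and not Microsoft's) that uses the built-in certificate cmdlets in place of Kleopatra, SignTool and the manual import; the file paths, subject name, validity period and timestamp server are assumptions.

```powershell
# Added example: self-signed Authenticode signing plus user-side trust of the
# developer's public certificate. Paths, subject and timestamp server are assumed.
$ErrorActionPreference = 'Stop'
$ExePath  = 'C:\release\MyResearchTool-Setup.exe'    # assumed: the Inno Setup installer
$CertFile = 'C:\release\MyResearchTool-public.cer'   # public key only, published for download

# --- Developer side ---------------------------------------------------------
# 1. Create a self-signed code-signing certificate. -Type CodeSigningCert sets the
#    Code Signing EKU; the private key stays in the developer's personal store.
$cert = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -Subject 'CN=My Research Tool Project' `
    -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(3) `
    -CertStoreLocation 'Cert:\CurrentUser\My'
"Publish this fingerprint next to the download: $($cert.Thumbprint)"

# 2. Sign the installer. The RFC 3161 timestamp keeps the signature valid after the
#    certificate itself expires. On the signing machine the returned Status is
#    'UnknownError' (chain ends in an untrusted root) until step 5 has been done.
Set-AuthenticodeSignature -FilePath $ExePath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com' | Out-Null

# 3. Export the public certificate only (no private key) for users to download.
Export-Certificate -Cert $cert -FilePath $CertFile -Type CERT | Out-Null

# --- User side (elevated PowerShell, done once) -----------------------------
# 4. Before trusting the root, Windows cannot build a chain for the signature:
#    Status is 'UnknownError' with a "root certificate which is not trusted" message.
$before = Get-AuthenticodeSignature -FilePath $ExePath
"Before import: $($before.Status) - $($before.StatusMessage)"

# 5. Compare the file's fingerprint with the one the developer published out of
#    band, then import it into Trusted Root Certification Authorities.
$downloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
if ($downloaded.Thumbprint -ne $cert.Thumbprint) { throw 'Fingerprint mismatch, do not import.' }
Import-Certificate -FilePath $CertFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 6. The chain now ends in a trusted root, so the signature validates ('Valid').
$after = Get-AuthenticodeSignature -FilePath $ExePath
"After import: $($after.Status), signer $($after.SignerCertificate.Subject)"
```

Steps 1 to 3 run on the developer's machine and steps 4 to 6 on each user's machine; in a real deployment the user compares the fingerprint against one published by the developer rather than against `$cert` as this single-machine script does.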

  2. Xiaopo Yang - MSFT 11,746 Reputation points Microsoft Vendor
    2021-09-07T03:17:41.067+00:00

    As the question says, there are some ways, including free ones (Makecert.exe), to sign a file.