Digital signatures are used to verify the integrity and authenticity of digital messages, including software such as Setup packages. Assuming that the recipient has the means and the know-how, no modification to the message goes undetected and the recipient also knows who signed the message. This is why digital signatures are so important in the world of electronic software distribution.
Actually using digital signatures, either as a signer or as a recipient, takes some effort. It is up to you to decide whether the result is worth the trouble. If you decide that you do want to use digital signatures for your Setup packages, then InstallMate tries hard to make that as painless as possible; refer to Digitally Signing the Setup Package to see how. Meanwhile, the following information might help you to come to grips with the concept of digital signatures. Be sure to check the references in For further information as well; ours is not the final word on digital signatures.
As mentioned above, digital signatures are used as integrity checks and to identify the person or organization who signed the message. Whether or not the signer is the same entity as the author of the message is a different matter, which we'll leave out of consideration here.
In theory, a digitally signed electronic message (or software package) cannot be modified without the recipient noticing, although the nature of the change is generally not known. By the same theory, the signer of the message cannot deny that he signed the message, or if he does, the recipient can prove otherwise.
In practice, things are not quite so simple and clear-cut.
- First and foremost, many recipients do not bother or know how to check digitally signed software. The InstallMate distribution is digitally signed by Tarma Software Research; did you check our signature before installing InstallMate on your computer? If a recipient doesn't check the signature, then it might as well not have been there in the first place. Fortunately, recent web browsers automatically check for the presence of a digital signature if you try to download and run a program from the Internet, which is a good first line of defense. However, Windows itself does not, so once the software is on your computer it is implicitly trusted and no one will check the signature if you don't.
- Second, even if the recipient did remember to check the signature and even if it appears to be good, how do you know that the signer of the message or software package is really the person or organization that he claims to be? This depends on the information in the signature certificate (see step 6 in the procedure above), which in turn is signed by yet another party to vouch for that information. Clearly, this introduces a chicken-and-egg problem, which in practice is resolved by having a limited number of implicitly trusted Certification Authorities (CA) at the top of the signature chain. Their certificates are not countersigned, but are distributed in a (presumably) secure way and are for all practical purposes "built into the system".
- Third, a digital signature, even if deemed "OK", is no guarantee the the message or software package won't harm your computer. Even bonafide developers can make mistakes, but worse still, an unscrupulous person can fairly easily create his own certificate and use it to sign some piece of malicious software. Although the certificate will probably not be countersigned by a trusted Certification Authority, chances are that a good number of recipients will fall for the ruse and assume that everything is OK if the signature is; what do they know or care about Certification Authorities and other intricacies of digital signatures after all?
Here is how to check the InstallMate distribution signature.
- In Windows Explorer, navigate to the InstallMate distribution package. That is not the Tin.exe file or any of the other files in the InstallMate program folder; it's the tin7.exe file that you downloaded from our web site.
- Select the file, then press Alt+Enter to open its Properties dialog.
- Click on the tab Digital Signatures, then see if Tarma Software Research Ltd appears in the Signature list (it should be the only name in the list).
- Select our name, then click the Details button to open the Digital Signature Details dialog.
- Underneath the heading Digital Signature Information, it should say: This digital signature is OK. If it does not, someone has tampered with the file, or it has become damaged at some point between leaving our development system and arriving on your computer, or even while sitting on your computer.
- If you are curious, click the View Certificate button for further details.
Note: If you followed the above procedure but did not see a Digital Signatures tab, then either someone removed the signature from our distribution file, or your version of Windows doesn't have the required security updates installed. In either case, you're none the wiser.
To attach a digital signature to an electronic message or software package, you need an electronic certificate that confirms who you are, plus a few other things. Tarma Software Research obtained its certificate from Thawte Consulting CC, a Certification Authority with its headquarters in South Africa. They in turn verified our business credentials and identity, then generated and signed a certificate for us. Because Thawte is a top-level CA, their root certificate is distributed with Windows and Windows updates, which in turn allows you to double-check everything. That is, if you remember to...
If you just need a certificate for testing or gaining experience with digital signatures, you can generate your own certificates with tools that Microsoft provides. They are not countersigned and should not be used for software publishing, but can serve for in-house experiments. See For further information below for the details.
Digital signatures do not solve any major software problems and introduce a few of their own. Whether or not you want to use them, is up to you to decide, or maybe the organization you work for doesn't leave you any choice in the matter. In any case, Tarma Software Research signs its public software distributions on the ground that it probably will increase customer confidence. And to make our own life a bit easier, we have added digital signature support to InstallMate; now all we have to remember is our private key password...
InstallMate relies on a number of Microsoft tools to sign your Setup package. Specifically, it runs the SignTool program to do the actual signing. Manual use of SignTool is fairly involved, so InstallMate tries to make things easier by feeding it the information it needs without your explicit involvement. The only point at which your input is required, is when SignTool needs your private key password; for security reasons, InstallMate never deals with that part of the signing process.
The information that InstallMate communicates to SignTool can be subdivided into two broad categories.
- Project-independent information includes those options that rarely vary from project to project, such as the location of your credentials (certificate), your private key storage, and a few other things. The project-independent information is entered (hopefully) once in the Preferences - Code signing dialog, then reused each time you sign a distribution file, regardless of the project.
- Project-specific information comprises the title of your application and the optional web site URL for support information, this being the only two extra items that SignTool will add to the signature. You do not have to enter them separately; InstallMate automatically extracts them from the corresponding information in your project.
To sum up then, once you have set the SignTool options in InstallMate, the rest is automatic. When SignTool runs, InstallMate captures the output messages from SignTool and redirects them to a file called SignCode.log in the configuration's folder. The messages are also sent to the Diagnostic Messages Area and the log file, so they form part of your project's audit trail. Finally, InstallMate checks the exit code that SignTool returns, in order to determine if the signing process was successful.
Microsoft's implementation of digital signatures on Windows is updated regularly. Therefore, your first port of call should be the Microsoft developer's web site if you want to know more about digital signatures under Windows, or need to download their tools. Because their web site also changes with some regularity, your best bet is to use Microsoft's or other web search facilities to locate the information that you are after.
Go to http://msdn.microsoft.com or use an independent web search engine to search for keywords and phrases like:
Authenticode, Code signing, Digital signatures, SignCode, MakeCert
To obtain a certificate suitable for software publishing, contact a Certification Authority. Again, the easiest method to find one might be to use a web search engine to search for one or more of the following phrases:
Certification Authority, SPC, Software Publishing Certificate