How to? - Self Signed Code Signing Certificate and Certificate Store

Hi everyone,

My Code Sign certificate is due for renewal next month.
I had a quick look, and a 3-year certificate via Setup Builder will cost ±R14 000.00.
The last certificate 3 years ago was ±R4 000.00.
This new type of certificate seems to me like one big money grabbing scheme.

Is there a way to create my own self signed code sign certificate?
Then run a small program on my users' machines and register this self-signed certificate in their certificate store so it would be trusted?

Any ideas and advice would be appreciated.

Regards

Johan de Klerk

Hi,
I create self-signed certificates for SSL all the time, and you can add them to the store. Usually I set them to expire in 10 years. I do not know anything about code signing, so maybe it is different. Check if this helps: How To Create a Self-Signed SSL Certificate for Nginx in Ubuntu 20.04 | DigitalOcean
hth
Nenad

Hi Nenad,

Thanks for your reply.
However yours is for web.
The code signing certificate is for signing application files (EXEs, etc.).

Regards
Johan de Klerk
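The procedure the question asks about, written out as an added example (not code from anyone in this thread): create a self-signed code-signing certificate on the build machine, sign the EXE with it, and trust the public certificate on a user's machine so Windows reports the signature as valid. The subject name, file paths and the DigiCert timestamp URL are assumptions; it needs Windows 10 / Server 2016 or later (the PKI module) and an elevated prompt for the LocalMachine stores.

```powershell
# Added example, not from the original thread. Assumed: subject 'CN=Johan de Klerk Software',
# C:\Build\MyApp.exe as the file to sign, C:\Dist and C:\Secure as output folders.

# --- Build machine: create the certificate; the private key stays in CurrentUser\My ---
$cert = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -Subject 'CN=Johan de Klerk Software' `
    -KeyAlgorithm RSA -KeyLength 3072 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# Export only the public certificate; this is the file that ships to users.
Export-Certificate -Cert $cert -FilePath 'C:\Dist\MyAppCodeSign.cer' | Out-Null

# Back up the private key as a password-protected PFX and keep it off the distribution media.
# (Use -KeyExportPolicy NonExportable above if you would rather have no exportable copy at all.)
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath 'C:\Secure\MyAppCodeSign.pfx' -Password $pfxPassword | Out-Null

# Sign the build output. The timestamp keeps the signature verifiable after the certificate expires.
Set-AuthenticodeSignature -FilePath 'C:\Build\MyApp.exe' -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'

# --- User's machine (run elevated, e.g. from the installer) ---
# Trust the certificate as a root and as a publisher; both stores matter for a clean result.
Import-Certificate -FilePath 'C:\Dist\MyAppCodeSign.cer' -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath 'C:\Dist\MyAppCodeSign.cer' -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

# Verify: Status is 'Valid' only after the import; before it, the chain ends in an untrusted root.
$sig = Get-AuthenticodeSignature -FilePath 'C:\Program Files\MyApp\MyApp.exe'
'{0}: {1} ({2})' -f $sig.Path, $sig.Status, $sig.SignerCertificate.Subject
```

Two caveats a practitioner would want stated. First, the signature is trusted only on machines where the import ran (elevated), so it does nothing for the download itself: SmartScreen reputation is built per certificate, a self-signed one starts with none, and AV products will not treat it as a known publisher. Second, placing your own certificate in LocalMachine\Root is a real trust decision for your users: anyone who obtains the private key can sign binaries those machines accept as yours, so guard the PFX and never put it in the installer.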

Hi!

My certificate is also expiring.

I have not been certifying my programmes for a few weeks now. So far there have been no problems.

Perhaps the hash code of the EXE and the DLLs should be enclosed?

Bernd

Hi Bernd,

You have me at a disadvantage here.
Please explain what you mean.

Regards
Johan de Klerk

Example:

msvcr90.dll
msvcr90.dll.md5

cdbe9690cf2b8409facad94fac9479c9 *msvcr90.dll

There is also a validation programme:
see WIN-SFV32

Luckily, anyone who modifies the DLL won’t know how to generate an MD5.


In my opinion, there is nothing to be said against checking the most important exe/dll when starting the programme.

I agree with that, but there is a false sense of security with this exercise, and more so when distributing both the EXE and the md5 together :).

Not saying that code signing is bulletproof either, but it’s more of a verifiable way to ensure that the source of the files was the entity that signed them. (But it’s still a racket, IMO.)
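An added example (not code from anyone in this thread) that makes the point above concrete. It parses a `.md5` sidecar in the `hash *filename` format Bernd shows, checks a file against it, and then shows that a tampered file plus a regenerated sidecar passes the same check; only a reference hash that did not travel with the file catches the change. The sample files are constructed under `$env:TEMP`; `msvcr90.dll` here is a stand-in blob, not the real DLL.

```powershell
# Added example, not from the original thread. Constructed sample data; file names are illustrative.

function Get-Md5Sidecar {
    # Parse the md5sum-style first line "cdbe9690... *msvcr90.dll" into hash and file name.
    param([string]$SidecarPath)
    $line = (Get-Content -Path $SidecarPath -TotalCount 1).Trim()
    if ($line -notmatch '^(?<hash>[0-9a-fA-F]{32})\s+\*?(?<name>.+)$') {
        throw "Malformed .md5 line in $SidecarPath"
    }
    [pscustomobject]@{ Hash = $Matches.hash.ToLowerInvariant(); Name = $Matches.name }
}

function Test-FileAgainstMd5 {
    # $true when the file's MD5 equals the reference; hex comparison is case-insensitive.
    param([string]$FilePath, [string]$ReferenceHash)
    $actual = (Get-FileHash -Path $FilePath -Algorithm MD5).Hash
    return ($actual -ieq $ReferenceHash)
}

$dir = Join-Path $env:TEMP 'md5demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$dll     = Join-Path $dir 'msvcr90.dll'      # constructed stand-in for the shipped DLL
$sidecar = Join-Path $dir 'msvcr90.dll.md5'

# Publisher: build the file and write the sidecar next to it, as in the thread.
[IO.File]::WriteAllBytes($dll, [byte[]](1..64))
$h = (Get-FileHash -Path $dll -Algorithm MD5).Hash.ToLowerInvariant()
Set-Content -Path $sidecar -Value "$h *msvcr90.dll" -NoNewline
$reference = Get-Md5Sidecar -SidecarPath $sidecar
'Pristine file, sidecar check:            {0}' -f (Test-FileAgainstMd5 $dll $reference.Hash)

# Attacker: whoever can replace the DLL can also rewrite the sidecar sitting beside it.
[IO.File]::WriteAllBytes($dll, [byte[]](64..1))
$h2 = (Get-FileHash -Path $dll -Algorithm MD5).Hash.ToLowerInvariant()
Set-Content -Path $sidecar -Value "$h2 *msvcr90.dll" -NoNewline
$tampered = Get-Md5Sidecar -SidecarPath $sidecar
'Tampered file, regenerated sidecar:      {0}' -f (Test-FileAgainstMd5 $dll $tampered.Hash)

# Defender: only a reference the attacker could not rewrite (compiled into the program,
# fetched from your own server) detects the swap.
'Tampered file, out-of-band reference:    {0}' -f (Test-FileAgainstMd5 $dll $reference.Hash)
```

The first two checks pass and only the third fails, which is the whole problem with a sidecar: it verifies that the file and the sidecar agree, not that either came from you. Two further limits apply even to an out-of-band reference: a value embedded in the EXE can be patched along with the DLL, and MD5 is collision-broken, so use SHA-256 (`Get-FileHash` defaults to it) if the check is kept at all. Integrity plus origin is exactly what a code signature provides and a hash file cannot.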

This is something done when learning or testing Code Signing.

If you Google “testing code signing with self signed certificate” you’ll find a bunch of results. Here are a few…

https://mmus.me/blog/certificates/

and many more…

Better:
The MD5 code should be stored securely (encrypted) or be retrievable via IP/REST.

Pretty sure this alternative was covered on the first day of planning the journey to designing the certificate authority infrastructure.

I think the OP wants normal code signing so that it can be used in all the typical ways everyone knows: the user can view it in Explorer, installs can be confirmed as signed, and AV programs can check it.