authenticode

Trying to get my head around authenticode code-signing and strong-naming. Am I right in thinking that if I code-sign an exe that references a few dlls (not strong named) that a malicious user could replace my DLLs and distribute the app in a way that appears as if it's signed by me, but is running their code? Assuming that's true, it seems like you wouldn't really want to sign a .NET app without strong-naming the whole thing, otherwise you're giving people the ability to execute code under the guise of an app you wrote? The reason I'm unsure, is that none of the articles I found online

I have a program which is used by a large number of people who are not always super computer savvy. I want to make sure that rather than having my executable say it is from an unknown author that it says it was signed by me. As far as I know this can be done with Microsoft Authenticode. I understand I need a certificate to do this and was looking for one at a reasonable price. I stumbled upon the page Microsoft Authenticode Certificates . It looks like GlobalSign has everything I need. What is the experience with certificates from them or is there a better company? Are there any good tutorials

I'm trying to write a C# program that verifies the digital signature of exe's. The exe's are signed with an authenticode certificate, and I want to detect tampering. I've been able to create a SignedCms instance as described here: Get timestamp from Authenticode Signed files in .NET I assumed SignedCms.CheckSignature would do the trick, but this method never throws an exception... Even not when I modify some bits of the exe... David Pope I'm assuming you've scoured the .NET Framework docs and didn't find what you needed. The answer to this StackOverflow question has a link that describes how

We recently tried out digitally signing our .NET binaries. We have a Windows Service which typically starts up within 10 seconds. However after we started digitally signing it, the time increased to around 20-30 seconds. Googling led to me this: http://support.microsoft.com/kb/936707 which basically says that I have to set generatePublisherEvidence to false. But the description of generatePublisherEvidence on MSDN points to the fact that this is not applicable for .NET 4. Still I tried out this setting and it did work. I double checked that my binaries do target .NET 4. Can someone please

My company purchased a Driver Signing Certificate from Go Daddy. I used it to sign a simple INF file that is a driver for some of our USB devices that use Microsoft's usbser.sys. Everything seems to work on the Windows 7 64-bit computer where I signed it: if I right-click on the INF file and select "Install" then the second warning I see is this good warning that shows the correct Publisher name: However, if I go to a different computer (Windows Vista 64-bit), right click on the INF file, and select "Install", then I get this error message instead: This makes me think that my drivers are not

We need to dual sign our binaries with SHA1 and SHA2 using signtool.exe, our certificate supports 256-bit SHA2. Using the Windows 8 SDK's signtool: e.g.: signtool.exe sign /as /fd sha256 /t http://timestamp.verisign.com/scripts/timstamp.dll /f "certificate.pfx" /p XXXXXXX "file.dll" (where XXXXXXX is our password for the certificate) fails with the cryptic error: SignTool Error: SignedCode::Sign returned error: 0x80070057 The parameter is incorrect. SignTool Error: An error occurred while attempting to sign: file.dll Signing without a timestamp works, signing individually as SHA1 or SHA256

I'm trying to sign an ActiveX control with a code signing certificate issued by Thawte. I was able to successfully sign the control using signtool.exe. When I look at the file properties, it says "The certificate in the signature cannot be verified." When I view the certificate it says "Windows does not have enough information to verify the certificate." On the certification path tab, it says "The issuer of this certificate cannot be found." In internet explorer, the certificate is recognized as signed but the user receives warnings that the publisher is not verified. I've tried creating a