Authenticode Digital Signing

Posts: 4
Joined: 24 Mar 2020 - 13:14
Authenticode Digital Signing

Hi Mysterious Creator,

I absolutely love VirtualMIDISynth.  Thank you for the effort, obvious passion, and care you've put into it.

Because VirtualMIDISynth is interacting with operating system objects normally not interacted with by normal freeware/shareware, it is detected as a threat by a good portion of the antimalware community as visible on VirusTotal.

As an employee of one of the major security vendors, I would like to suggest something that will quickly allow someone to flag CoolSoft software as non-threatening (non-malware).

As of now, 2020, digitally signing software with Authenticode signatures is a must-for-trust.  This allows the assessment of threat-level to be tied directly to the vendor and an override of a threat detection to be created.

I have submitted VirtualMIDISynth for analysis in order to achieve non-malware status at my employer, but I can do so only based upon the current file version because there is no digital certificate.  As soon as the software is updated, the status override is no longer useful.

In particular, MIDIMapper.Configurator.Proxy.exe is currently detected as malware, but frankly any of the PEs (.exe or .dll) involved in VirtualMIDISynth can be signed by a single certificate and therefore be cleared by reputation of the digital certificate.

If for any reason a security vendor does not clear your digital certificate, the digital certificate is still useful because an individual user can clear CoolSoft software, themselves, using that digital certificate.

In order to further an audience otherwise scared away from VirtualMIDISynth by their antimalware software, I hope that you are willing to Authenticode-sign your software.

Thanks, again, for such a wonderful product bringing great sound into my tech den!  :)

Posts: 1816
Joined: 25 Mar 2012 - 01:19
Re: Authenticode Digital Signing

I somehow missed this thread, and I'm very sorry ;)

I agree that digitally signing binaries is the way to go... but it costs too much for a single developer making free software only.
I have no income from my free work (other than a few bucks from ADs, that actually most people remove with AdBlockers and such...).

So spending $200+/yr for a certificate is something I really don't like to do, since I don't make money out of it.

WarsawPact wrote:
As an employee of one of the major security vendors...
Maybe you could help me clear my doubts about self-signed certificates:

  • How are they considered by AV vendors?
  • Could they add them to their signature DBs, or is this not possible at all (as I suppose...)?
  • Will it only help end-users to flag CoolSoft software as safe (or safer)?

Thanks for your help.

Posts: 4
Joined: 24 Mar 2020 - 13:14
Re: Authenticode Digital Signing

Apologies for my tardiness.  I blame Covid!  :)

Self-signing allows for any good security suite to whitelist the software based on any affixed certificate - self-signed or not.  That 'should' work for a lot of business antimalware suites, and perhaps even some consumer ones.  It would work for the one which I am an employee of.  The key is to remember to affix the self-signed certificate to all PEs (.exe, .dll, .ocx, etc.) of the product, not just the main .exe.

There are two ways to do it.  You could sign it, or you could allow end users to assign their own certificate to it.

Some software authors do a self-validation at runtime and will exit if someone else's signature is affixed to the PE (here's looking at you, unsigned baretail.exe!), so it also depends upon whether you do any self-validation.  There may be legal reasons why you would not want to allow users to affix their own certificate to it, though, so thanks to lawyers you might be inclined to disallow foreign signatures to be affixed to your software.

In Windows, someone might write a certificate catalog to overcome even that, but now we're going beyond the scope of normalcy.

Concerning expense, Comodo has code-signing certificates for ~$85/year, but if that's too expensive then self-signing the binaries would be enough to satisfy the needs of a good security suite.

May I offer to pay for the Comodo certificate for you?  Perhaps that might serve as my recompense to you for all your continuing efforts creating, sustaining, and enhancing your fantastic software.  It would likely stop many, if not all, antimalware suites from flagging your software because the certificate would chain to a trusted root at that point.  That would serve the needs of both business and consumer antimalware software without the need to whitelist anything, especially for Joe User who doesn't understand security...
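The advice above (sign every PE of the product, not only the main .exe, and let the security suite key its whitelist on the certificate) maps onto a small release step. The following PowerShell is an added example, not CoolSoft's build script and not code from the thread; the product folder, the signer thumbprint and the timestamp server are placeholders/assumptions, and the certificate is assumed to be installed with its private key in the current user's personal store.

```powershell
# Added example (not CoolSoft's build script): sign every PE of a product with one
# code-signing certificate, then re-verify each file so nothing ships unsigned.
# Placeholders: product folder, signer thumbprint, timestamp server.

$ProductDir       = 'C:\build\VirtualMIDISynth'          # placeholder: folder with the built PEs
$SignerThumbprint = 'PUT-YOUR-SIGNING-CERT-THUMBPRINT'   # placeholder: cert in Cert:\CurrentUser\My
$TimestampServer  = 'http://timestamp.digicert.com'      # RFC 3161 server; assumed reachable

# -CodeSigningCert keeps only certificates that carry the Code Signing EKU and have a private key.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object Thumbprint -eq $SignerThumbprint
if (-not $cert) { throw "No code-signing certificate $SignerThumbprint in Cert:\CurrentUser\My" }

# Authenticode applies to every PE image: include .dll and .ocx, not just the main .exe.
$peFiles = Get-ChildItem -Path $ProductDir -Recurse -File -Include *.exe, *.dll, *.ocx

$report = foreach ($file in $peFiles) {
    # SHA-256 signature with the whole chain embedded, so a verifier that trusts the issuing
    # CA can build the path from the file alone. The timestamp keeps the signature valid
    # after the certificate itself expires.
    $null = Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $cert `
                -HashAlgorithm SHA256 -IncludeChain All -TimestampServer $TimestampServer

    # Re-read the signature from disk instead of trusting the return value of the signing call.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        File      = $file.Name
        Status    = $sig.Status                        # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer    = $sig.SignerCertificate.Thumbprint
        TimeStamp = $sig.TimeStamperCertificate.Subject
        Message   = $sig.StatusMessage
    }
}

$report | Format-Table -AutoSize

# Fail the release if any PE is unsigned, tampered, or signed by a different certificate.
# Caveat: with a self-signed certificate whose root is not yet trusted on this machine,
# Status is 'UnknownError' (root not trusted by the trust provider) rather than 'Valid';
# that is expected and is not treated as a failure here, the signer check still applies.
$bad = $report | Where-Object {
    $_.Status -eq 'NotSigned' -or $_.Status -eq 'HashMismatch' -or $_.Signer -ne $cert.Thumbprint
}
if ($bad) { $bad | Format-List; throw "$($bad.Count) file(s) are not correctly signed" }
```

The point of the second pass is the one made in the post: a reputation override keyed on a certificate only helps for files that actually carry that certificate, so the check compares every file's signer thumbprint against the intended one rather than just asking "is it signed".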

Posts: 1816
Joined: 25 Mar 2012 - 01:19
Re: Authenticode Digital Signing
WarsawPact wrote:
I blame Covid! :)

Me too, I hope you're well 😉

I've not abandoned my will to sign/self-sign my binaries, just only lowered its priority because latest versions of VMS almost stopped being flagged as malicious.
Version 2.11.0 (the latest available today) is flagged by only 1/68 AV engines (https://www.virustotal.com/gui/file/14ae374547b39cb8b2c6332de140a4d89357...).
So the issue has reduced since the start of this thread (but I'm aware it could get back again in the future).

WarsawPact wrote:
Some software authors do a self-validation at runtime and will exit if someone else's signature is affixed to the PE

I'm not actually doing such a test, so you're free to attach your own signature as long as you keep your signed PEs for your private use.
Anyway, I'm going to test self-signature on the next version (1.12, actually in beta stage).
Will release a new beta soon, with self-signature attached; stay tuned...

WarsawPact wrote:
May I offer to pay for the Comodo certificate for you?  Perhaps that might serve as my recompense to you for all your continuing efforts creating, sustaining, and enhancing your fantastic software.

Thanks for your offer but... paying a third party (like Comodo, VeriSign and others) for something I won't ever get money from is something I really don't like to do.
More generally speaking, I don't like to pay to offer my software for free.
Let's see if/how self-signature works before, ok? 😉

Posts: 1816
Joined: 25 Mar 2012 - 01:19
Re: Authenticode Digital Signing

I've just published VirtualMIDISynth 2.12.0, the first one signed with my new self-signed certificate.

More info here: https://coolsoft.altervista.org/en/code-signing

Please check it out and give your feedback.

Posts: 4
Joined: 24 Mar 2020 - 13:14
Re: Authenticode Digital Signing

Because VirtualMIDISynth 2.12.0 is now signed I am able to clear its reputation within my own enterprise operations, thank you very much!  8-)

I did notice, however, after downloading the .zip file with its certificate and the new VirtualMIDISynth 2.12.0, the VirtualMIDISynth product appears to have a different self-signed certificate than the .zip:

■ .zip
Subject Name:  C=IT, S=Italy, L=Italy, O=CoolSoft Certification Authority (self-signed), CN=CoolSoft Certification Authority (self-signed), E=[email protected]
Serial No.:  371b744404401192b1f813cc27b2e11a5d329994
Thumbprint:  e9c576bfe77e19873e22b938a0c7f45b6c243e91

■ VirtualMIDISynth 2.12.0:
Subject Name:  C=IT, S=Italy, L=Italy, O=CoolSoft, CN=Claudio Nicora (CoolSoft), E=[email protected]
Serial No.:  46017bd1c21bb1aca1a48092029becb257c824cb
Thumbprint:  99b00e0aab1a1750dc3beb6fa17402321256d6b5

Is the current VirtualMIDISynth 2.12.0 product certificate to be replaced in a future version with the .zip certificate?  I have currently cleared the reputation only of the VirtualMIDISynth 2.12.0 product certificate since that certificate is what will be evaluated when the software runs...

Posts: 1816
Joined: 25 Mar 2012 - 01:19
Re: Authenticode Digital Signing

In the zip file I've included the self-signed CA (Certification Authority) certificate (371b7444...) I've used to sign "my own, personal" certificate (46017bd1...), used to sign VirtualMIDISynth binaries.

If you add that certificate (the CA one) to Windows Trusted Certification Authorities repository, then all of my other certificates will appear as trusted, because they were signed by a "trusted" CA.
Doing so, when you double-click on VMS setup, Windows will show you a Blue Yes-No dialog containing my name as the author of the binary, instead of the Yellow Yes-No dialog shown when the certificate is not recognised.

If you only need to trust the signer of binaries, it's fine to trust only the author certificate (46017bd1...) 👍
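The two-certificate layout described in this reply (a self-signed CA certificate shipped in the .zip, and a separate author certificate issued by that CA that actually signs the binaries) is easy to misread from the certificate dialog alone, as the earlier post shows. The following PowerShell is an added example, not CoolSoft's procedure and not code from the thread: it rebuilds the same layout with placeholder subjects, signs a placeholder binary with the author certificate, and reports what Windows says about that binary before and after the CA is added to the Trusted Root store, including the issuer relationship and the certification path. Paths and subjects are assumptions; it writes to LocalMachine\Root, so it needs an elevated PowerShell.

```powershell
# Added example, not CoolSoft's own procedure: a self-signed CA that issues the author's
# code-signing certificate, a binary signed with the author certificate, and the trust
# state of that binary before/after the CA is trusted. Subjects and paths are placeholders.

$Binary    = 'C:\build\VirtualMIDISynth.exe'        # placeholder: any PE you are allowed to sign
$CaCerFile = Join-Path $env:TEMP 'example-ca.cer'   # the public CA cert, i.e. what goes in the .zip

# 1. The CA certificate: self-signed, marked as a CA, allowed only to sign certificates/CRLs.
$ca = New-SelfSignedCertificate -Subject 'CN=Example CA (self-signed)' `
        -CertStoreLocation Cert:\CurrentUser\My -KeyUsage CertSign, CRLSign `
        -KeyLength 4096 -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(10) `
        -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0')

# 2. The author certificate: issued by the CA (-Signer), restricted to the Code Signing EKU.
$author = New-SelfSignedCertificate -Subject 'CN=Example Author (Example Org)' -Signer $ca `
        -Type CodeSigningCert -CertStoreLocation Cert:\CurrentUser\My `
        -KeyLength 2048 -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(3)

# 3. Sign the binary with the author certificate and embed the chain (this is what users get).
$null = Set-AuthenticodeSignature -FilePath $Binary -Certificate $author -HashAlgorithm SHA256 -IncludeChain All

# 4. Export the CA certificate, public part only; this is the file to distribute alongside the product.
$null = Export-Certificate -Cert $ca -FilePath $CaCerFile

function Get-SignerTrustState {
    param([string]$Path, [string]$Stage)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Build the certification path the way the certificate dialog's "Certification Path" tab does.
    # The CA is offered as an extra (untrusted) candidate so the path can be built either way;
    # Build() still returns $false while the path ends in a root that is not trusted.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.ChainPolicy.ExtraStore.Add($ca)
    $chainOk = $chain.Build($sig.SignerCertificate)
    [pscustomobject]@{
        Stage    = $Stage
        Status   = $sig.Status                      # UnknownError before trusting the CA, Valid after
        Signer   = $sig.SignerCertificate.Thumbprint
        IssuedBy = $sig.SignerCertificate.Issuer    # equals the CA subject: that is the link between the two certs
        ChainOk  = $chainOk
        Path     = ($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }) -join ' <- '
        Message  = $sig.StatusMessage
    }
}

$before = Get-SignerTrustState -Path $Binary -Stage 'before trusting CA'

# 5. Trust the CA only. Every certificate it issued now chains to a trusted root.
$null = Import-Certificate -FilePath $CaCerFile -CertStoreLocation Cert:\LocalMachine\Root

$after = Get-SignerTrustState -Path $Binary -Stage 'after trusting CA'
$before, $after | Format-List

# The relationship the earlier question was about: the signer is not the CA, it is issued by the CA.
if ($after.Signer -eq $ca.Thumbprint)  { throw 'The binary should be signed by the author cert, not the CA' }
if ($after.IssuedBy -ne $ca.Subject)   { throw 'The author certificate is not issued by the CA' }
```

In the thread's terms, $ca plays the role of the certificate shipped in the .zip and $author the certificate found on the binaries: their thumbprints differ by design, and the Issuer field of the signer is what ties them together. Whether an organisation whitelists on the CA (covering every certificate it issues) or on the author certificate alone (as the reply says is fine) is a policy choice; the example reports both thumbprints so either can be pinned. For a real release the CA private key should be kept off the build machine; here both keys are created in one store purely to keep the example self-contained.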

Posts: 4
Joined: 24 Mar 2020 - 13:14
Re: Authenticode Digital Signing

Hey, no worries, my mistake.  When I first looked at the code-signing cert I didn't notice that it is, indeed, chained to your root.  Looking at the Certification Path dialog, a certificate that chains to a trusted root will always show the full path.  Because I had not yet added your CA it didn't list the chain, broken or not, at all.  That visually threw me for a loop.  Upon closer inspection, the General tab indeed shows your CA as the parent certificate.  Thank you so much, though the CA does not chain to a known CA it is still enough to whitelist VMS and anything else you may sign.  Superb, Sir!  8-)