Authenticode Digital Signing

Posts: 2
Joined: 24 Mar 2020 - 13:14
Authenticode Digital Signing

Hi Mysterious Creator,

I absolutely love VirtualMIDISynth.  Thank you for the effort, obvious passion, and care you've put into it.

Because VirtualMIDISynth is interacting with operating system objects normally not interacted with by normal freeware/shareware, it is detected as a threat by a good portion of the antimalware community as visible on VirusTotal.

As an employee of one of the major security vendors, I would like to suggest something that will quickly allow someone to flag CoolSoft software as non-threatening (non-malware).

As of now, 2020, digitally signing software with Authenticode signatures is a must-for-trust.  This allows the assessment of threat-level to be tied directly to the vendor and an override of a threat detection to be created.

I have submitted VirtualMIDISynth for analysis in order to achieve non-malware status at my employer, but I can do so only based upon the current file version because there is no digital certificate.  As soon as the software is updated, the status override is no longer useful.

In particular, MIDIMapper.Configurator.Proxy.exe is currently detected as malware, but frankly any of the PEs (.exe or .dll) involved in VirtualMIDISynth can be signed by a single certificate and therefore be cleared by reputation of the digital certificate.

If for any reason a security vendor does not clear your digital certificate, the digital certificate is still useful because an individual user can clear CoolSoft software, themselves, using that digital certificate.

In order to further an audience otherwise scared away from VirtualMIDISynth by their antimalware software, I hope that you are willing to Authenticode-sign your software.

Thanks, again, for such a wonderful product bringing great sound into my tech den!  :)

Posts: 1770
Joined: 25 Mar 2012 - 01:19
Re: Authenticode Digital Signing

I somehow missed this thread, and I'm very sorry ;)

I agree that Digitally Signing binaries is the way to go... but it costs too much for a single developer making free software only.
I have no income from my free work (other than a few bucks from ADs, that actually most of people remove with AdBlockers and such...).

So spending $200+/yr for a certificate is something I really don't like to do, since I don't make money out of it.

WarsawPact wrote:
As an employee of one of the major security vendors...
Maybe you could help me clearing my doubts about self-signed certificates:

  • How are they considered by AV vendors?
  • Could they add them to their signatures DBs or this is not possible at all (as I suppose...)?
  • Will it only help end-users to flag CoolSoft software as safe (or safer)?

Thanks for your help.

Posts: 2
Joined: 24 Mar 2020 - 13:14
Re: Authenticode Digital Signing

Apologies for my tardiness.  I blame Covid!  :)

Self-signing allows for any good security suite to whitelist the software based on any affixed certificate - self-signed or not.  That 'should' work for a lot of business antimalware suites, and perhaps even some consumer ones.  It would work for the one which I am an employee of.  The key is to remember to affix the self-signed certificate to all PEs (.exe, .dll, .ocx, etc.) of the product, not just the main .exe.

There are two ways to do it.  You could sign it, or you could allow end users to assign their own certificate to it.

Some software authors do a self-validation at runtime and will exit if someone else's signature is affixed to the PE (here's looking at you, unsigned baretail.exe!), so it also depends upon whether you do any self-validation.  There may be legal reasons why you would not want to allow users to affix their own certificate to it, though, so thanks to lawyers you might be inclined to disallow foreign signatures to be affixed to your software.

In Windows, someone might write a certificate catalog to overcome even that, but now we're going beyond the scope of normalcy.

Concerning expense, Comodo has code-signing certificates for ~$85/year, but if that's too expensive then self-signing the binaries would be enough to satisfy the needs of a good security suite.

May I offer to pay for the Comodo certificate for you?  Perhaps that might serve as my recompense to you for all your continuing efforts creating, sustaining, and enhancing your fantastic software.  It would likely stop many, if not all, antimalware suites from flagging your software because the certificate would chain to a trusted root at that point.  That would serve the needs of both business and consumer antimalware software without the need to whitelist anything, especially for Joe User who doesn't understand security...
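The "sign every PE, then let users whitelist the certificate" procedure from this post, as an added PowerShell example that is not CoolSoft's or the poster's code; the build directory and certificate subject are assumptions:

```powershell
# Added example: create (or reuse) a self-signed code-signing certificate, apply it
# to every PE (.exe/.dll/.ocx) under a build folder, then verify the result.
# $BuildDir and $Subject are assumed values; adjust them to your own tree.
param(
    [string]$BuildDir = "C:\build\VirtualMIDISynth",          # assumed PE location
    [string]$Subject  = "CN=CoolSoft Self-Signed Code Signing" # assumed subject
)

# Reuse an existing certificate with this subject if present, otherwise create one.
# -Type CodeSigningCert sets the Code Signing EKU that Authenticode requires;
# the private key stays in the current user's personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -eq $Subject } | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
                -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddYears(3)
}
Write-Host "Signing with certificate thumbprint $($cert.Thumbprint)"

# Sign every PE, not only the main executable (the point made in the thread).
$pes = Get-ChildItem -Path $BuildDir -Recurse -Include *.exe,*.dll,*.ocx -File
foreach ($pe in $pes) {
    # SHA-256 file digest. A -TimestampServer would keep the signature valid after
    # the certificate expires, but it is omitted so this runs offline.
    $sig = Set-AuthenticodeSignature -FilePath $pe.FullName -Certificate $cert `
               -HashAlgorithm SHA256
    # A self-signed certificate does not chain to a trusted root, so Windows reports
    # a non-Valid status (typically UnknownError with an "untrusted root" message).
    # The signature is still attached; its thumbprint is what a vendor or an end
    # user can whitelist, or trust by importing the cert into Trusted Publishers.
    "{0,-45} {1,-14} {2}" -f $pe.Name, $sig.Status, $sig.StatusMessage
}

# Verification pass: flag any PE that is unsigned or carries a different signer.
Get-ChildItem -Path $BuildDir -Recurse -Include *.exe,*.dll,*.ocx -File |
    ForEach-Object {
        $s = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($s.Status -eq 'NotSigned' -or
            $s.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
            Write-Warning "Not signed by our certificate: $($_.FullName)"
        }
    }
```

The same `Get-AuthenticodeSignature` check is what an end user or an AV product can use to match a file against a known signer thumbprint rather than against a per-version file hash.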

Posts: 1770
Joined: 25 Mar 2012 - 01:19
Re: Authenticode Digital Signing
WarsawPact wrote:
I blame Covid! :)

Me too, I hope you're well 😉

I've not abandoned my will to sign/self-sign my binaries, just only lowered its priority because latest versions of VMS almost stopped being flagged as malicious.
Version 2.11.0 (the latest available today) is flagged by only 1/68 AV engines (https://www.virustotal.com/gui/file/14ae374547b39cb8b2c6332de140a4d89357...).
So the issue has reduced since the start of this thread (but I'm aware it could get back again in the future).

WarsawPact wrote:
Some software authors do a self-validation at runtime and will exit if someone else's signature is affixed to the PE

I'm not actually doing such a test, so you're free to attach your own signature as long as you keep your signed PEs for your private use.
Anyway, I'm going to test self-signature on the next version (1.12, actually in beta stage).
Will release a new beta soon, with self-signature attached; stay tuned...

WarsawPact wrote:
May I offer to pay for the Comodo certificate for you?  Perhaps that might serve as my recompense to you for all your continuing efforts creating, sustaining, and enhancing your fantastic software.

Thanks for your offer but... paying a third party (like Comodo, VeriSign and others) for something I won't ever get money from is something I really don't like to do.
More generally speaking, I don't like to pay to offer my software for free.
Let's see if/how self-signature works before, ok? 😉