simplewall
simplewall copied to clipboard
henrypp
Add a Digital Signature to Executables(Installer and other exe's)
Add a Digital Signature to Executables(Installer and other exe's),
like this:
You can use SignTool.exe (the tool is automatically installed with some installation of Visual Studio, if your version does not include the tool you can download it by downloading Windows SDK at: https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk). you can read more about the tool here: https://docs.microsoft.com/en-us/dotnet/framework/tools/signtool-exe
before you can use the tool you need to create a Certificate , follow this guide: https://docs.microsoft.com/en-us/windows/uwp/packaging/create-certificate-package-signing
*please notice that after this step a new certificate will be added to your local certificate store
after this creating and exporting the Certificate, use this guide to sign the exe: https://docs.microsoft.com/en-us/windows/desktop/seccrypto/using-signtool-to-sign-a-file
after this you will receive a signed exe:
looking in signed exe cert details:
If you want you can use one of "Microsoft Trusted Root Certificate Program: Participants" to sign your certificate(i don't think they are signing for free) - so you will be trusted by a Trusted Root Certificate(you will not have the red cross in the "Digital Signature Details"): https://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants.aspx
i don't think they are signing for free
Yeah, me too ;)
Microsoft Trusted Root Certificate Program
Anyone else? I don't want to sponsor worldwide monopoly.
Self-signed certificates are untrusted by all. It's same thing as .exe without certificate. But some signers do free certificates for open source software.
Do you know who sign open source projects for free? It could be useful for other open source projects i am involved in.
@baMain,
- Certum has been free for opensource, but now it cost has €28.00.
- Process Hacker used contributed kernel-driver certificate from ReactOS project, but i dont know user-mode signature is from.
@wj32, @dmex, @XhmikosR - can you share with us about information, where you give signature for your Process Hacker and other projects?
IIRC ReactOS signed the kernel drivers for Process Hacker. For simple programs the certs aren't so expensive, though. I personally bought a cert from DigiCert when Certum's stopped being free.
@XhmikosR, i think Certum is cheaper than DigiCert (for opensource of course).
@henrypp
ReactOS signed the kernel drivers for Process Hacker
At first ReactOS signed the Process Hacker driver (including a few other open source projects) years ago but we've been using @wj32 's certificate since 2010 and they've since discontinued driver signing.
https://reactos.org/wiki/index.php?title=Driver_Signing&oldid=34012 https://reactos.org/wiki/Driver_Signing
@henrypp, Would you re-consider this ticket? I recognize your concern regarding monopoly support, however in lieu of circumstances, it is probably safer for end-users to have an application signed with a certificate recognized by the OS.
Happy to sponsor the purchase if that is of any help.
Rahmet/spasibo/etc.
Hi, seems like Windows made another hurtful change these days. I was happily using Simplewall until today. Now Windows throw an error saying it cannot verify Simplewall signature. This is brand new, the program loads but the rules are not loaded or remembered anymore. The specific error is:
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
Status: -1073740760 (0xC0000428)
Of course I did not make any change to the hardware and Simplewall was working flawlessly until today. The latest change was last week, when I did upgrade to Windows 11 23H2, but this Windows annoyance did not appear until today (rebooted several times during the past days). I already tried to downgrade to version 3.75 manually, hopping it was an error with the last release, but the error persist
Ok, quick workaround. Telling the installer to use the portable mode (to store settings in the program directory), avoids the previously shown error. I will need to create all rules again, but at least it is not complaining about not being able to read the profile as it was doing earlier. Not ideal, but at least works and remember the rules (it was not doing it until installing it as portable). Yet another Windows annoyance.
@Apollyon69 sw has NO digital signature, so error like that i did not know where you get...
I understand there is no digital signature, and I'm happily using simplewall for quite some time. Both with Windows 10 as with 11, with almost no issues until today, when the previously mentioned error appeared at startup, out of the blue, and every time simplewall started, not remembering any rule (old or new). I didn't change anything recently in this computer. The last patch deployed was the 23H2 update, 10 days ago (I just checked to be sure). Fortunately, reinstalling and switching to portable mode made the rules to persist, with no secondary issues (except having to set all rules again). Yet another Windows mystery. Thank you for the product, it's really useful for me, easy on resources and does exactly what I need (stop silent, unauthorized programs phoning home for no good reason)
Hi @henrypp, pls reconsider signing this great app. Signing it has significant advantages for you as a developer and for the users:
- less false positives of SAC, ISG and AVs, thus less support effort/time needed to deal with it
- less incompatibilities with some security group policies (e.g. "User Account Control: Only elevate executable files that are signed and validated"). I just stumbled upon this issue and others might as well.
- less effort and more security for users dealing with application control (e.g. WDAC), so they don't need to create new hash rules on each update and make their system more vulnerable during update
- better reputation for the software. Without a signature some security focused users might not even consider using it
- guarantees about integrity, authenticity, and non-repudiation as long as the private key has not been compromised
All of that for relatively little money. You can use the Microsoft Store to distribute and sign it, like Mozilla and KDE do, or get a certificate through other means. A MS Store developer account for individuals is only 19USD one time.
Thank you and best regard
@PhysicsIsAwesome any OSS free (or not more than 20$) sign feature available, give me example?
@PhysicsIsAwesome any OSS free (or not more than 20$) sign feature available, give me example?
I don't know of any cheaper offer than MS Store. What's wrong with using it?
@PhysicsIsAwesome even dont know wtf and where to get
Well, I offered you the only option in this price range. What did you expect?
You can sign up for Microsoft's ACS for $10/m which is the cheapest certificate and it's the only supported signer for uiaccess and integritycheck going forward.
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/azure-code-signing-democratizing-trust-for-developers-and/ba-p/3604669
Howto: https://github.com/koaladsp/KoalaDocs/blob/master/azure-code-signing-for-plugin-developers.md
According to https://www.advancedinstaller.com/msix-publish-microsoft-store.html MS Store can sign your application for free and you only have to pay the registration fee for a developer (19$)
@dmex
So! Clock is ticking. Do we have any indication on when Azure Code Signing will be generally available?
The pricing plan of Azure Code Signing is currently unknown and it is expected that this will be revealed somewhere in 2024. We expect the pricing to be reasonable, as it concerns a fundamental service for many Microsoft Windows developers.
lol
i think cosign is better, because he exists, just required to be make sense of
