I want to upload my application to github so people could start aiding in it's development.
What issues should I be aware of? I know theres a matter or security...they would not be able to open the solution without the .pfx file right? But I've read that if people get access to your certificate that they could sign malware with your certificate.
How should I go about doing this?
You might want to look into delay signing.
Related
I'm developing C++ program. I generate a certificate from our PKI Solution configured in our company(Microsoft). I sign my .exe using the certificate(generated). But when I make my file on the server (internet) and download it, I have the problem of displaying SmartScreen.What should I do to make my .exe works well in all computer of our company? Should I buy a certificate to sign my code? Sign my code with root certificate?
I think problem is your application has downloaded a few users and the reputation is unknown to Microsoft
P.S. And you can distribute your program in Microsoft Store
I was recently given a VB.NET project for fixing some bugs and creating an installer for it. I was told to use Install Shield LE.
All went well with creating the install script but Windows 8 is giving me a smart screen warning when downloading the application from a web site and trying to install it.
I am aware of Windows 8 policy where popular applications get more "trust points" and become popular but the application is targeted for a fairly small audience of people therefore we can not rely on this option. Even more, people without proper knowledge would be repelled by the warning message and that could cause MS to never raise the trust for the application.
My question is, do I have to sign both - the application and the installer with a certificate? If so how do I sign the installer, as there is a signing tab for the project but I can't find one for the installer.
Bonus points if anyone can tell me if acquiring a proper certificate will remove the warning message telling this isn't a commonly downloaded file and might be dangerous from chrome/IE when downloading the application. There are many threads about this, I know, but most of them suggest adding the site to webmaster tools but that hasn't helped and we're still receiving the message
Thanks.
If I have read your post correctly then you are talking about an application as opposed to a website, and for that you would need a code signing certificate. Certificates that sign websites are different so first and foremost decide what it is that you are producing and want to sign.
Having decided that then you need to decide who you will use to supply your certificate. Typical sources would be VeriSign, Thwaite or Globalsign to name but three. All charge different prices but essentially do the same thing.
Once you have the certificate then the installer that you use to build your application signs the code files you select and the actual installer (msi or exe) itself.
That should eliminate the message that you now see warning people about potentially dangerous files that they are about to download.
I cannot stress enough however that you need to be clear about which type of certificate you need BEFORE you go ahead and buy one. I think from your description you are talking about a code signing certificate but do check first.
Following CAB forum regulation you will need to have an Extended Validation code signing in order to bypass the smart screen filter.
Extended Validation code signing will establish immediate trust with the machine, as you go through a more stringent validation process to obtain it! (or at least that's the rationale behind it!)
I think you can get an extended validation code signing either from SYmantec or GLobalsign.
Im developing a win 8 game in js.
When i deploy my app, can any user can see my code files?
My files has some database passwords, i need to ofuscate it?
There's not really any good way to prevent people from mucking with your REST service if it's public. Sure, you can obfuscate things, digitally sign code, pass around certificates, etc. But in the end it's always possible for someone to reverse engineer your code, emulate a trusted client, or diagnose the network traffic directly.
A better solution here is to focus on mitigating unwanted attacks. Validate the input coming into each web service call, trust nothing, and do a threat analysis on your API. For example, if you were writing a Battleship game, have the server keep track of where each ship is and never expose that information to the clients, allowing them to write a fake client that could cheat. Do the scoring server side, so people can't just post fake scores and get on the high score list.
With that said, unless you're writing the next World of Warcraft, it's unlikely anyone cares enough about your game to jump through any hoops.
Everyone has access to every source file of your app. You just have to go to C:\Program Files\WindowsApps\ to see all your installed apps. If you have a HTML5 app installed, you'll notice that all the .html and .js files are freely accessible by anyone.
You may want to make a simple C# library that won't be so easy to reverse engineer, and put in it the "security critical" parts of your app. You can see how to integrate C# in HTML/JS apps in this MSDN page: http://msdn.microsoft.com/en-us/library/windows/apps/hh779077%28v=vs.110%29.aspx
I have Lazarus(quite a lot like Delphi) application which downloads few files from https://example.com/UpdateFolder. And i was wondering if anything can be done in order for APP to know that it is downloading files from right website? Because if I am right there is a way for hacker to trick APP into going to different website and downloading wrong files and I think it is done somehow by editing system32/driver/etc/hosts file. I would appreciate any suggestions
It depends entirely on your application that downloads the files. If it's able to handle SSL you have nothing to worry about AFAIK, since you need a trusted certificate before it'll make the connection, which will be hard to fake with a Windows host file edit.
Alternatively, and this is why we have domain names in the first place - so a last resort, you could hard-code the IP address of the server that contains the updates and do a trace to make sure the IP of the website your application is connecting to, is the same one you have on file.
However, this makes it very difficult if that IP changes, since you then need to roll out a new update of your entire application (or dll's responsible) just for that, and makes the process that much harder to maintain...
I want to develop an app using Adobe AIR. But I have to sign it using a code signing certificate. I don't wan to buy a code signing certificate. Would it be OK if I distribute my app with a self-signed certificate?
The only difference between using a real certificate and a self-signed certificate is what the user sees in the initial installation dialog. With a real certificated they'll see a yellow "!" and the app will shown to be of "KNOWN" origin, and your company name will be shown. With a self-signed cert, there will be a red "?", and it will say the app's publisher is "UNKNOWN". You can see samples of the two dialogs at the very bottom of this page.
So realistically, it comes down to whether you're okay with people seeing a scary warning at install time. If you're only offering up the apps as a "use at your own risk" thing, or the app will be used mainly by a small group of people who already know who you are (an internal company app, e.g.) that may not be an issue, but if you hope for random internet people to come use your app and trust it, a cert may be a good idea.
That depends on your definition of "OK", but most likely no.
A self-signed certificate will not have been issued by a trusted CA, and your certificate will be considered untrusted by the client. I don't think (but have not tested) that the user is actively prevented from installing an app with an untrusted certificate, but they would at least get a warning, and that doesn't give your user a good first impression of your app.
If it's just for yourself or for a small group of people who know and trust you, then a self-signed certificate is most likely not a problem, but if you're distributing it to the world, you will almost certainly prefer a proper certificate.
I have recently looked into developing an Air App for the company to distribute to customers. On OSX Mavericks - on my mac and my designer's mac a red warning signs pops up stating that we are an unknown publisher - This was using the self signed certificate. The whole process was clunky with the installation, I had to verify that we were legitimate, as this warning sign inferred we were a looking to distribute something underhand.
From a marketing perspective this looked terrible.
In addition to this I managed to find someone to test the whole process of downloading the air app with a self signed cert on windows with an 'average' amount IT skills and this is what they said:
"Nah I didn't download it... it looked like it wanted to put a virus on my computer." And that is where download ended.
Currently we are looking to get some seal of trust on the application for distribution purposes.
Verisign, Thawte look interesting, although costly.
http://www.symantec.com/code-signing/adobe-air
https://www.thawte.com/code-signing/
Or read this page for more information
http://help.adobe.com/en_US/air/build/WS5b3ccc516d4fbf351e63e3d118666ade46-7ff0.html