Digital signature of software

8

I use Kaspersky antivirus, and for it to allow my software, written in Delphi, to run, I had to mark it as trusted software.

The reason Kaspersky gave was that the software is not trusted because it is not digitally signed.

Looking at the link that @epx passed, I could verify that certificates are needed to make the digital signature:

"Before you can get started, you'll need a code-signing certificate and associated private key."

Right after that it says that I can generate a key in my own infrastructure:

"You can generate your own code-signing certificate using your internal public key infrastructure (PKI) or you can buy one from a commercial Certification Authority (CA) such as Verisign."

So I would like to know:

1- What is a digital signature of software?
2- Do I really need one to distribute software and avoid this kind of problem with Kaspersky and other antivirus products?
3- How do I sign my software digitally?
4- How do I generate that certificate in my own infrastructure?
5- Would it be accepted by *Kaspersky*, for example?
    
asked by anonymous 29.03.2014 / 12:57

1 answer

4

You've actually asked a number of questions that might have been better explored separately. But I'll try to answer anyway.

Briefly, a digital signature is like signature recognition and document authentication at a notary's office, but for digital files. It confirms who issued the file and that the file was not changed after it left the creator's hands. Code signing of Windows executables is what Microsoft calls Authenticode.

Some Microsoft articles on the subject:
Introduction to Code Signing
Authenticode on MSDN
Authenticode Explanation on Blog
Creating, Viewing, and Managing Certificates

To sign digitally you need a certificate. You can generate a certificate for yourself using OpenSSL or MakeCert. But since you are not recognized by other companies as someone who issues trusted certificates, not everyone will fully trust your software. It's up to you to verify whether the signature you generate will solve your problem or not.

Below is a list of some certificate vendors that are generally considered trusted:


A cheaper alternative is to get the certificate from COMODO via the Tucows site.

03.04.2014 / 15:28
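The answer above names the tools (OpenSSL, MakeCert) but not the actual steps. The following is an added example, not code from the original answer: it generates a self-signed code-signing certificate with the built-in PowerShell PKI cmdlets (the modern replacement for MakeCert, available on Windows 10 / Server 2016 and later), signs an executable with a SHA-256 Authenticode signature and an RFC 3161 timestamp, and then checks the result. The executable path, the subject name and the timestamp server URL are placeholders you would substitute with your own.

```powershell
# Added example, not part of the original answer. Assumes Windows 10 / Server 2016 or
# later with the built-in PKI cmdlets. Paths, subject and timestamp URL are placeholders.
$ErrorActionPreference = 'Stop'
$exe     = 'C:\build\MyApp.exe'        # placeholder: the Delphi build output to sign
$subject = 'CN=Example Software Ltda'  # placeholder: your publisher name

# 1. Generate a self-signed code-signing certificate in the current user's store.
#    -Type CodeSigningCert sets the Code Signing EKU (1.3.6.1.5.5.7.3.3) Authenticode requires.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(3)

# 2. Sign with SHA-256 and a timestamp. The timestamp lets the signature remain valid
#    after the certificate itself expires. The URL is an assumption; use your CA's server.
Set-AuthenticodeSignature -FilePath $exe -Certificate $cert `
    -HashAlgorithm SHA256 `
    -TimestampServer 'http://timestamp.digicert.com' | Out-Null

# 3. Verify. With a self-signed certificate the status is NOT 'Valid' (typically
#    'UnknownError' with a "terminated in a root certificate which is not trusted" message):
#    the signature itself is cryptographically sound, but the chain ends in a root Windows
#    does not trust. This is exactly why a self-signed certificate does not convince
#    other people's machines or antivirus products.
$sig = Get-AuthenticodeSignature -FilePath $exe
'{0}: {1}' -f $sig.Status, $sig.StatusMessage

# 4. Only on machines you control ("your internal PKI"): trusting your own certificate as a
#    root and as a publisher turns the status into 'Valid' on this machine and nowhere else.
#    Importing into Root triggers a confirmation dialog on a normal desktop session.
if ($sig.Status -ne 'Valid') {
    $cer = Join-Path $env:TEMP 'mycodesign.cer'
    Export-Certificate -Cert $cert -FilePath $cer | Out-Null
    Import-Certificate -FilePath $cer -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null
    Import-Certificate -FilePath $cer -CertStoreLocation 'Cert:\CurrentUser\TrustedPublisher' | Out-Null
    (Get-AuthenticodeSignature -FilePath $exe).Status   # 'Valid' on this machine only
}
```

Steps 1 to 3 are the same whether the certificate is self-signed or bought from a commercial CA; with a CA-issued certificate you skip step 1, select the certificate from the store (for example with `Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert`) and step 3 reports `Valid` on any machine that already trusts that CA's root. Step 4 is the practical meaning of "your internal PKI": it works for machines whose trust store you manage, which customers' machines and third-party antivirus products are not.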