Code Signing Certificates Journey of Pain #3: When Even Signing Isn’t Enough

This is the third blog of the series and hopefully the last one, as I am confident I have gone through all the requirements, issues and limitations of the current code signing process. ‘Code Signing Certificates’ Journey of Pain #3: When Even Signing Isn’t Enough’ shines a light on the extortion by the certificate authority industry of software publishers. Thankfully for developers and publishers alike, blockchain and smart contract technology offer substantial pain relief to this intolerable situation.

 

Check out part 1 and part 2 in the series if you haven’t already.

 

 

The Certificate Authority’s Road of Nonsense

What started as a painful and time-consuming journey has now blossomed into a full-fledged drama. We thought we had everything sorted for our executable to be installed without any OS complaining about security risks. As it turns out, we discovered that we were not there yet.

 

After weeks of calls, numerous official papers sent to the certificate authority and a number of checks to prove we were who we claimed to be, we finally received the digital certificate to sign the CodeNotary application and the Windows installer. It was now time to test the freshly signed installer and see whether everything worked as expected. However, the drama was just beginning.

 

In fact, the first surprise arrived immediately during the download of the CodeNotary installer for Windows from https://github.com/vchain-us/vcn/releases and triggered the following alert.

Google's ‘Unwanted Software Policy’ Alert

Code Signing and Google’s ‘Unwanted Software Policy’

 

We reviewed Google’s ‘Unwanted Software Policy’ to make sure our software did not breach any of the set policy guidelines. Good faith is the foundation of most of these types of policies. This policy was no different. The very first claim it makes is that software is blocked if "It is deceptive, promising a value proposition it does not meet."

 

As much as I am a strong believer in the power of AI, I struggle to see how Google can reconcile this policy with a value proposition based on an executable file. Unless someone reports that a software application does not comply with this policy, there are no indicative reasons for any software to not be compliant with this policy.

 

The one policy in the list that can be empirically verified by Google is the requirement for software to be signed by an official digital certificate. We had taken care of that.

Google's ‘Unwanted Software Policy’ Snippet

Clearly, for Google, an application signed with an official digital certificate issued by a leading CA with an industry market share of 67% is still not enough for trust. There was no way around this fact. We had to get it fixed. So we started a separate Google approval process that ended up having another set of issues all of its own. More on that later.

 

Back to the current task at hand. We manually confirmed we wanted to keep the download and clicked the appropriate button in the pop-up notification to start the install process. At this point, I was 100% sure code signing certificates would make the magic happen and the rest of the installation would be straightforward. Alas, it was not meant to be, as this was when the second surprise arrived.

 

Yet Another Hurdle in the Code Signing Process


I was completely baffled. What happened to my signing certificate? Maybe something went wrong and there was no signature on the .exe file. So I checked the installer properties again. Everything was in order as shown in the image below.

Digital certificate installer properties check

The Extended Validation Certificate Scam

 

I started looking for an explanation for this alert, and on a forum on Microsoft’s website I found that by using an Extended Validation (EV) Certificate you could make the Defender alerts disappear. However, that is only after 3,000+ downloads. Getting 3,000 downloads for a new application is not something you get overnight, and certainly having all these types of alerts from Chrome and Windows doesn’t help in reaching that goal either.

 

So we considered an EV certificate instead. To get the certificate we had to comply with other manual and time-consuming CA checks, add more weeks of delays to our schedule and spend another $1,000. Altogether, with the already spent $500 between the certificate and the officially registered papers, our total code signing certificate costs amounted to a whopping $1,500. So on general principle, we refused to continue to oil this broken engine.

 

Certificate Authorities’ True Intent

 

The industry’s only goal is to milk money from publishers without adding any true value other than allowing software into the game they created. Unfortunately for them, that game is now technologically outdated, dusty, and ultimately ridiculous. This is further proven by a TechTarget report that anyone can buy a counterfeit EV certificate for the same amount or less that passes the CA’s own authenticity test. And they can do so without spending the same amount of time to get it issued.

 

A Better, Technologically Upgraded Way to Sign Code

 

Luckily, there is a better way with CodeNotary. It proves the authenticity of software assets in one single step of signing.

 

Check how much money you can save on digital certificates using CodeNotary and join the community that will change code signing forever. The certificate authority industry is yet one more industry that is being disrupted by blockchain and smart contract technology.

 

Start your free trial of CodeNotary now and leave the pain behind.

 


 

If you have missed our first two blogs on the topic, you can find them here and here.
