#authenticode — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #authenticode, aggregated by home.social.
-
Help, I need a code signing certificate that won't bankrupt me.
Three years ago, I paid $100 for a three-year code signing certificate. I've signed all my open-source projects' releases with it. Now that it's renewal time, Certera (SignMyCode.com) wants almost $700 for the same three-year certificate (excluding the mandatory HSM purchase, which I am totally on board with).
I write silly C and PowerShell code, and I timestamp my signatures so that they're perpetually valid. My PowerShell Gallery stuff, as well as binaries of aprs-weather-submit on Windows and macOS, are all signed and hashed (but not notarized by Apple, because that's another $99 a year for something that feels done unless Bob Bruninga's followers are thinking about APRS 2.0).
If I can't find a solution, anything I write or update in the future will have to be released as unsigned unless I half-ass something (like the Notepad++ developer using self-signed certs -- semi-dangerously clever). $100 every three years, fine. $700 every three years, and I'll do it if my three fans click my Buy Me A Coffee link over and over.
Is there any CA out there that will offer open-source, not-for-profit developers like me a chance to get globally-trusted code signing certificates? I don't think SigStore ever took off (sadly), and even if it did, I don't think it's part of the Microsoft Authenticode program.
#CodeSigning #SSL #TLS #certificates #Certera #SoftwareDevelopment #C #PowerShell #PowerShellGallery #AmateurRadio #HamRadio #APRS #APRS-Weather-Submit #GitHub #security #developer #Windows #macOS #Linux #Authenticode #DevSecOps #DevOps
-
Elastic Labs uncovered why a valid binary failed signature validation:
➡️ Microsoft’s old heuristics flagged harmless data as a malformed Authenticode signature.
💡 Takeaway: Automate checks early & watch for legacy quirks that can cause false positives.
💬 Ever had clean code flagged by outdated security logic?
👉 Follow @technadu for more infosec deep dives.
-
Automating code signing in today's environment
Code signing is the process of applying a digital signature to software. A digital signature assures the user that the program is genuine and that its code has not been altered in any way between the time the program was built and the time it was released. In the old days, builds were signed with GPG signatures, and the secret keys were kept somewhere on a flash drive. Then the Authenticode system appeared for Windows applications. Now new methods for automating code signing are gradually being adopted for open source and proprietary operating systems.
https://habr.com/ru/companies/globalsign/articles/904926/
#Mozilla #подпись_кода #Windows #Azure_Trusted_Signing #GitHub_Action #EVсертификат #GPG #Authenticode #signcode #Firefox_CI #Buildbot #Taskcluster #Autograph #Hardware_Security_Module #HSM #rcodesign #osslsigncode #MSIX #applecodesign #Apple_Code_Signing
-
PowerShell-OpenAuthenticode http://dlvr.it/TJ0mZY via PlanetPowerShell #PowerShell #OpenAuthenticode #CrossPlatform #Authenticode
-
I've just renewed the #Authenticode certificate I use to sign #PuTTY.
Now #Windows #Defender gives me dire warnings about my own nightly builds. Apparently it thinks the new cert belongs to some previously unknown SW publisher, who might be a malware source for all it knows.
Is there any way to reassure it? E.g. the old cert hasn't expired yet, so I could use each one to cross-sign a declaration that the other one belongs to the same person.
Is there a standard procedure for this?
-
I'm not surprised to find that, for certified timestamping, Microsoft couldn't even manage to follow #RFC3161 and churned out an incompatible thing of its own. As usual.
So the #TSA responder should ideally be able to answer both #OpenSSL-compatible 'application/timestamp-request' and Microsoft-style 'application/octet-stream' (at least it's ASN.1) for their #authenticode thing. Now I understand why my TSA responder, cobbled together with a bit of #Perl, works with everything except MS.
-
Spent the past couple of days rewriting my old pkcs7/authenticode library stuff for go-uefi into the new cryptobytes API.
So far quite happy with it and hopefully makes me sleep better at night.
https://github.com/Foxboron/go-uefi/commit/1b4504c78072bbf10eb957028da159c1761f3494
-
Does anyone happen to know what COFF sections get included when using #Authenticode signatures?
-
@vcsjones just stumbled upon your story on https://vcsjones.dev/subject-interface-packages/ - very helpful, thank you very much!
-
10-year-old #Windows bug with 'opt-in' fix exploited in 3CX attack https://www.bleepingcomputer.com/news/microsoft/10-year-old-windows-bug-with-opt-in-fix-exploited-in-3cx-attack/ Users have to manually activate the 2013 fix by creating a registry key! (The article shows how.) I did it 2 yr. ago and haven't had any problems on Windows 10 Home. #authenticode #DigitalSignature #security