
I signed my binary with a certificate issued by GoDaddy.

It seems that I and everyone I could get to test it for me confirm that it is indeed signed (much like signtool verify).

However, when I test it on my VMs (XP, Vista, 7) they appear unsigned.

I signed the executables on Windows 8.1.

What's going on? Do the VMs need updating? If they do, what does this mean about releasing my binaries out there in the wild - are there going to be machines which don't have GoDaddy as a certificate authority?

dsp_099
  • I don't believe that Windows by default has the GoDaddy root certificate trusted. You would need to install GoDaddy's root certificate as a Trusted Root Certificate with Windows. You could do this when you install your application. http://technet.microsoft.com/en-us/library/cc754841.aspx – RoraΖ Sep 22 '14 at 11:38
  • Why are they selling the certs if they're not trusted? – dsp_099 Sep 22 '14 at 11:58
  • Every security application that involves trusting certificates has their own list of default trusted root certificates. You can see this by comparing the trusted certificates in Firefox, Chrome, and IE. GoDaddy is trusted by browsers, but the Windows operating system probably only trusts Microsoft certificates by default. – RoraΖ Sep 22 '14 at 12:38
  • This might be too obvious but: Does the GoDaddy certificate list code signing as one of the [Key Usage](http://security.stackexchange.com/questions/6844/how-are-possible-uses-for-x-509-ssl-certificates-denoted)s? –  Sep 25 '14 at 00:17
  • Try with Microsoft's [SigCheck](https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx) (`sigcheck.exe -i mysamplebinary.exe`) on the target platform. This should tell you if the binary is recognized as signed. – StackzOfZtuff Jun 26 '15 at 13:48

0 Answers