0

I intend to buy my first digital signature intended for signing EXE files. In particular Certum Standard Code Signing caught my eye.

It is SHA-2 based with up to 4096 RSA.

Is it worth my money if I need to prevent cracking of the application. Well I am sure one could still crack it, but I hope it will be harder for some?

LinuxSecurityFreak
  • 1,562
  • 2
  • 18
  • 32
  • 2
    Signing is not encrypting. It helps users to verify authenticity of the EXE. If users do not have mechanisms to do it, or the OS is not enforcing it (like Windows 10 doesn't by default except drivers, and not on all instances now), there's no real benefit really. And no protection against cracking at all. – Aria Sep 09 '16 at 15:19
  • Obfuscating is usually good approach. You can use built-in obfuscator or try to obfuscate the most sensitive parts and keep changing it from version to version so it's not trivial to decompile it (like .net). – Aria Sep 09 '16 at 15:22
  • 1
    You **can** also encrypt some .code segments. Be aware of virusscanners though. This falls in the category 'suspicious behaviour'. Like Aria said, signatures can only verify that *you* created the program, it doesn't protect its contents (neither should it). – Yorick de Wid Sep 09 '16 at 15:37

2 Answers2

6

Code signing is just that - you add a signature to the file with your private key. This signature shows whoever downloads your file that it was signed in it's current form by the person holding the private key. If an application is popular, there is always the danger that someone alters the file to be malevolent. If the file is digitally signed, the user now knows that it was not altered after the people with access to the private key signed it.

This is all it does. It does not add any other form of security or prevent cracking of your application.

mzhaase
  • 186
  • 4
2

A cracker could just remove the signature from your code.

They can then replace it with their own, which the user would then need to accept instead of yours, or they could leave it without a signature which would prompt the user to install it without a signature.

There are software ecosystems which require a signature from a trusted authority before running a program (like most smartphone operating systems), but Windows desktop applications are none of them.

Philipp
  • 48,867
  • 8
  • 127
  • 157