Code signing

Posted: Sat Oct 17, 2015 6:19 pm
by PSLorde
What code signing do you recommend using?

Re: Code signing

Posted: Sat Oct 17, 2015 6:27 pm
by madshi
I suppose you're asking which certificate provider I recommend?

Depends on whether you need to support Windows 10 with SecureBoot enabled. If you do, you'll have to get one of those "EV" Code Signing Certificates. See more details here:

http://blogs.msdn.com/b/windows_hardwar ... ws-10.aspx

Only a few providers can offer those. E.g. try digicert.

Re: Code signing

Posted: Sat Oct 17, 2015 6:34 pm
by PSLorde
Yeah, my problem is with secure boot. If I sign my code, will it work without disabling secure boot? Do you know something about Comodo code signing https://cheapsslsecurity.com/comodo/cod ... kQodTO0GEA

I use AppInit_DLLs to load my DLLs, but only if secure boot is disabled.

Re: Code signing

Posted: Sat Oct 17, 2015 6:39 pm
by madshi
I don't think Comodo supports EV certificates yet, but I don't really know for sure, you'd need to ask them.

Usually you only need to sign drivers. If you use AppInit_DLLs, then I don't know if you need to sign at all. Of course signing everything helps with avoiding anti-virus false positives. But if we're only talking about user mode dlls and exes, then you probably don't need an EV certificate, and a normal certificate should suffice (if you need one at all). I don't really have any knowledge about AppInit_DLLs, though, so I can't tell you if it needs signed dlls or not.

Re: Code signing

Posted: Sat Oct 17, 2015 6:44 pm
by PSLorde
If I sign my DLL, do you think I will need to disable secure boot?

Re: Code signing

Posted: Sat Oct 17, 2015 6:46 pm
by madshi
As I said, I've no knowledge about AppInit_DLLs.

Re: Code signing

Posted: Sat Oct 17, 2015 7:22 pm
by iconic
@PSLorde

AppInit_DLLs registry key only takes effect after rebooting and can be disabled on newer OS versions via a separate registry key. That method only injects into processes that link against user32.dll so it's no better than SetWindowsHookEx. Why use it?

--Iconic

Re: Code signing

Posted: Mon Oct 19, 2015 1:36 am
by choochy2003
A note about code signing with an EV code signing certificate: as these certificates use a SHA2 hashing algorithm, they are not compatible with anything lower than Windows 8. SHA2 EV Code Signing certificates are not supported on Windows XP, Vista or 7 (for now). So you will either have to ship 2 versions of your files for the different OS groups (the cheaper option), or you can double sign your files with both a SHA1 and a SHA2 certificate. I have not yet tried the latter, however the order of signing is apparently important. The SHA1 certificate must be the first in the chain.

Re: Code signing

Posted: Mon Oct 19, 2015 6:44 am
by madshi
choochy2003 wrote: A note about code signing with an EV code signing certificate: as these certificates use a SHA2 hashing algorithm, they are not compatible with anything lower than Windows 8. SHA2 EV Code Signing certificates are not supported on Windows XP, Vista or 7 (for now). So you will either have to ship 2 versions of your files for the different OS groups (the cheaper option), or you can double sign your files with both a SHA1 and a SHA2 certificate. I have not yet tried the latter, however the order of signing is apparently important. The SHA1 certificate must be the first in the chain.
Interesting! How does double signing work? You simply run signtool twice?

Re: Code signing

Posted: Sat Oct 24, 2015 1:24 am
by choochy2003
Yes, dual-signing requires you to run SignTool twice, using the /as switch on your second call. The /as switch just commands SignTool to append the signature. The other caveats are that you must use the VS2012 (or newer) developer command prompt for SHA2 signing and that you use the http://timestamp.geotrust.com/tsa timestamp server in place of the timestamp.verisign.com server that you use for your SHA1 certificate.
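
The dual-signing procedure described in this post, as an added PowerShell example (not from the thread or its participants): the SHA1 signature goes on first, then the SHA2 signature is appended with /as, and both are checked with signtool verify. It assumes signtool.exe from a VS2012-or-newer SDK is on PATH and that the two certificates are identified by thumbprints in the current user's store; the thumbprint values are placeholders, and the full verisign timestamp path is the historical one for the server the poster names.

```powershell
# Added example: dual-sign a file SHA1-first, then append a SHA2 signature,
# then verify that both signatures are present and valid.
# Assumptions: signtool.exe on PATH; certificates in the CurrentUser\My store,
# selected by thumbprint (the defaults below are placeholders, not real values).
param(
    [Parameter(Mandatory)][string]$File,
    [string]$Sha1Thumbprint = 'PLACEHOLDER_SHA1_CERT_THUMBPRINT',
    [string]$Sha2Thumbprint = 'PLACEHOLDER_EV_SHA2_CERT_THUMBPRINT'
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $File)) {
    throw "File not found: $File"
}

# Step 1: primary signature with the SHA1 certificate and a SHA1 file digest,
# timestamped against the (Authenticode-style, /t) verisign server the post names.
# This MUST run first; a later /as call only appends, it never reorders.
& signtool sign /sha1 $Sha1Thumbprint /fd sha1 `
    /t http://timestamp.verisign.com/scripts/timstamp.dll $File
if ($LASTEXITCODE -ne 0) { throw "SHA1 signing failed ($LASTEXITCODE)" }

# Step 2: append (/as) the SHA2 signature. /fd sha256 selects the file digest,
# /tr points at the RFC 3161 server from the post, /td sha256 the timestamp digest.
& signtool sign /as /sha1 $Sha2Thumbprint /fd sha256 `
    /tr http://timestamp.geotrust.com/tsa /td sha256 $File
if ($LASTEXITCODE -ne 0) { throw "SHA2 append signing failed ($LASTEXITCODE)" }

# Step 3: verify every signature (/all) against the default Authenticode policy
# (/pa). Without /all signtool only reports on the primary (SHA1) signature,
# so a missing or broken appended signature would go unnoticed.
& signtool verify /pa /all /v $File
if ($LASTEXITCODE -ne 0) { throw "Verification failed ($LASTEXITCODE)" }

Write-Host "Dual signature OK: $File"
```

Run it as `.\DualSign.ps1 -File .\MyLibrary.dll -Sha1Thumbprint <thumb> -Sha2Thumbprint <thumb>`; check the verify output lists two signatures, the first with a SHA1 digest and the second with SHA256.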

Re: Code signing

Posted: Tue Oct 27, 2015 3:14 pm
by madshi
Ok, thank you!