Code Signing Anyone?

Scott Kane scott at cdroo.com
Tue May 22 08:11:53 EDT 2007


Hi Bill, Jacqui and all,

> That's neither possible nor desirable.

Indeed.  It would be grounds for a cert to be pulled by the authenticator.

> It's not possible because the code signing takes into account a checksum 
> for the whole .exe (along with other factors) and that is different with 
> every application created, even though the embedded engine is the same.

Yep.  That's exactly right.  If it were even possible then every IDE 
developer on the planet would be issuing their programmer customers with 
cert's and that would make the cert's useless.  The whole point is to make 
each application unique, identifiable and trackable (a cert can be pulled by 
Microsoft or their authorized issuer which brings up an even nastier dialog 
box).  Each cert' applicant is verified manually (by a human) with human 
readable documentation.

> It's not desirable because then any miscreant could download a trial copy 
> of Rev, write the next great trojan horse virus malware spybot and it 
> would appear to have been "signed" by Runtime Rev.

Which is the whole point of the cert' as Bill rightly says.

> In Windows XP, unsigned applications aren't so bad. But the end user 
> experience gets much worse under Windows Vista, especially with limited 
> accounts and UAC active. Signing applications is something anyone who 
> distributes on Windows should know about. I hope Scott writes up the 
> article.

Judging by the reaction I'd say writing it is a go and I'm going to enquire 
about getting a special price for RR customers but I can't guarantee that so 
don't hold me to it as it will probably depend on the number of potential 
customers.   I'll get onto it this week and submit it to Heather etc and 
hopefully they'll publish it in the near future.  :-)

Scott Kane
"When a distinguished but elderly scientist states that something is 
possible, he is almost certainly right. When he states that something is 
impossible, he is very probably wrong."
Arthur C Clarke 



