Windows code-signing tweaks sure to irritate software developers

Changes that mean signing certificates for Windows can only be sold in hardware form – or from an as-yet undefined cloud-based "service” – from the start of February are likely to have a big effect on software development. US trade body the Certificate Authority Security Council decided in December that "best practice" for …

  1. Dr. Mouse Silver badge

    "It's interesting that one-man-and-a-dog shops won't be especially affected by the procedural changes, but will complain about the approximate doubling of certificate prices. Meanwhile, large ISVs with automated build-and-test systems won't especially worry about an extra few hundred pounds, but may have to revise their processes a lot."

    So, basically, it's going to hit everyone in exactly the way which will hurt them the most. Nice move, MS!

  2. Halfmad

    Why bash MS? Surely your ire should be directed at the Certificate Authority Security Council ?

  3. phuzz Silver badge

    Of course it's Microsoft's fault, just as if they hadn't done this it would instead be "lol microsoft so insecure".

  4. Peter G Green

    So we're back to hardware dongles... It's like the 1980's all over again :-)

  5. tr1ck5t3r

    And the best bit, MS have introduced their own disruptive technology that will be the demise of MS.

    How stupid can you get price gouging your sales & engineering proxy staff when Western economies are already flatlining?

    China's just announced tightening capital controls are going to trigger the mother of all financial crashes.

  6. Kraggy

    Since when did Microsoft ever follow "best practices" except when it suited their agenda?

  7. Richard Plinston Silver badge

    "best practices"

    When a consultant has told a client of mine that some way is "best practices" it has always been that they have not actually evaluated the real needs and just want to do what they have done elsewhere and it wasn't a complete disaster (ie the consultant made a profit).

    In one case the client was a jobbing shop using CAM where the machines were paired with design stations. I installed hubs for each pair and set fixed IPs so that as long as there was power the workshop could keep working. A consultant recommended using DHCP as "best practice" even though that could mean the workshop would be inoperable if the power failed and then returned but the servers were still down (which actually did happen, though only once).

  8. Steve Davies 3 Silver badge

    How long before...?

    Developers say, 'can't be bovvered with Windows any more' and stick a finger (or two) up in the general direction of Redmond?

    Next it will be that W10-2018 edition will only let apps be installed via their App store and devs are expected to pay lots of £££ to get their app into the store. Oh, and MS will take no responsibility if apps loaded this way contain Malware etc.

    MS obviously needs the money.

  9. Charles 9 Silver badge

    Re: How long before...?

    Given how irksome things are right now, why can't developers be bothered with doing it ALREADY?

  10. LDS Silver badge

    "will only let apps be installed via their App store and devs are expected to pay lots of £££"

    That model is working very well on other devices, and some people even defend it strongly here, so why MS shouldn't adopt it too? <G>

  11. Roland6 Silver badge

    Re: How long before...?

    re: Next it will be that W10-2018 edition will only let apps be installed via their App store and devs are expected to pay lots of £££ to get their app into the store.

    Whilst researching something else I came across this article:

    https://storageservers.wordpress.com/2015/04/18/forget-using-free-ms-office-on-microsofts-windows-10-operating-system/

    Whilst I can find no other site carrying this story and note the dates seem to be out, the general intent, namely MS only permitting users to install the latest edition of MS Office and definitely not Open Office, doesn't sound too far-fetched.

    In this respect it is notable that MS took down their application compatibility checker in late 2015; probably because the update model for W10 would make it highly visible that an application compatible with W10 build 123, is not compatible with W10 build 124...

  12. This post has been deleted by its author

  13. LDS Silver badge

    "Whilst researching something else I came across this article"

    And did you see it happening? While it's quite clear MS likes the store model a lot, that article looks really silly. Calling pirated copies "free MS Office" is really bullshit.

    About Office support in Windows 10:

    https://support.office.com/en-us/article/Which-versions-of-Office-work-with-Windows-10-0fc85c97-da69-466e-b2b4-54f7d7275705

    And people are using LibreOffice on it without issues, AFAIK. Don't believe everything you read on the Internet... from clueless sources.

    Then, what Satan Nadella is planning for the future, we don't really know...

  14. Doctor Syntax Silver badge

    Re: How long before...?

    You can buy the dongles on eBay?

  15. Doctor Syntax Silver badge

    Re: How long before...?

    "Whilst researching something else I came across this article:

    https://storageservers.wordpress.com/2015/04/18/forget-using-free-ms-office-on-microsofts-windows-10-operating-system/"

    Hmmm. It also seems to mention "the free upgrade to Windows 10" as if it's a good thing. I'd be suspicious of the whole article.

  16. streaky Silver badge

    Re: "will only let apps be installed via their App store and devs are expected to pay lots of £££"

    some people even defend it strongly here

    Rule 1

    Many things that have worked for other companies that people have thought Microsoft should have copied have turned out to be bad for Microsoft. Hell - that's how windows 8 happened. Doesn't fit microsoft's business model or what made them a very large company in the first place.

  17. bombastic bob Silver badge

    Re: How long before...?

    "You can buy the dongles on eBay?"

    or, worse, CLONES of dongles at rock-bottom prices

  18. Roland6 Silver badge

    Re: How long before...? @LDS & Doctor Syntax

    Yes, I was suspicious of the article, because as I intimated we are in 2017 and have the benefit of hindsight (augmented by Google), I was a little surprised the article wasn't dated 1-April-2015...

    I posted it as it seemed an appropriate comment on the gloom of Steve Davies 3's comment (plus I was sure El Reg readers would enjoy a laugh). Namely, at the time (April 2015) it would have been believable by many, however, with hindsight we can see it was simply FUD.

    However, LDS, as you correctly point out "what Satan Nadella is planning for the future, we don't really know..."

  19. LDS Silver badge

    Re: "will only let apps be installed via their App store and devs are expected to pay lots of £££"

    As an ISV, I don't really like the walled store model - and strongly believe it is anti-competitive, regardless if it is Apple, Google or Microsoft. The "services" offered by the store are good for single developers or very small companies, but useless and extremely expensive when you already have the infrastructure yourself, and your applications aren't sold for 1.99. That's why, for example, Adobe deliver its "apps" as free add-ons to software you directly buy from Creative Cloud. Why share the pie with Google or Apple?

    But put yourself in the expensive comfy leather chair of Nadella: you see Google and Facebook making tons of money gathering and re-selling user data and ads, and Google and Apple making tons of money through their app stores, while PC sales and thereby Windows licenses shrink, and you lost most of the battles in the server space.

    The temptation to aim for the low hanging fruit and copy their business model may be very strong, especially when you are clueless and have no other ideas (but destroying any others' ones), and those business models were not frowned upon except by a minority.

    Will it work for MS? I don't know and I hope it won't. But the risk to see it enforced because it worked so well for others exists. Once again, people in exchange for some easiness of use, and some more "security" (we see how it works well, especially on Android), will lose freedom...

  20. Richard Plinston Silver badge

    Re: "will only let apps be installed via their App store and devs are expected to pay lots of £££"

    > As an ISV, I don't really like the walled store model - and strongly believe it is anti-competitive, regardless if it is Apple, Google or Microsoft.

    I am not sure why you continue to include Google in that group. Is it just dogma because you want them to be seen to be as bad as Microsoft?

    For Android there are dozens of alternate app stores that compete with Google's Play Store, and you can find them by Googling, or even Binging if you prefer.

    https://code.tutsplus.com/articles/10-alternative-android-app-stores--cms-20999

    > but useless and extremely expensive when you already have the infrastructure yourself,

    There is nothing stopping you from having your own Android app store, the software for this can be downloaded and used for free.

  21. patrickstar

    Re: How long before...?

    You can buy HSMs from a lot of vendors - I am sure you can find them on eBay as well. Getting one would not help you one bit in signing something illegitimately. Exactly like how having a harddrive doesn't mean you can sign software as other people today just because they store their private keys on harddrives.

  22. Charles 9 Silver badge

    Re: "will only let apps be installed via their App store and devs are expected to pay lots of £££"

    "For Android there are dozens of alternate app stores that compete with Google's Play Store, and you can find them by Googling, or even Binging if you prefer."

    The trouble being only Google's App Store is trusted by default on Android, meaning the only way to accept installs from the likes of F-Droid is to either root your phone (which can break things) or allow untrusted sources. If Android REALLY were open, we'd have the option of ADDING store certificates so that other app stores can be accepted as trusted. But that isn't even an option: not even under an expert setting.

  23. Richard Plinston Silver badge

    Re: "will only let apps be installed via their App store and devs are expected to pay lots of £££"

    > meaning the only way to accept installs from the likes of F-Droid is to either root your phone (which can break things) or allow untrusted sources.

    So, your criticism is that one must do something really bad and difficult that should only be done by experts and nerds, thus _proving_ that Google is evil and uncompetitive, *OR* tick the check box provided.

    > If Android REALLY were open, we'd have the option of ADDING store certificates so that other app stores can be accepted as trusted.

    It only takes clicking a single checkbox if you want to trust the store. How would Google, or other certificate issuer, know if the store was to be trusted?

    In fact, if you buy an Amazon device, then it does trust the Amazon app store. If you buy a Nokia/Microsoft X (Android) phone then it does trust the Microsoft X-app store. If you buy a Samsung then their store is trusted. Similarly with the many Chinese makers who use app stores, and other services, in China.

    Would someone issuing a certificate implying trust be liable if there was malware in the alternate store?

    The Untrusted Sources checkbox is no more nor less than what Windows has with UAC. Perhaps Microsoft should be adding certificates to Windows so that users can randomly download software and be assured that those sites can be trusted without an annoying dialog box (or turning UAC off). Perhaps you should be using UAC and lack of certification of download sites as yet further examples of Microsoft's anti-competitive behaviour.

    The point is that Google cannot be accused of being anti-competitive. This is because it does nothing to prevent other app stores being set up, allows competitors (eg Microsoft) to put their apps in the Play Store, and allows directly competing products.

    If you want to 'prove' anti-competitive behaviour by Google then please do a comparison chart of what Google is doing compared to Microsoft and Apple, and other smartphone systems.

  24. TotallyInfo

    Re: How long before...?

    That article is nearly 2 years old. All it says really is that the free upgrade for W10 finishes when MS says it does (which actually isn't quite true) and that they are going to crack down on pirate versions of Office.

    The article's comment about Open/Libre Office is utter rubbish, if for no other reason than that MS are very heavily scrutinised in the public sector due to their prominence. Any attempt by them to try and ban or just restrict the use of any rival, let alone public domain rivals, would mean disaster for their public sector sales.

    In any case, MS really don't care about open source "rivals" that much, those tools will never be able to catch up with MS Office investment unless a large number of big organisations decide to invest heavily. While those tools are fine for some use, they are very unlikely to ever present real competition to MS Office.

  25. alain williams Silver badge

    and what will that hardware contain ?

    but a bit of software. So: how long before someone reverse engineers it or pulls one to bits and puts it under a microscope to extract the keys ?

  26. Roland6 Silver badge

    Re: and what will that hardware contain ?

    Be my guest:

    http://www.pcworld.com/article/2846653/storage-for-spies-how-the-fips-standard-makes-data-extremely-hard-to-steal.html

  27. Frank Bitterlich

    Re: and what will that hardware contain ?

    It's supposed to be a FIPS-level HSM (Hardware Security Module.) May be possible to break these, but probably a lot of effort (and you have to steal one, too, without the owner noticing.)

  28. Doctor Syntax Silver badge

    Re: and what will that hardware contain ?

    "It's supposed to be a FIPS-level HSM"

    Wasn't it FIPS that was recommending an NSA-sponsored broken by design encryption algorithm?

  29. Charles 9 Silver badge

    Re: and what will that hardware contain ?

    For PUBLIC consumption. Never assume they follow their own recommendations internally.

  30. Doctor Syntax Silver badge

    Re: and what will that hardware contain ?

    "For PUBLIC consumption."

    And these gadgets are being offered for public consumption - or at least that portion of the public that develops S/W for Windows.

  31. Frank Bitterlich

    CA Security Council...

    ... has certainly lost contact with reality. From their site:

    "Stronger protection for private keys: The best practice will be to use a FIPS 140-2 Level 2 HSM or equivalent. Studies show that code signing attacks are split evenly between issuing to bad publishers and issuing to good publishers that unknowingly allow their keys to be compromised. [...] Therefore, companies must either store keys in hardware they keep on premise hardware, or in a new secure cloud-based code signing cloud-based service."

    Aside from the obvious proofreading fail, it says you have to use either a HSM or "a new secure cloud-based code-signing service." Oh, OK then, that probably means that storing the keys in the cloud and let a cloud service sign your code, instead of your local machine, makes it more secure. Figures.

    I wonder what "a new, secure [...] service" means, though. Are they planning to offer one themselves? Or does it mean that OS makers (MS, Apple) may offer that service, as long as it is "new" (and, of course, "secure")?

  32. Ken Hagan Gold badge

    Re: CA Security Council...

    It was the "Therefore, " that puzzled me. The kind of company that unknowingly allows its keys to be compromised is the kind of company that will just stick this dongle in their signing server and give all their devs login rights.

  33. Anonymous Coward

    Re: CA Security Council...

    I think the thing is that they don't want signing keys exposed. They want them black-boxed, and given they're insisting on FIPS-compliant modules (which are very tamper-resistant, EM-blocking including x-rays, and must include suicide circuits), they seem to be serious about the philosophy that the best way to protect the key is to make sure no one knows what it is.

  34. SoftWiz

    Re: CA Security Council...

    Well, MS for one already has this service for quite a while in their Azure offering.

    But I'm sure Amazon and others will have these too.

    They're verified and certified by external independent companies and really following all security-related best-practices.

    Why are they proposing this? well, a lot of malware and what have you now can be unsigned, or signed with a certificate you got from who knows where, without the need to identify yourself.

    Now, in order to obtain such a code-signing certificate/service, you'll be obliged to identify yourself.

    For using the service in Azure, you'll need to go through a MS partner for obtaining the 'dongle', which shouldn't be from MS by the way, but any code-signing certificate from any trusted issuer can be used, like GlobalSign or whatever!

    This already is done for signing certificates used for signing CRITICAL documents, and for signing PDF's with the Adobe AATL certificate, for long, having HW dongles was the only way.

    Again, because you needed to identify yourself and physically obtain the dongle from the issuer at their premises.

    So, if they deemed it necessary for signing documents, shouldn't it be wise to use it for signing software, which might have access to all personal data of a user, all bank accounts, too?

    And indeed, then they can start blocking unsigned software, or at least indicate that that software is not signed with a trusted certificate, so it's the end-user's responsibility.

    This is probably the only way to get rid of malicious software, distributed as safe to install sw, and without any means of identifying who was the creator/distributor of this sw.
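The comment above talks about Windows "blocking unsigned software, or at least indicating" that a binary carries no trusted signature. The first half of that check is something a build pipeline or triage script can do on its own: Authenticode stores its PKCS#7 blob in the PE file's security data directory as one or more WIN_CERTIFICATE structures, and a file with an empty security directory is simply unsigned. The following is an added example written for this page (it is not code from the thread, from Microsoft or from the CA Security Council) that walks the PE headers with only the standard library and lists those entries; `make_minimal_pe` builds a constructed header-only PE32+ image purely as test input. Finding a blob proves only that something was attached: chain building, timestamp and revocation checks still need `signtool verify` or `Get-AuthenticodeSignature`.

```python
import struct
from typing import List, Optional, Tuple

# Added example, not from the thread: enumerate the WIN_CERTIFICATE entries that
# Authenticode keeps in a PE file's security directory. Presence is NOT validity;
# real verification (chain, timestamp, revocation) is left to signtool or PowerShell.

WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def authenticode_entries(data: bytes) -> Optional[List[Tuple[int, int, bytes]]]:
    """Return [(revision, cert_type, blob), ...], or None if the image is unsigned."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:       # PE32: data directories start 96 bytes into the optional header
        dd_offset = 96
    elif magic == 0x20B:     # PE32+: they start at 112
        dd_offset = 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dir_pos = opt + dd_offset + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if dir_pos + 8 > opt + size_of_optional:
        return None          # optional header too short to carry a security entry
    file_offset, size = struct.unpack_from("<II", data, dir_pos)
    if file_offset == 0 or size == 0:
        return None          # unsigned
    # Unlike every other directory, the security entry holds a raw file offset, not an RVA.
    end = file_offset + size
    if end > len(data):
        raise ValueError("security directory runs past end of file")
    entries = []
    pos = file_offset
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at 0x%x" % pos)
        entries.append((revision, cert_type, data[pos + 8:pos + length]))
        pos += (length + 7) & ~7   # successive entries are 8-byte aligned
    return entries


def is_signed(data: bytes) -> bool:
    """True if at least one PKCS#7 SignedData blob is attached (validity not checked)."""
    entries = authenticode_entries(data)
    return bool(entries) and any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, t, _ in entries)


def make_minimal_pe(cert_blob: Optional[bytes] = None) -> bytes:
    """Constructed test input: a header-only PE32+ image with no sections, optionally
    carrying one WIN_CERTIFICATE referenced from the security directory."""
    opt_size = 240
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)  # x64, 0 sections
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                              # PE32+ magic
    header_len = len(dos) + 4 + len(coff) + opt_size
    body = b""
    if cert_blob is not None:
        cert = struct.pack("<IHH", 8 + len(cert_blob), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        cert += b"\0" * (-len(cert) % 8)
        struct.pack_into("<II", opt, 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                         header_len, len(cert))
        body = cert
    return dos + b"PE\0\0" + coff + bytes(opt) + body
```

Run `is_signed(open(path, "rb").read())` over a directory of build outputs to catch anything that left the pipeline without a signature; treat a `True` as "worth verifying properly", never as "trusted".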

  35. Anonymous Coward

    Re: CA Security Council...

    "Now, in order to obtain such a code-signing certificate/service, you'll be obliged to identify yourself."

    Or just STEAL one like Realtek's key. Recall the malware that got through because it was signed with Realtek's key, which happens to be one you CAN'T easily revoke because of all the sound chip drivers signed by the same key?

  36. Zippy's Sausage Factory

    Is it me or are MS doing everything in their power to make Windows die? Seriously, they seem to be trying to annoy developers as much as possible, competing directly with their business partners, making Windows 10 annoy its own users...

    I mean I'm not one for conspiracy theories, but I heard a bunch of pigeons the other day whispering "coup, coup"*....

    * Old Bill Hicks joke, not one of mine. Sadly.

  37. WibbleMe

    Why does the world need this product?

    Seriously, for day to day tasks Ubuntu Desktop is "good enough" for most people for email and document editing, along with being a core development platform for developers due to its ease.

  38. Ken Hagan Gold badge

    Re: Why does the world need this product?

    "this product" ??

    The article is talking about code signing. Last I heard, Ubuntu Desktop is not a code signing product. Also, last I heard, Linux distributions in general solve the code signing problem by having each distribution bake its own keys into the distro. This isn't a technique that scales well to several million ISVs, though obviously it works just fine if you can persuade everyone to share their source code so that it can be served up by the One True Repo of each particular distro.

  39. WibbleMe

    Re: Why does the world need this product?

    You're missing the point: the customer wants to simply use something that does email or a business app like a word processor. They do not care about signing or the OS; they want something easy to use, reliable and that does the job. If supplying one type of OS means jumping through lots of hoops and is not cost effective for the supplier, ie the IT company, then changes will be pushed through or the company dies.

    Just because something is well used once does not mean it can not be replaced.

    Example

    Amazon AWS in the cloud is the big buy because of choice, ease of use and cost.

    Google Android or iphone OS is used on mobile because of ease of use.

    I do not care about signing I want to make a profit, the customer does not care about signing they want to make a profit.

    The reason you do not care about signing is that you probably do not see the bill, but whoever does will ask questions, why what if and how.

  40. Anonymous Coward

    Re: Why does the world need this product?

    "I do not care about signing I want to make a profit, the customer does not care about signing they want to make a profit."

    Then they'll want to care about signing because it helps to make sure the app they're using is genuine and not some trojan designed to steal their secrets.

  41. Anonymous Coward

    H/W vs S/W vs cloud

    Changes that mean signing certificates for Windows can only be sold in hardware form

    I can see the sense in that, something physical is usually more secure than something ephemeral like software...

    or from an as-yet undefined cloud-based "service”

    which feels to me like it almost has vulnerability built in from the get-go.

    So...with one approach that's more secure, and one that could be a bit s**t, I suppose that on average we're about where we were to begin with.

  42. Anonymous Coward

    Re: H/W vs S/W vs cloud

    > which feels to me like it almost has vulnerability built in from the get-go.

    Not intrinsically: a cloud service can be built to be much more secure than most people can build their own.

    The weakness will be in how you authenticate to the cloud service, to get it to sign something. And as long as that has some sensible approach (e.g. U2F token) then it should be pretty good.

    Basically it means you push the cheap U2F token to the end user, and the expensive HSM module into a centrally managed service.

  43. patrickstar

    Re: H/W vs S/W vs cloud

    Doing this in the clown can actually be secure. Kind of, at least. The trick is to have the HSM that keeps the keys also authenticate the user. Presumably with some sort of OTP/token scheme - presenting one OTP to the HSM means you get it to sign one hash for you.

  44. Colin Critch

    Re: H/W vs S/W vs cloud

    I think the clown would object!

  45. doke

    Re: H/W vs S/W vs cloud

    "a cloud service can be built to be much more secure than most people can build their own."

    "can be built", "has been built", and "has been maintained" are all very different. I've seen several cloud services that were designed with good intentions, built with the best safeguards available, but then turned over to morons to operate and maintain. After a couple years, they're worse than useless.

  46. Doctor Syntax Silver badge

    Re: H/W vs S/W vs cloud

    "Not intrinsically: a cloud service can be built to be much more secure than most people can build their own."

    That may be true from a vendor's point of view. From the user's point of view the vendor has to be added to the risks to be considered. However trustworthy the vendor might be in the first place ownership, management and staffing can change and, depending on data sovereignty, the cloud could be suborned by TPTB along with a gag order.

    It's somebody else's computer. You don't know what's happening there.

  47. Anonymous Coward

    Re: H/W vs S/W vs cloud

    "It's somebody else's computer. You don't know what's happening there."

    You didn't construct the chips in your own machine. You don't know what's happening there, either. If you're that paranoid, you're better off abandoning everything electric and living in the mountains.

  48. Anonymous Coward

    Where can the details be found on the MS Site?

    I just tried searching on the MSDN site and didn't find anything about a change to code signing. Can someone point me in the right direction?

    Tks

  49. Ken Moorhouse Silver badge

    Hardware Dongles

    Might hit corporates big-time - having locked down PCs so that USB slots are disabled, they are now going to have to allow a dongle to be plugged in.

  50. Electron Shepherd

    Re: Hardware Dongles

    But you only get one dongle, surely? In that case, it needs to be permanently put into the build server, assuming you have only one. Multiple build servers might mean multiple dongles, unless you now have a single "signing server" that just does the signing.

    Life may get interesting if the machine that does the building and signing is a VM. Getting a VM to access a physical USB slot directly can be a bit tricky at the best of times, and it somewhat messes up the ability to migrate the machine to another host.
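Two comments above sketch the same design from different ends: patrickstar's "presenting one OTP to the HSM means you get it to sign one hash for you", and Electron Shepherd's single "signing server" that the build machines talk to instead of each holding a dongle. The following is an added example for this page, not code from the thread, from any HSM vendor or from Microsoft's or anyone's actual service, and it models only the access-control logic of that design: the build server hashes the artifact locally and sends just the digest plus a one-time code; the signing module holds the key, accepts each HOTP (RFC 4226, verifiable against the RFC's test vectors) exactly once, signs exactly one digest per accepted code, and rejects a replay. The user names, the OTP secret and the "private key" are constructed; because the standard library has no public-key signing, `_sign_digest` is an HMAC stand-in for the RSA/ECDSA operation a real HSM would perform, and a real deployment would use a U2F/FIDO assertion (as the Anonymous Coward suggests) or a vendor-specific token rather than a 6-digit code.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

# Added example, not from the thread: a signing service gated by one OTP per signature.
# Constructed names and secrets throughout; the signature itself is an HMAC stand-in.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


def artifact_digest(artifact: bytes) -> bytes:
    """What the build server ships to the signer: the hash, never the file."""
    return hashlib.sha256(artifact).digest()


class SigningModule:
    """Models the HSM side of a central signing service: the private key lives only
    here, every request must carry a fresh OTP for a registered user, and one accepted
    OTP buys exactly one signature over one digest."""

    LOOK_AHEAD = 5   # tolerate a few codes the client generated but never sent

    def __init__(self, private_key: bytes, otp_secrets: Dict[str, bytes]):
        self._private_key = private_key            # no method ever returns this
        self._otp_secrets = dict(otp_secrets)
        self._next_counter = {user: 0 for user in otp_secrets}
        self.audit: List[Tuple[str, str, int, str]] = []   # (event, user, counter, digest)

    def sign(self, user: str, otp: str, digest: bytes) -> Optional[bytes]:
        if len(digest) != hashlib.sha256().digest_size:
            raise ValueError("expected a SHA-256 digest, not the artifact itself")
        secret = self._otp_secrets.get(user)
        if secret is None:
            self.audit.append(("rejected-unknown-user", user, -1, digest.hex()))
            return None
        start = self._next_counter[user]
        for counter in range(start, start + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(secret, counter), otp):
                # Consume the code: the window moves past it, so replaying it fails.
                self._next_counter[user] = counter + 1
                self.audit.append(("signed", user, counter, digest.hex()))
                return self._sign_digest(digest)
        self.audit.append(("rejected-bad-otp", user, start, digest.hex()))
        return None

    def _sign_digest(self, digest: bytes) -> bytes:
        # STAND-IN for the HSM's RSA/ECDSA signing operation (no public-key
        # primitives in the standard library): HMAC keyed with the private key.
        return hmac.new(self._private_key, digest, hashlib.sha256).digest()

    def verify(self, digest: bytes, signature: bytes) -> bool:
        # Stand-in for the relying party's public-key verification.
        return hmac.compare_digest(self._sign_digest(digest), signature)


def sign_artifact(module: SigningModule, user: str, otp: str,
                  artifact: bytes) -> Optional[bytes]:
    """Build-server side: hash locally, send only the digest and the current OTP."""
    return module.sign(user, otp, artifact_digest(artifact))
```

The audit list is the part Ken Hagan's objection turns on: a company that hands every developer a login to the signing box still gets one log line per signature naming the user and the digest, which a bare dongle in a build server never gives you.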
