> > One thing that could be done with a new command batch file is to
> > digitally sign the OpenSSL DLLs, which you can already do for 
> > your own customers.
> 
> You're right. All that's required is a batch file. I PGP sign all 
> my source and binaries. It's required. 

Required by whom?  Your end users?  Other developers? 

No-one else has asked about PGP or signing source or libraries in the
last six years of mailing archives.  And none of us here takes any
notice of hashes or PGP for source code, we download from trusted
servers.  

Sorry if that breaks your chain of trust, but as Rui says, you really
need to build your own OpenSSL DLLs if you want full traceability,
otherwise we all need to trust him since he kindly builds the DLLs.  

When I refer to signing, I'm talking about embedding a signature into
that application, to stop the application being modified or corrupted
and prove its origin, and the application itself should be able to do
that, as should the OS.  

Hashes and PGP are separate from the file, so need to be distributed
separately, not sure how any of that checking can be automated, don't
recall it ever being discussed in any Delphi component forums.  

> I'm not sure about your authenticode cert and how the user tests 
> it. I've seen them available and I know they're expensive. I'm 
> guessing this is for your commercial software. It's probably not 
> the best choice for this application.

Authenticode is the bedrock of Windows application security, almost
every executable file in the OS is authenticode digitally signed, as
are most of the main executables in Delphi itself.  Every serious
application developer has their own authenticode code signing
certificate, and digitally signs their applications, so their customers
can be assured of their origin and integrity. 

Modern versions of Windows expect executables to be signed, and display
warnings if not.  

Many application developers also include self checks to ensure their
applications are correctly signed and not corrupted by third parties; I
have a free Delphi component that does this:    

https://www.magsys.co.uk/delphi/magtrustchk.asp

Ideally, all DLLs the application loads should also be checked; this
checking is one of the reasons for the slow start up of recent releases
of RAD Studio.  But my own applications don't currently check the
OpenSSL DLLs I use, so I'm breaking my own integrity rules (I also sign
the setup application, but files can be changed after install). 

So we do need the OpenSSL DLLs to be digitally authenticode signed,
which will either be with my certificate and/or an open source Overbyte
certificate Francois is looking to acquire.  I'll then add a demo or
something showing how to check the DLLs before loading with my
component, could even be built into ICS if others believe it's a step
towards better security.  

OpenSSL functions can also be used to check and create authenticode
digital signatures, but it's not really safe to check itself.   

Angus
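An added example, not code from ICS or from the magtrustchk component, of the check described above: verifying a DLL's Authenticode signature with the Windows WinVerifyTrust API before handing it to LoadLibrary. It assumes a Unicode Delphi on Windows; the type and function names are the example's own.

```delphi
uses Winapi.Windows, System.SysUtils;
const  // policy GUID and flag values from wintrust.h
  WINTRUST_ACTION_GENERIC_VERIFY_V2: TGUID = '{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}';
  WTD_UI_NONE = 2; WTD_REVOKE_NONE = 0; WTD_CHOICE_FILE = 1;
  WTD_STATEACTION_VERIFY = 1; WTD_STATEACTION_CLOSE = 2;
  WTD_CACHE_ONLY_URL_RETRIEVAL = $1000;  // no network fetches during the check
type
  TWinTrustFileInfo = record  // WINTRUST_FILE_INFO
    cbStruct: DWORD; pcwszFilePath: PWideChar; hFile: THandle; pgKnownSubject: PGUID;
  end;
  PWinTrustFileInfo = ^TWinTrustFileInfo;
  TWinTrustData = record  // WINTRUST_DATA, pre-Windows 8 layout (no pSignatureSettings)
    cbStruct: DWORD; pPolicyCallbackData, pSIPClientData: Pointer;
    dwUIChoice, fdwRevocationChecks, dwUnionChoice: DWORD;
    pFile: PWinTrustFileInfo;  // only the pFile member of the union is used here
    dwStateAction: DWORD; hWVTStateData: THandle; pwszURLReference: PWideChar;
    dwProvFlags, dwUIContext: DWORD;
  end;
function WinVerifyTrust(hwnd: HWND; pgActionID: PGUID; pWVTData: Pointer): Longint;
  stdcall; external 'wintrust.dll';

// ERROR_SUCCESS when the file is unmodified and its Authenticode signature chains
// to a trusted root; otherwise the WinVerifyTrust error ($800B0100 = no signature).
function AuthenticodeStatus(const FileName: string): Longint;
var FileInfo: TWinTrustFileInfo; Data: TWinTrustData;
begin
  FillChar(FileInfo, SizeOf(FileInfo), 0); FillChar(Data, SizeOf(Data), 0);
  FileInfo.cbStruct := SizeOf(FileInfo);
  FileInfo.pcwszFilePath := PWideChar(FileName);
  Data.cbStruct := SizeOf(Data);
  Data.dwUIChoice := WTD_UI_NONE;  // never show a trust dialog
  Data.fdwRevocationChecks := WTD_REVOKE_NONE;
  Data.dwUnionChoice := WTD_CHOICE_FILE;
  Data.pFile := @FileInfo;
  Data.dwProvFlags := WTD_CACHE_ONLY_URL_RETRIEVAL;
  Data.dwStateAction := WTD_STATEACTION_VERIFY;
  Result := WinVerifyTrust(HWND(INVALID_HANDLE_VALUE), @WINTRUST_ACTION_GENERIC_VERIFY_V2, @Data);
  Data.dwStateAction := WTD_STATEACTION_CLOSE;  // release the verifier state handle
  WinVerifyTrust(HWND(INVALID_HANDLE_VALUE), @WINTRUST_ACTION_GENERIC_VERIFY_V2, @Data);
end;

// Loads the DLL only if the check passes; returns 0 and sets Status on refusal.
function LoadSignedLibrary(const FullPath: string; out Status: Longint): HMODULE;
begin
  Result := 0;
  Status := AuthenticodeStatus(FullPath);
  if Status = ERROR_SUCCESS then  // full path, not a bare name, so the search order cannot substitute a file
    Result := LoadLibrary(PChar(FullPath));
end;
```

WinVerifyTrust proves integrity and a trusted chain, not who signed: insisting on a particular publisher certificate (your own or an Overbyte one) additionally requires reading the signer certificate out of the file, which is beyond this example. Keep the checked DLL in a directory only administrators can write to, since the file is re-opened by path between the check and the load.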

  
