> > One thing that could be done with a new command batch file is to
> > digitally sign the OpenSSL DLLs, which you can already do for
> > your own customers.
>
> You're right. All that's required is a batch file. I PGP sign all
> my source and binaries. It's required.

Required by whom? Your end users? Other developers? No-one else has asked about PGP or signing source or libraries in the last six years of mailing archives. And none of us here takes any notice of hashes or PGP for source code, we download from trusted servers. Sorry if that breaks your chain of trust, but as Rui says, you really need to build your own OpenSSL DLLs if you want full traceability, otherwise we all need to trust him since he kindly builds the DLLs.

When I refer to signing, I'm talking about embedding a signature into that application, to stop the application being modified or corrupted and prove its origin, and the application itself should be able to do that, as should the OS. Hashes and PGP are separate to the file, so need to be distributed separately, not sure how any of that checking can be automated, don't recall it ever being discussed in any Delphi component forums.

> I'm not sure about your authenticode cert and how the user tests
> it. I've seen them available and I know they're expensive. I'm
> guessing this is for your commercial software. It's probably not
> the best choice for this application.

Authenticode is the bedrock of Windows application security, almost every executable file in the OS is authenticode digitally signed, as are most of the main executables in Delphi itself. Every serious application developer has their own authenticode code signing certificate, and digitally signs their applications, so their customers can be assured of their origin and integrity. Modern versions of Windows expect executables to be signed, and display warnings if not.

Many application developers also include self checks to ensure their applications are correctly signed and not corrupted by third parties, I have a free Delphi component that does this:

https://www.magsys.co.uk/delphi/magtrustchk.asp

Ideally, all DLLs the application loads should also be checked, this checking is one of the reasons for the slow start up of recent releases of RAD Studio. But my own applications don't currently check the OpenSSL DLLs I use, so I'm breaking my own integrity rules (I also sign the setup application, but files can be changed after install).

So we do need the OpenSSL DLLs to be digitally authenticode signed, which will either be with my certificate and/or an open source Overbyte certificate Francois is looking to acquire. I'll then add a demo or something showing how to check the DLLs before loading with my component, could even be built into ICS if others believe it's a step towards better security.

OpenSSL functions can also be used to check and create authenticode digital signatures, but it's not really safe to check itself.

Angus

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
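
The pre-load DLL check discussed in the message above, sketched as an added example (not part of the original post, and not code from ICS or the component it links to). It uses the Windows `Get-AuthenticodeSignature` cmdlet; the function name `Test-DllSignature`, the install directory and the thumbprint are hypothetical placeholders.

```powershell
# Added example. Function name, directory and thumbprint are hypothetical placeholders.
function Test-DllSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        # Thumbprints of the signing certificates you accept; empty means any
        # signer that Windows already trusts.
        [string[]] $AllowedThumbprint = @()
    )
    foreach ($file in $Path) {
        $signer = $null
        $reason = ''
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            $reason = 'file not found'
        } else {
            # The OS verifies the embedded signature, file hash and certificate chain.
            $sig = Get-AuthenticodeSignature -LiteralPath $file
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            if ($sig.Status -ne 'Valid') {
                # e.g. NotSigned, HashMismatch (file altered after signing), NotTrusted
                $reason = "signature status: $($sig.Status)"
            } elseif ($AllowedThumbprint.Count -gt 0 -and
                      $AllowedThumbprint -notcontains $sig.SignerCertificate.Thumbprint) {
                # Valid signature, but not from a publisher we expect.
                $reason = 'signed by an unexpected certificate'
            }
        }
        [pscustomobject]@{
            Path    = $file
            Trusted = ($reason -eq '')
            Signer  = $signer
            Reason  = $reason
        }
    }
}

# Check every DLL in the (hypothetical) install directory before the application loads them.
$dlls   = Get-ChildItem -LiteralPath 'C:\Program Files\ExampleApp' -Filter '*.dll'
$failed = @(Test-DllSignature -Path $dlls.FullName -AllowedThumbprint '<EXPECTED-SIGNER-THUMBPRINT>' |
            Where-Object { -not $_.Trusted })
if ($failed.Count -gt 0) {
    $failed | Format-Table Path, Reason, Signer -AutoSize
    throw 'Refusing to continue: one or more DLLs failed the Authenticode check.'
}
```

Pinning the signer thumbprint matters because a `Valid` status only says some trusted publisher signed the file, not that the expected one did.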