Home/ Questions/Q 3634526
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-19T00:47:24+00:00

I am implementing an automatic update feature and need some advice on how to

  • 0

I am implementing an automatic update feature and need some advice on how to do this securely using best practices. I would like to use the downloaded file’s Authenticode signature to verify that it is safe to run (i.e. originates from our company and hasn’t been tampered with). My question is very similar to question #2008519.

The bottom-line question: what’s the best, most secure way to check Authenticode signatures for an automatic update feature? What fields in the certificate should be checked? Requirements being: (1) check signature is valid, (2) check it’s my signature, (3) old clients can still update when my certificate expires and I get a new one.

Here’s some background information / ideas from my research: I believe this could be broken into two steps:

  1. Verify that the signature is valid. I believe this should be easy using WinVerifyTrust as outlined in http://msdn.microsoft.com/en-us/library/aa382384(VS.85).aspx – I don’t expect problems here.

  2. Verify that the signature corresponds to our company, and not another company. This seems to be a more difficult question to answer:

One possibility is to check some of the strings in the signature. Could be obtained via code at MS KB article #323809, but this article doesn’t make recommendations on what fields should be checked for this type of application (or any other, for that matter). Question #1072540 also illustrates how to get some certificate info, but again doesn’t recommend what fields to actually check. My concern is that the strings might not be the best check: what if another person is able to obtain a certificate with the same name, for example? Or if there’s a valid reason for us to change the strings in the future?

The person at question #2008519 has a very similar requirement. His need for a “TrustedByUs” function is identical to mine. However, he goes about doing the check by comparing public keys. While this would work in the short-term, it seems like it won’t work for an automatic update feature. This is because code signing certificates are only valid for 2 – 3 years max. Therefore, in the future, when we buy a new certificate in 2 years, the old clients wouldn’t be able to update any more due to the change in public key.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The person at question #2008519 has a
    very similar requirement. His need for
    a “TrustedByUs” function is identical
    to mine. However, he goes about doing
    the check by comparing public keys.
    While this would work in the
    short-term, it seems like it won’t
    work for an automatic update feature.
    This is because code signing
    certificates are only valid for 2 – 3
    years max. Therefore, in the future,
    when we buy a new certificate in 2
    years, the old clients wouldn’t be
    able to update any more due to the
    change in public key.

    Since the concern is that the application trusts you rather than that a person trusts you, you could just use self-signing and embed any public keys needed in the applications themselves. This gives you much more control over the process. This is inappropriate when asking a user or application not under your control to give trust, but in this case the application is under your control, so it will work fine. This allows you to very easily avoid the concern of mistaking someone else’s similar-looking certificate for your own.

    • 0