MTE Explains: The Uses of the “Published by” Entry on Software Installers

Installing software on most modern operating systems has become so easy that you could probably do it in your sleep. As a result, many people fly through the install process and overlook some of its details.

The window that appears, prompting you to run the installer, is one of these easily-overlooked aspects. At a glance it contains nothing you’re not already aware of – but it might. One single line of text makes the window worth a second look, and it’s the “signature.”

Installers aren’t signed in the traditional sense like a legal document, but some are signed in their own way. If you’ve ever seen this before and wondered, or if you haven’t taken much notice until now, then we’ll explain just what’s going on.

Microsoft reckons that signing software installers can highlight programs that have been tampered with. If they are signed, then it is clear where they came from, and any issues can be taken up with the developers, if necessary.

Peace of mind can also be considered a reason, as many users are going to be more comfortable installing software from a recognisable company or developer. The Mozilla Firefox web browser is signed off by the Mozilla Corporation, which makes sense and provides a degree of legitimacy that “Unknown” does not.
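The publisher line in the prompt comes from the installer's Authenticode signature, which can also be read directly from PowerShell before running the file. The following is an added example, not part of the original article: the helper name `Test-InstallerPublisher`, the download path and the expected publisher value are assumptions chosen for illustration.

```powershell
# Added example: inspect the signature behind the "Published by" line.
# Test-InstallerPublisher is a hypothetical helper; the path and publisher
# used in the call at the bottom are constructed sample values.
function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    # Checks the embedded signature against the file's current contents and
    # the signing certificate against the machine's trusted roots.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    $publisher = $null
    if ($cert) {
        # Simple name of the certificate subject (usually its CN).
        $nameType  = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $publisher = $cert.GetNameInfo($nameType, $false)
    }

    $verdict = switch ($sig.Status) {
        'Valid' {
            if ($publisher -eq $ExpectedPublisher) { 'Signed by the expected publisher' }
            else { 'Validly signed, but by a different publisher' }
        }
        'NotSigned'    { 'Unsigned: the prompt would show an unknown publisher' }
        'HashMismatch' { 'File was modified after signing: do not run it' }
        default        { "Signature not trusted: $($sig.StatusMessage)" }
    }

    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status
        Publisher   = $publisher
        Issuer      = if ($cert) { $cert.Issuer }
        Thumbprint  = if ($cert) { $cert.Thumbprint }
        Timestamped = [bool] $sig.TimeStamperCertificate
        Verdict     = $verdict
    }
}

# Constructed sample call: adjust the path to the installer you downloaded.
Test-InstallerPublisher -Path "$env:USERPROFILE\Downloads\FirefoxSetup.exe" `
                        -ExpectedPublisher 'Mozilla Corporation'
```

A `HashMismatch` status is the tampering case Microsoft describes: the file no longer matches what the publisher signed.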

Microsoft’s tool for signing software installers, the imaginatively named “SignTool.exe,” works with a large variety of files, including .exe and .msi installers. If you are unsure of the differences between these two installer formats, we covered these in a recent article.

SignTool.exe does work as a standalone piece of software, but Microsoft’s own website demonstrates using it with a Visual Studio command prompt and a pre-existing signing certificate. The certificate is not generated through another Visual Studio command, so obtaining one requires further steps.

If you are not using Visual Basic, you still need a code signing certificate alongside Microsoft’s SignTool.exe. Companies shown on this Microsoft-maintained list provide certificates in either standard or Extended Validation (EV) formats, which can be used in conjunction with a Microsoft Dev Centre account. Certain actions require an EV certificate, though the majority can be performed with a standard certificate.

A standard certificate takes less time to process and, as a result, costs less to procure. The level of identity validation is not as high as that of an EV certificate, and it does not support LSA or UEFI code signing, as stated by Microsoft.

After deciding on a certificate type, the company requires some of your information, such as a photographic ID and documents bearing your name. Certificates are not given out freely, and applications from a company may need bank account statements or other paperwork that is not usually publicly available.

Having received the certificate, developers can begin to sign installers, lending their products an air of greater legitimacy.

As you have seen, there are quite a few more steps to gaining this single line of text than meets the eye. Many programs are still distributed without being signed in this manner and do not endanger your PC, and there is no reason to suspect something amiss with programs lacking a certificate.

Knowing the purpose of publisher names on software warnings is not a bad thing; people should be encouraged to be more aware of what they are choosing to install on their computers. If something seems off, it pays to be that much more cautious.