More code signing mischief


So I took the general advice and didn’t bother renewing the codematic code signing certificate.

The published version of the worksheet unprotector is signed, but the signature expired a while ago. It was valid and in-date when I signed it, although I did not timestamp it (I hadn’t seen anything to suggest that timestamping was, in effect, obligatory).

So I got this screenshot from a potential customer (or maybe not a customer, after this farce). Actually it was the French version, but I thought this would be clearer for most sos readers.

Signing my code effectively timebombs it: once the sig has expired, Excel 2007 will claim it’s invalid and refuse to load it at all, even from a trusted zone.

Not signing my code just gets the user a quick familiar ‘enable macros?’ warning.

It’s not a hard choice, is it? Even ignoring the rip-off nature of buying a cert.

I’m not totally clear how any of this helps security, as it just makes code signing even less attractive. Is something that was signed but has since expired really more of a security risk than something that was never signed at all? Bear in mind that everything that is signed will expire at some point.

I guess I should test it with something that is signed and timestamped, and expired. Has anyone else done that?

At this stage I’m all set to give up on signing completely. I really want to sign my code, because I think it’s the right thing to do. Perhaps I should just get over myself: who is going to imitate a codematic tool with some nastyware?

Hmm what shall I spend the 200 quid I have saved by not buying a cert on?

cheers

Simon


22 Responses to “More code signing mischief”

  1. Rob Bruce Says:

    Has anyone actually seen an office macro virus since about 1997? I know I haven’t.

  2. Simon Says:

    Nah – I’ve seen plenty of woefully shitty code that did plenty of bad things – but by accident not design!

  3. Ross Says:

    I’ve never seen one, but then again, if I get an e-mail from Robert I’m gonna Con you @ Spam Hell .com, with my payslip in an Excel spreadsheet, I don’t tend to open it! – I call it the Ross AV wear!

    Get an ox1?!

  4. Charles Says:

    Thanks Simon,

    I always thought code signing was useless for our kind of market: now I know it’s worse than useless.

  5. Bastien Says:

    Hello Simon,

    I have no experience with projects without a timestamp but it is surely bad if Excel then just disables it without leaving the user a choice and actually treats it worse than a project without any certificate at all.

    I have a signed project (with timestamp) and I have a version in which the certificate is now expired.

    In Excel 2003 you get a warning “A certificate (signing or issuer) has expired”.
    Then I can choose to disable or enable the macros.
    It makes no difference if you have previously added the publisher to the trusted publishers list.

    In Excel 2007 I get the message: “Warning: The digital signature has expired.”
    But I can still choose to enable or disable the macros.

    In my opinion the key benefit of the certificate is some user friendliness (is that a word?).

    An advantage is because of a “problem” Microsoft created: the warning when you want to install software (especially in Vista). My company name sounds much friendlier in the dialog than the message from Microsoft raising the question of whether a user is really sure to install the software and warning of an unknown publisher.
    Another purpose for the certificate is to ensure the user that he/she has the original file. I have seen at least one download site hacking into my setup file and inserting their own adware.
    I don’t think a user would notice the difference between the version with and without a certificate, but at least I can defend myself when they complain about the bundled adware (which I have seen happen only once, on a site without much traffic, fortunately).

  6. Simon Says:

    Thanks Bastien
    Looks like I should have timestamped my app (not so easy when I don’t put my dev box on t’interweb.)

    I think the ‘do you want to trust this publisher’ dialog is much more scary than the more familiar enable/disable macros.

    I have avoided Vista, but I am aware signing helps ease the install burden.

    Your final point is my big thing too – repudiation – the ability to demonstrate a malware version did not come from me.

    Funnily enough I saw someone asking recently on an NG about hacking into ASAP – someone gave him a slap. That’s the trouble with fame…
    cheers
    Simon

  7. AlexJ Says:

    Simon, re: “200 quid I have saved by not buying a cert”

    Why not spend it on a sign advertising that you don’t use (digital) signs?

  8. Simon Says:

    Alex – I could, except I’ve just spent it on an acer aspire one.
    http://www.amazon.co.uk/Acer-Aspire-One-Netbook-Sapphire/dp/B001BZ920W/ref=dp_cp_ob_ce_title_3/280-2552587-2760640
    And I have 30 quid change for a few beers

  9. sam Says:

    Simon,

    If you are distributing an XLA you don’t have to bother either protecting it or signing it… It can be hacked and tampered with anyway.

    If you are distributing a COM, XLL, XLAM (protected) then again you don’t have to bother signing it because it can’t be hacked (at least I haven’t heard of anyone claiming to do it…) So it depends on what you are distributing….

    ASAP is now partial XLA + COM…so there is a some risk…
    Bastien …change it to pure COM and then there is nothing to worry about….except for the 97 version…

  10. Simon Says:

    Sam
    You can still do COM in xl97. You just need a bunch of VBA wrappers that call out to the dll.

    I have a VBA obfuscator to slow them down. There is an open source one called invisible VB or something.

    If someone messes with signed code then it loses its sig. Then you can rightfully claim it’s not from you.

  11. Bob Phillips Says:

    Nothing escapes you does it Simon? I am happy to say that was me giving that slap. To my disgust it was an ’eminent’ member of our Excel community suggesting the hacking.

  12. Rob Bruce Says:

    Heard you the first time ;-)

  13. Bastien Says:

    Hello Sam,

    I have first tried to create a COM only add-in of ASAP Utilities. However I then soon ran into a few problems/limitations.
    Unfortunately a COM add-in cannot do everything a normal XLA can do. I don’t remember it exactly but UDFs in a COM add-in are not available in Excel 2000. Furthermore you cannot use shortcut keys to call a macro from a COM add-in, and the Workbooks.OpenText command works differently when called from a COM add-in in Excel 2000 than when called directly from Excel via an XLA.
    About hacking, if there is enough to gain and the right amount of resources I guess anything can be hacked. But I think the people with the right skills or amount of money to do this would focus on things such as financial system etc, leaving our Excel products alone.

    @Bob, thank you!

  14. Simon Says:

    Rob
    I wondered what you were on about, now I see – I only tried to change Ssm to Sam and it’s all gone horribly wrong!

  15. Simon Says:

    Bob I did put your name in at first, then I thought best leave it to you to choose.
    I was a bit surprised by the NG, I should have backed you up.

  16. Harald Staff Says:

    I once encountered severe problems with a signed file that suddenly refused to load, just like the screenshot, except it was Excel 2003 and said “this can only be caused by a virus”.
    Now this was 50 minutes before a live broadcast where my code was depended on (scoreboard logic for the national Eurovision Song Contest final). I re-coded the last unsigned version those 50 minutes, made it work, and promised myself: I Will Never Sign Anything Again.

    I later found the possible cause of corruption: having two versions of Excel running simultaneously (2000 and 2003) with one of them saving a signed file. The damage was incredible.

  17. Rob Bruce Says:

    Harald, it was nothing to do with Excel, it was karma. The Eurovision Song Contest is the work of the dark side.

  18. Simon Says:

    Harald – I bet you are glad you checked!

  19. Tomás Says:

    The subject of certificate expiry is confusing because many people think that once a digital signature is placed in a document or on a binary the signature should be good forever. This is because people draw a parallel between a physical signature and a digital signature. What is forgotten is that a physical signature is subject to forgery and lacks any strong legal standing unless it has been notarized by a third party. This notarization provides attestation of the identity of the signing party and of the time and date the signature was applied.
    The date that a binary is signed as reflected in the binary is not trustworthy because the signing time was pulled from an untrusted time source such as a PC clock. As everyone is aware, PC clocks can be manipulated. Even if the PC time is synchronized with the Naval Observatory clock, how does the signer attest to the fact that the time of signing was indeed provided from an accurate time source? Accuracy does not equate to trustworthiness.
    Office and Windows are correctly flagging the code signature as invalid because the certificate associated with the signature has expired. It is the intent of those who design standards for certificate schemas that a certificate has an absolute lifetime to support both legal and business requirements.
    This is true for digital signatures for documents as well as code signing certificates. The lifetime of a code signing certificate is normally from 1 – 3 years depending on the certificate lifetime purchased by the developer.
    The only way to ensure that an expired certificate and its associated signature don’t get flagged as “bad” is to have the code signature notarized (signed) by a certified time stamping server. Most certificate vendors have this requirement called out on their code signing product page under FAQ. GoDaddy and most sellers of code signing certificates have also supplied step by step instructions on how to properly sign code for use on the Microsoft platforms. There are similar ceremonies for other platforms.

    For example please read:
    http://help.godaddy.com/article/4778 describes the Authenticode signing ceremony with the use of a time stamp authority.
    Because Microsoft Authenticode supports time stamped signatures, any code signed using the time stamping signing ceremony will be considered valid even if the certificate associated with the signature has expired.
    The goal of signing a binary is to establish a trust relationship between the vendor of the binary and the user of the binary. This way the user can trust that the software they are installing came from a publisher that they trust and that the binary they are installing has not been modified by any untrusted third party.
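The ceremony Tomás describes, and the “timebomb” Simon hit, can be checked from PowerShell on the binary half of an add-in (an XLL or COM DLL). The following is an added example, not code from the post, its commenters or any vendor’s instructions; the file path and the timestamp server URL are placeholders, and it assumes one code-signing certificate is installed in the current user’s store. It signs with a timestamp countersignature and then reports whether a file carries one, since a signature with a signer cert but no timestamper is exactly the one that will stop verifying when the cert expires.

```powershell
# Added example (not from the post or its comments). Two halves of the ceremony
# Tomás describes: sign with a timestamp server, then inspect what a verifier sees.
# $target and $tsaUrl are placeholders to replace with your own values.

$target = 'C:\build\MyAddin.xll'               # placeholder: XLL/DLL/EXE to sign
$tsaUrl = 'http://timestamp.example.invalid'   # placeholder: use the TSA your CA documents

# Pick a code-signing certificate from the user's store (assumes exactly one;
# filter on Subject or Thumbprint if you have several).
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }

# The timestamp countersignature is what lets the signature outlive the certificate:
# the verifier then checks that the cert was valid at the attested signing time,
# not at the moment the file is loaded.
Set-AuthenticodeSignature -FilePath $target -Certificate $cert `
    -TimestampServer $tsaUrl -HashAlgorithm SHA256 | Out-Null

function Get-SignatureReport {
    # Summarise the Authenticode signature on a file so that "signed but not
    # timestamped" is visible before the file is shipped.
    param([Parameter(Mandatory)][string]$Path)

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate
    $tsa    = $sig.TimeStamperCertificate

    [pscustomobject]@{
        File          = $Path
        Status        = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer        = if ($signer) { $signer.Subject }  else { $null }
        SignerExpires = if ($signer) { $signer.NotAfter } else { $null }
        Timestamped   = [bool]$tsa
        Timestamper   = if ($tsa)    { $tsa.Subject }     else { $null }
        # The case this thread is about: signed, but nothing attests when it was
        # signed, so verification fails as soon as SignerExpires passes.
        WillTimebomb  = ([bool]$signer) -and (-not $tsa)
    }
}

Get-SignatureReport -Path $target | Format-List
```

Get-SignatureReport can also be run on its own against a file you have been sent, to see whether a “Valid” status today is backed by a timestamper certificate or will lapse with the signer’s cert. It covers the Authenticode signature on a binary; the VBA project signature inside an .xla is a separate signature applied from the VBE Tools menu, so an .xla still needs checking from inside Excel.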

  20. Simon Says:

    Hi Tomas
    I’m pretty comfortable with code signing in theory and practice. What I don’t understand, and the point of this post, was how come Office treats a signed and expired piece of code as less trustworthy than a completely unsigned one? That seems odd to me. And it is a big negative to code signing, unlikely to encourage uptake.

  21. jonpeltier Says:

    “how come office treats a signed and expired piece of code as less trustworthy than a completely unsigned one?”

    Excellent question.

  22. Joel Says:

    I have another observation here: if you sign a file and the signature expires, then remove that signature, save the file with a new name and add a new (valid) certificate, you still get the signature expired warning. The only way I have found to fix this is to copy your work into a new workbook and sign again. Very frustrating.
