Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Should I digitally sign third-party DLLs such as JSON.NET?

I have an application built using a variety of third-party libraries such as JSON.NET.

I would like to ensure that all the DLLs that make up my application are digitally-signed, including the third-party ones. Given that these are not signed by the author, can/should I simply sign the third-party ones myself?

like image 843
Gary McGill Avatar asked Oct 29 '12 14:10

Gary McGill


People also ask

Should dlls be signed?

Signing your dlls makes most sense when you yourself verify those signatures before loading them. This ensures the integrity of all dlls at runtime. It is a recommended secure practice to sign all binaries that you ship and validate their signatures at runtime.

How does assembly signing work?

Each strong-named assembly is digitally signed with a private key corresponding to its public key. This digital signature can be verified by using the public key that is stored in the manifest. You can also further sign an assembly with Authenticode on demand.


2 Answers

Just tried to (unsuccessfully) find an answer to the same question in the Internet.

What I have done as result is checked how Google and Adobe deliver their products and found that every binary in their folders is signed, including third-party ones.

Couple of examples: 1. Google Chrome includes pepflashplayer.dll, which is copyrighted by Adobe, but digitally signed by "Google Inc." 2. Adobe Reader includes icudt40.dll, which is copyrighted by IBM, but digitally signed by "Adobe Systems"

Thus, I would assume the best practice is to sign all the binaries that make up your application, including third-party ones. It makes sense as it helps you to avoid or at least easily detect tampering if it happens on your customer's machine.

like image 142
alexanderb Avatar answered Nov 05 '22 13:11

alexanderb


Are you talking about strong-naming or about authenticode signatures? The problem with the latter ones is when the authenticode-signed assembly is loaded, .NET validates the certificate and in some configurations (eg. when OCSP needs to be checked and it's not reachable) this can take dozens of seconds. We had to stop signing our assemblies with authenticode and X.509 certificates due to this.

Another drawback is that if the signed assembly is used by malware in some way, some not competent wanna-be-specialists in antivirus companies can (a) mark the assembly as a malware and (b) what is worse, complain to Certificate Authority which issued your code signing certificate, and the certificate will be revoked.

.NET strong-naming (with a keypair without certificate) is more or less your private business.

Update: Authenticode is usually applied to PE format files (EXE and DLL), SYS and CAB. strong-naming is pure .NET technique.

The warning message talks about Authenticode signature. Signing the installer is necessary (that's for sure) and is enough to get rid of the message unless system policies are set to allow only running of signed applications (in which case your application's EXE must be signed as well).

like image 43
Eugene Mayevski 'Callback Avatar answered Nov 05 '22 14:11

Eugene Mayevski 'Callback