0

I'd like to incorporate security features in my standalone XULRunner app. Specifically, I'd like to use security certificates to validate the app executable as downloaded by a user. From what I've seen, it's called code signing. But I'm very green in this area. Any pointers on how to proceed? Thanks in advance.

okello
  • Use certificates for what exactly? Validate downloads? Authenticate users? Encrypt messages? Certificates are a tool, not a goal. Your question should state the goal that you are trying to achieve. – Wladimir Palant May 14 '12 at 09:55
  • I've edited the question to make it more specific. From what I've seen, it's code signing, but I'm very green in this area. Any pointers will be appreciated very much. – okello May 14 '12 at 10:09

1 Answer

1

The certificate functionality built into XULRunner isn't meant to validate signatures of Windows executables - you would need to use Windows functions for that (e.g. via js-ctypes). Not going to be simple, however; here you can see how that check works in C++ code.

However, if you are merely downloading an update to your application then maybe using an HTTPS connection would be sufficient - the origin of the executable is verified then (won't help you if that server is hacked however).

Wladimir Palant
  • Thanks a lot, Palant. I'll try this out and report my findings here. – okello May 14 '12 at 11:02
  • This has been very helpful in helping me understand the process. After several attempts and not getting this right, I realized that code signing functionality is included in InstallShield, the utility I'm using to package the application. Along with this article at http://www.installationdeveloper.com/286/using-code-signing-certificates-in-installshield-part-1/, I was able to pull it off. – okello May 14 '12 at 11:49
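
Once the installer is signed, the signature on a downloaded copy can be checked on Windows with PowerShell's `Get-AuthenticodeSignature` cmdlet. The following is an added example, not code from the answer or the linked article; the function name `Test-DownloadSignature`, the file name `MyAppSetup.exe` and the thumbprint value are placeholders. Pinning the publisher's certificate keeps the check independent of the download server, the case the answer notes HTTPS alone does not cover.

```powershell
# Added example: verify the Authenticode signature of a downloaded installer
# and confirm it was signed with the expected publisher certificate.
function Test-DownloadSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Thumbprint of the publisher's code-signing certificate (supplied by the caller).
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Valid means the file hash matches the signed hash and the chain is trusted.
    # Other states include NotSigned, HashMismatch and NotTrusted.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
        return $false
    }

    # A valid signature from any trusted publisher is not enough: pin the signer.
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
    if ($sig.SignerCertificate.Thumbprint -ne $expected) {
        Write-Warning "Signed by unexpected certificate: $($sig.SignerCertificate.Subject)"
        return $false
    }

    # Without a timestamp the signature stops validating once the certificate expires.
    if ($null -eq $sig.TimeStamperCertificate) {
        Write-Warning 'Signature carries no timestamp.'
    }

    return $true
}

# Placeholder file name and thumbprint; replace with real values.
Test-DownloadSignature -Path '.\MyAppSetup.exe' -ExpectedThumbprint '<PUBLISHER-CERT-THUMBPRINT>'
```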