Please help me with a decision. Recently I started thinking about buying an Authenticode certificate and signing all my assemblies in my .NET desktop app and ClickOnce installation. I've read a little bit and suddenly realized that runtime signature verification could seriously slow down app loading time. AFAIK, it should hit the internet multiple times during this process, checking the certificate chain and the revoked certificate list. Am I right? Also, what about closed-down environments at all? So, I'm scratching my head now: do I need all these troubles in exchange for getting my customers sure that this product is really made by my company? Am I missing some point maybe? Should I sign the ClickOnce install only but not my assemblies? As of now, all the assemblies and CO manifests are just strong-named.
Viewed 366 times
1 Answer
2
You should if your users could tolerate the slowness. If you do sign it, you should expect revocation checks for the code signing certificate, the time stamping certificate, and quite possibly certificates that have nothing to do with you. Each of the revocation checks could end in a network timeout. My experience of using a self-signed certificate and a non-commercial timestamping server is that I get random slow program starts that add 10 seconds or more to the start time while the certificate for Windows itself gets and fails a revocation check. Paid-for certificates may work differently, but there is no escaping from the revocation checks and the associated timeouts.

user118708
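To see the cost the answer describes for yourself, the following added C# example (not from the question, the answer, or any project) pulls the signer certificate out of one of your own Authenticode-signed files and times the chain build under three revocation modes. The file path is a placeholder, and the example covers only the signer's chain, not the separate timestamp chain the answer also mentions.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography.X509Certificates;

static class RevocationCheckTiming
{
    // Builds the signer's certificate chain with the given revocation mode and
    // reports how long it took, so the network cost of revocation checking can
    // be measured directly. Note: this validates the signer certificate only;
    // it does not re-hash the file the way WinVerifyTrust does.
    static void TimeChainBuild(X509Certificate2 signer, X509RevocationMode mode)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = mode;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        // Cap each CRL/OCSP fetch; the default allows much longer stalls,
        // which is where the "10 seconds or more" in the answer comes from.
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(5);

        var sw = Stopwatch.StartNew();
        bool ok = chain.Build(signer);
        sw.Stop();

        Console.WriteLine($"{mode}: valid={ok}, elapsed={sw.ElapsedMilliseconds} ms");
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine($"  {status.Status}: {status.StatusInformation.Trim()}");
    }

    static void Main()
    {
        // Placeholder: point this at one of your own signed assemblies or installers.
        const string signedFile = @"C:\path\to\YourApp.exe";

        // Extracts the signer certificate from the file's Authenticode signature.
        var signer = new X509Certificate2(X509Certificate.CreateFromSignedFile(signedFile));
        Console.WriteLine($"Signer: {signer.Subject}");

        // Online: contacts the CRL/OCSP endpoints of every certificate in the chain.
        TimeChainBuild(signer, X509RevocationMode.Online);
        // Offline: uses only locally cached CRLs, so no network round trips.
        TimeChainBuild(signer, X509RevocationMode.Offline);
        // NoCheck: skips revocation entirely, shown only as a timing baseline.
        TimeChainBuild(signer, X509RevocationMode.NoCheck);
    }
}
```

Run it once on a machine with network access and once with it disconnected to see the timeout behaviour the answer warns about; for .NET Framework applications the startup-time part of that cost comes from the CLR generating publisher evidence for signed assemblies, which the documented app.config setting `<generatePublisherEvidence enabled="false"/>` under `<runtime>` turns off (this setting is not mentioned in the answer).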