I have a C++ Windows app. I sign our installer and my executable, but I don't currently sign my DLLs (such as zlib1.dll). It is not a big deal to sign those as well, but can someone explain what the benefit is? For instance, will my program appear any different to AV or firewall software if all its dependencies are signed? Will users get any different warnings?
- Why not sign them? You've already paid for the certificate, so it only takes another few seconds during the build to sign them. Why skip it? – Tim Jan 17 '11 at 17:30
- Tim, I'm probably going to do it anyway; I'm mainly just curious about what the effect is. – twk Jan 17 '11 at 17:33
- @Tim - You not only need to sign them, you need to timestamp them as well. Currently (2022-04) signing + timestamping 100 files takes about 70 seconds for us when signtool talks to the DigiCert TSA server. This is very noticeable, though no deal breaker. – Martin Ba Apr 14 '22 at 17:38
- @MartinBa - "signing" implies timestamping. Not sure why you're commenting on an 11-year-old thread... – Tim Apr 16 '22 at 00:05
- @Tim - This is S.O. Either the info present is still accurate, in which case it is appropriate to comment on it regardless of age, or the info has become outdated/wrong, in which case it would be accurate to comment on *that*. As for timestamping: you can find plenty of posts where people were not aware this is necessary. And your "a few seconds" *can* be minutes depending on how your build is structured. – Martin Ba Apr 18 '22 at 18:06
1 Answer
Your program will not appear any different to AV or firewall software. They will check for signatures on your executable, which you have already signed. Signing your DLLs makes most sense when you yourself verify those signatures before loading them. This ensures the integrity of all DLLs at runtime. It is a recommended secure practice to sign all binaries that you ship and validate their signatures at runtime. If your DLLs are to be used by other products then you must sign them, as those products will want to verify their authenticity and integrity.

– 341008
- What about with implicit linking? Is there a way to verify the signature in that setting, or is it necessary to convert all DLL loads into explicit linking (i.e. LoadLibraryEx calls)? – Brent Arias Jan 17 '11 at 17:43
- I don't think it is possible to verify signatures for implicitly linked DLLs, as the DLLs will be loaded before your code kicks in. However, I do know of one product which explicitly loads the DLLs it implicitly links with just to verify the signature. – 341008 Jan 17 '11 at 17:49
- I should mention that I am talking about native apps only. I have no idea if this is possible in a managed framework. – 341008 Jan 17 '11 at 17:54
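The answer recommends signing every binary you ship, and the comments point out that a signature without a timestamp countersignature stops validating once the signing certificate expires. The following post-build check is an added example, not code from the question or answer: it walks a build output directory and fails the build if any EXE or DLL is unsigned, signed by an unexpected certificate, or signed without a timestamp. The `$BuildDir` path and the `$ExpectedSubject` value are placeholders you would replace with your own.

```powershell
# Added example: post-build Authenticode check for every shipped EXE and DLL.
# Assumes Windows PowerShell 5.1 or later; $BuildDir and $ExpectedSubject are placeholders.
param(
    [string]$BuildDir = "C:\build\output",        # placeholder: your install/staging directory
    [string]$ExpectedSubject = "CN=Example Corp"  # placeholder: subject of your code-signing certificate
)

$problems = @()
$files = Get-ChildItem -Path $BuildDir -Recurse -Include *.exe, *.dll -File

foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName

    # Status is one of: Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
    if ($sig.Status -ne 'Valid') {
        $problems += "{0}: {1} ({2})" -f $f.FullName, $sig.Status, $sig.StatusMessage
        continue
    }

    # A valid signature from the wrong certificate (e.g. a third-party DLL signed by its
    # vendor) is still worth flagging so you know exactly who signed what you ship.
    if ($sig.SignerCertificate.Subject -notlike "$ExpectedSubject*") {
        $problems += "{0}: signed by unexpected subject '{1}'" -f $f.FullName, $sig.SignerCertificate.Subject
    }

    # Signed but not timestamped: the signature becomes invalid once the signing
    # certificate expires, which is the failure mode the comments above describe.
    if ($null -eq $sig.TimeStamperCertificate) {
        $problems += "{0}: valid signature but no timestamp countersignature" -f $f.FullName
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Error $_ }
    exit 1   # fail the build so an unsigned or untimestamped binary never ships
}
Write-Host ("All {0} binaries are signed by the expected certificate and timestamped." -f $files.Count)
```

Run it as the last step of the build after signtool has processed the output directory; for DLLs you redistribute from other vendors, compare against their subject instead of yours rather than exempting them from the check.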