What real use is code signing?

All code signing seems to do is result in virus tools deciding your app is ‘safe’ and enable certain vendors to get ‘money for nothing’ (to quote the song).

What is to stop me establishing an office &c in order to get a signature for my virus?

Better still, I establish an office, write a neat app and put a virus in it that doesn’t activate until a fixed date a year in the future, just how will a certificate prevent my move for world domination?

I presume the certificate could be revoked, but wouldn’t my dastardly plan already have achieved global domination?

Don’t certificates simply create a potentially false sense of security?

Code signing ensures that authenticity and integrity can be verified upon installation and execution.

It doesn’t stop antivirus software from scanning it - far from it. I’ve been signing my products since around 2005 and still get the odd false positive from antivirus software.

Getting a certificate is next to impossible if you don’t have a registered business (which is a problem for open source software) - and if a person is willing to set up a company in order to try and make it easier to deliver their virus - well, I hope they enjoy their last few days of freedom while law enforcement follows the bread crumbs :smirk:

https://en.wikipedia.org/wiki/Security_theater

  1. It’s not necessarily true: I had false positives with my signed EXEs. The only true positive effect is that when Windows gives the user a prompt, it looks a lot less scary if the EXE is signed. But with SmartScreen, for instance, it could still block it completely (and silently too), i.e.: the user double-clicks on your (signed) EXE and nothing eventuates – no prompt, no nothing. So it’s still not a perfect solution.
  2. What you are saying is true, but a) it’s like showing your driver’s license to the bank manager when you are robbing a bank, which will probably not pay off in the long run, plus b) certificates can be quickly revoked and then these signed EXEs will be blacklisted (worse than unsigned).

But yes, overall, like most security measures, it’s not bulletproof.

Regards,

Alexander Pastuhov
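
The two replies above make three distinct claims about what a signature does: it lets a verifier check authenticity and integrity at install or run time, it says nothing about whether the code is malicious (the "time bomb" case from the question), and revocation is the lever that turns a signed EXE from trusted into blacklisted. The Go program below, added here as an illustration and not code from any poster or from a real signing tool, walks through exactly those three cases with the standard library's x509 package. The root CA ("Example Root CA"), the publisher ("Dastardly Software Ltd"), the serial numbers and the byte string standing in for an executable are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict is all a verifier learns from a signature; nothing in it describes what the code does.
type Verdict struct {
	Publisher   string // leaf Subject CN; only meaningful when ChainOK
	ChainOK     bool   // leaf chains to the trusted root and is valid for code signing
	SignatureOK bool   // signature matches SHA-256 of the artifact bytes
	Revoked     bool   // leaf serial appears on a CRL signed by the root
}

// must aborts the demo on setup errors (key generation, DER encoding).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate from tmpl signed by parent; self-signed when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Sign signs the SHA-256 digest of the artifact; the signer never inspects the bytes.
func Sign(key *ecdsa.PrivateKey, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
}

// Revoke has the root publish a CRL naming the leaf's serial number.
func Revoke(root *x509.Certificate, rootKey *ecdsa.PrivateKey, leaf *x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: time.Now()}},
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, root, rootKey))
	return must(x509.ParseRevocationList(der))
}

// Verify performs the checks an installer or loader would; crl may be nil.
func Verify(root, leaf *x509.Certificate, crl *x509.RevocationList, artifact, sig []byte) Verdict {
	v := Verdict{Publisher: leaf.Subject.CommonName}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	v.ChainOK = err == nil
	digest := sha256.Sum256(artifact)
	v.SignatureOK = ecdsa.VerifyASN1(leaf.PublicKey.(*ecdsa.PublicKey), digest[:], sig)
	if crl != nil && crl.CheckSignatureFrom(root) == nil { // only honour a CRL the root signed
		for _, rc := range crl.RevokedCertificates {
			v.Revoked = v.Revoked || rc.SerialNumber.Cmp(leaf.SerialNumber) == 0
		}
	}
	return v
}

// Scenario returns verdicts for: the genuine signed build, a copy tampered after signing,
// and the genuine build after the signer's certificate is revoked.
func Scenario() [3]Verdict {
	root, rootKey := issue(&x509.Certificate{ // hypothetical root standing in for a commercial CA
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	leaf, leafKey := issue(&x509.Certificate{ // hypothetical publisher who "set up an office"
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Dastardly Software Ltd"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, root, rootKey)
	// Constructed stand-in for an EXE with a dormant payload; signing sees only bytes, not behaviour.
	build := []byte("MZ neat-app 1.0 ... if today >= 2027-01-01 { take over world }")
	sig := Sign(leafKey, build)
	tampered := append([]byte(nil), build...)
	tampered[len(tampered)-1] ^= 1 // one bit flipped after signing
	return [3]Verdict{
		Verify(root, leaf, nil, build, sig),
		Verify(root, leaf, nil, tampered, sig),
		Verify(root, leaf, Revoke(root, rootKey, leaf), build, sig), // signature still valid, signer no longer trusted
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Run it with `go run .` and compare the three verdicts. The first is fully green even though the "build" carries a dated payload, which is the point of the question: the CA vouched for a name, not for behaviour. The second fails only the signature check, because one byte changed after signing. The third still has a mathematically valid signature, and it is the CRL, signed by the same root, that flips it to rejected; a verifier that skips the revocation check (or accepts a CRL without checking who signed it) keeps trusting the revoked publisher.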

@ap2021 Please remove your mobile number from your email signature - this is a public forum visible to anyone in the world - we are trying to avoid sharing personal information that might make you open to scams etc - this includes mobile numbers and email addresses.

You don’t need a signature for your posts - we can all see who the message is from.

Very true.

Regards,

Alexander Pastuhov