Knowledge Base

Digital Signatures

About digital signatures | How to check a digital signature | How to get a certificate | In summary | How Tarma Installer creates digital signatures | For further information

Digital signatures are used to verify the integrity and authenticity of digital messages, including software such as Setup packages. Assuming that the recipient has the means and the know-how, no modification to the message goes undetected and the recipient also knows who signed the message. This is why digital signatures are so important in the world of electronic software distribution.

Actually using digital signatures, either as a signer or as a recipient, takes some effort. It is up to you to decide whether the result is worth the trouble. If you decide that you do want to use digital signatures for your Setup packages, then Tarma Installer tries hard to make that as painless as possible – refer to Digitally Signing the Setup Package to see how. Meanwhile, the following information might help you to come to grips with the concept of digital signatures. Be sure to check the references in For further information as well – ours is not the final word on digital signatures.

About digital signatures

As mentioned above, digital signatures are used as integrity checks and to identify the person or organization who signed the message. Whether or not the signer is the same entity as the author of the message is a different matter, which we'll leave out of consideration here.

In theory, a digitally signed electronic message (or software package) cannot be modified without the recipient noticing, although the nature of the change is generally not known. By the same theory, the signer of the message cannot deny that he signed the message, or if he does, the recipient can prove otherwise.

In practice, things are not quite so simple and clear-cut.

  1. First and foremost, many recipients do not bother or know how to check digitally signed software. The Tarma Installer distribution is digitally signed by Tarma Software Research – did you check our signature before installing Tarma Installer on your computer? If a recipient doesn't check the signature, then it might as well not have been there in the first place. Fortunately, recent web browsers automatically check for the presence of a digital signature if you try to download and run a program from the Internet, which is a good first line of defense. However, Windows itself does not, so once the software is on your computer it is implicitly trusted and no one will check the signature if you don't.
  2. Second, even if the recipient did remember to check the signature and even if it appears to be good, how do you know that the signer of the message or software package is really the person or organization that he claims to be? This depends on the information in the signature certificate (see step 6 in the procedure above), which in turn is signed by yet another party to vouch for that information. Clearly, this introduces a chicken-and-egg problem, which in practice is resolved by having a limited number of implicitly trusted Certification Authorities (CA) at the top of the signature chain. Their certificates are not countersigned, but are distributed in a (presumably) secure way and are for all practical purposes "built into the system".
  3. Third, a digital signature, even if deemed "OK", is no guarantee the the message or software package won't harm your computer. Even bonafide developers can make mistakes, but worse still, an unscrupulous person can fairly easily create his own certificate and use it to sign some piece of malicious software. Although the certificate will probably not be countersigned by a trusted Certification Authority, chances are that a good number of recipients will fall for the ruse and assume that everything is OK if the signature is – what do they know or care about Certification Authorities and other intricacies of digital signatures after all?

How to check a digital signature

Here is how to check the Tarma Installer distribution signature.

  1. In Windows Explorer, navigate to the Tarma Installer distribution package. That is not the Tin.exe file or any of the other files in the Tarma Installer program folder; it's the tin3.exe file that you downloaded from our web site.
  2. Select the file, then press Alt+Enter to open its Properties dialog.
  3. Click on the tab Digital Signatures, then see if Tarma Software Research Pty Ltd appears in the Signature list (it should be the only name in the list).
  4. Select our name, then click the Details button to open the Digital Signature Details dialog.
  5. Underneath the heading Digital Signature Information, it should say: This digital signature is OK. If it does not, someone has tampered with the file, or it has become damaged at some point between leaving our development system and arriving on your computer, or even while sitting on your computer.
  6. If you are curious, click the View Certificate button for further details.

Note: If you followed the above procedure but did not see a Digital Signatures tab, then either someone removed the signature from our distribution file, or your version of Windows doesn't have the required security updates installed. In either case, you're none the wiser.

How to get a certificate

To attach a digital signature to an electronic message or software package, you need an electronic certificate that confirms who you are, plus a few other things. Tarma Software Research obtained its certificate from Thawte Consulting CC, a Certification Authority with its headquarters in South Africa. They in turn verified our business credentials and identity, then generated and signed a certificate for us. Because Thawte is a top-level CA, their root certificate is distributed with Windows and Windows updates, which in turn allows you to double-check everything. That is, if you remember to...

If you just need a certificate for testing or gaining experience with digital signatures, you can generate your own certificates with tools that Microsoft provides. They are not countersigned and should not be used for software publishing, but can serve for in-house experiments. See For further information below for the details.

In summary

Digital signatures do not solve any major software problems and introduce a few of their own. Whether or not you want to use them, is up to you to decide, or maybe the organization you work for doesn't leave you any choice in the matter. In any case, Tarma Software Research signs its public software distributions on the ground that it probably will increase customer confidence. And to make our own life a bit easier, we have added digital signature support to Tarma Installer – now all we have to remember is our private key password...

How Tarma Installer creates digital signatures

Tarma Installer relies on a number of Microsoft tools to sign your Setup package. Specifically, it runs the SignCode program to do the actual signing. SignCode in turn requires the presence of several security libraries on your computer, which are distributed with recent versions of Windows. For older versions, the security libraries are often installed with Internet Explorer updates. However, the details are a bit messy and tend to change over time; see For further information for web addresses that should give you up to date information.

Assuming that SignCode is present on your computer, Tarma Installer runs it as part of the project build process or upon request. Manual use of SignCode is fairly involved, so Tarma Installer tries to make things easier by feeding it the information it needs without your explicit involvement. The only point at which your input is required, is when SignCode needs your private key password – for security reasons, Tarma Installer never deals with that part of the signing process.

The information that Tarma Installer communicates to SignCode can be subdivided into two broad categories.

The following command line arguments are passed to SignCode:

To sum up then, once you have set the SignCode options in Tarma Installer, the rest is automatic. When SignCode runs, Tarma Installer captures the output messages from SignCode and redirects them to a file called SignCode.log in the configuration's folder. The messages are also sent to the Diagnostic Messages Area and the log file, so they form part of your project's audit trail. Finally, Tarma Installer checks the exit code that SignCode returns, in order to determine if the signing process was successful.

For further information

Microsoft's implementation of digital signatures on Windows is updated regularly. Therefore, your first port of call should be the Microsoft developer's web site if you want to know more about digital signatures under Windows, or need to download their tools. Because their web site also changes with some regularity, your best bet is to use Microsoft's or other web search facilities to locate the information that you are after.

Go to http://msdn.microsoft.com or use an independent web search engine to search for keywords and phrases like:

Authenticode, Code signing, Digital signatures, SignCode, MakeCert

The SignCode tool is one of a number of tools that Microsoft distributes with its Internet Explorer updates and as part of the Platform SDK. Again, use the web search facilities mentioned above for further information. Before you do so, however, it might be worthwhile to let Windows Explorer search your computer for SignCode.exe; you might already have a copy on your computer.

Note: Tarma Installer requires the SignCode version distributed with Internet Explorer 4.0 or later; it won't work with earlier versions.

To obtain a certificate suitable for software publishing, contact a Certification Authority. Again, the easiest method to find one might be to use a web search engine to search for one or more of the following phrases:

Certification Authority, SPC, Software Publishing Certificate

Documentation Home | Using Tarma Workshop | Knowledge Base
Tarma Installer 5 User's Manual - Topic last modified on 2/07/08 15:29
Copyright © 1990-2008 Tarma Software Research. All rights reserved.