Signing Windows aescrypt.exe

[s.sec]

Hi, any plans to sign aescrypt.exe for Windows with a certificate? This would ensure that the file we are using is the correct file and also let us run the program when policy to only run signed files is in place. thanks!

[paulej]

We have no plans. It's an open source package with no revenue to support it. So buying a cert every year does not make financial sense.

I am personally not a fan of the current system for certificates, either. I suppose they are useful to thwart the inexperienced hacker, but they absolutely will not stop a government entity or an experienced hacker from manipulating the binary. Thus, to some extent, they provide a false sense of security. Granted, better than nothing, but still not truly secure.

People have also requested digest information for the binaries. That would be better, but only if there was a secure way of ensuring the values were not manipulated. I'm thinking there is no perfect way to do that, but perhaps putting the hash values on different sites on the internet might help.

[s.sec]

Hi, on many servers there's the restriction to only run signed software.... signing is probably not perfect but at least you know where the software is coming from, it's better than nothing I think

[paulej]

Code certificates are a pain. I agree it's better than nothing, but not better than me proving an OpenPGP signed message with the SHA-1 hash of the valid file.

In any case, I might consider this again in the future, but there's simply little reason to rebuild the code just to sign it. (And to waste my time on those darn code signing certs.)

I know I sound a bit cranky, but I've not had a good day. That, and I hate certificates in general and code-signing certificates even more.