Skip to main content
Topic: foobar 1.3.10 Invalid Signature (Read 10361 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

Re: foobar 1.3.10 Invalid Signature

Reply #25
A couple comments;
Security vendors do not blindly trust any certificate, or certificate issuers, the reputation of the certificate owner and certificate issuers are considered, e.g. use of certs in signing malware, PUA, adware, etc., be this via direct use, other certs issued by the issuing authority, or stolen certs.

I could not verify the cert as the current download is not signed, but from the screenshot it looks like it was not cross signed with a timestamp authority, this means that the binary would only be valid while the signing cert is valid, typically a year, by cross signing with a timestamp cert, the binary will be valid as long as the timestamp and cert issuer trees are valid, even if the signing cert is no longer valid. It also means it is not properly signed per standard signing guidelines, something security vendors will take into account.

By not signing the binary you are bound to run into trouble every time it is updated.
By signing the installer with a class 3 cert obtained from the trustworthy cert authority, and yes sometimes this means more $$$, and timestamp signing it, and keeping the signing cert safe, you are in much better position.

Seeing people swearing at Msft is fun, but there is a reason people, and security software, distrust unsigned or improperly signed binaries.
If you are not going to try and sign again, please publish hashes so the binary's integrity can be verified.

My 2c's :)

Re: foobar 1.3.10 Invalid Signature

Reply #26
I could not verify the cert as the current download is not signed
You can download the signed version from http://filehippo.com/ if you want to check the cert.

If you are not going to try and sign again, please publish hashes so the binary's integrity can be verified.
+1

As i said before as well, MD5/SHA hashes or PGP signature if you're really not going to bother signing new binaries from now on is a must.

Re: foobar 1.3.10 Invalid Signature

Reply #27
I have advised Peter of Keybase and PGP, and should be able to walk him through signing his downloads, maybe.


Re: foobar 1.3.10 Invalid Signature

Reply #29
Hi! Thank you for developing such a awesome software!MS always make some mistakes,and it's sensible to throw sign!
Surely,we trust you and we like the software.
But we don't know if it has been modified when we download the installer.
Use some tech(such as DCM horse system use by China government), hackers can trade the installer with a fake one.
So I advice you to leave a sha256-checksum on the website alone with the installer.

Re: foobar 1.3.10 Invalid Signature

Reply #30
My official response.

I presume that SmartScreen will shut the hell up after enough downloads of an unsigned binary.

Even the tool I used to remove signature from the installer did not trip SmartScreen, even though it had no signature and certainly gets downloaded less.
Hi Peter, would you mind providing some SHA-2 checksum of the installation package on the download page? Because in some area it may be attacked by the government or the ISP while downloading.

Re: foobar 1.3.10 Invalid Signature

Reply #31
Wouldn't these same parties be able to alter the displayed checksum on the page?

Re: foobar 1.3.10 Invalid Signature

Reply #32
There's also the idea of GPG signing the binaries and including the signature files for download. But who do you trust to verify that Peter produced the signatures you downloaded? Do you get them from the GPG repository? Keybase? And what's to stop your state actors from altering what you get from those signature authorities?

Re: foobar 1.3.10 Invalid Signature

Reply #33
Agree with prt727 - looking at the 1.3.10 installer EXE it's missing two things:

  • Intermediate (and root) certs are using SHA1 signature - needs SHA256 for the whole chain (or at least leaf + intermediate, minimum).
  • Needs the signature validated by a timestamp server.

Ditch StartCom. The cheapest "real" CA around that provides Authenticode certs is Comodo, and the cheapest provider I've found for their certs is usually GoGetSSL - roughly USD 70 per year for a 3 year cert:

https://www.gogetssl.com/code-signing-certificates/comodo-codesigning-ssl/
https://support.comodo.com/index.php?/Knowledgebase/Article/View/68/0/time-stamping-server

Regards,

Jacob

Re: foobar 1.3.10 Invalid Signature

Reply #34
I'll be losing the ability to sign things starting in February. Unless one or more of you community users wants to contribute the $210 or so to get that 3 year certificate, since my income doesn't leave me room for expenses that large at once, and I already cancelled my credit cards due to lack of ability to manage my debt responsibly.

Re: foobar 1.3.10 Invalid Signature

Reply #35
If you want to round up donations I'm happy to throw in USD 20 to start with. I know it's not much - but I've used foobar2000 on and off for years and think it would be good if you can continue to sign it so we users can trust the source. Hopefully others will feel similarly.

Let know via PM of your details (PayPal preferably) and I'll make a start.

Regards,

Jacob

Re: foobar 1.3.10 Invalid Signature

Reply #36
Peter had PayPal set up for donations years ago but there were some issues. They froze his account and took the money hostage and apparently no one can be contacted to sort things out. So I don't think he'll be very willing to try PayPal again.

Re: foobar 1.3.10 Invalid Signature

Reply #37
Peter had PayPal set up for donations years ago but there were some issues. They froze his account and took the money hostage and apparently no one can be contacted to sort things out. So I don't think he'll be very willing to try PayPal again.
Yea, restoring PayPal account after it has become frozen is nearly impossible. Their position on this is similar to Google, i.e. they won't give you any good explanation why your account was frozen, they won't give your money back, and all your e-mails will be answered by auto-reply bot :\

Regretfully, I don't know any good alternatives to donate (bitcoin? direct b2b transfer? compensate with pizza delivery?).

 
SimplePortal 1.0.0 RC1 © 2008-2018