Follow

noob question 

So, signed binaries on Windows... Can/how do you verify them? I mindlessly check them to see that the signer at least superficially matches who I think packaged the program, but looking at the one for Joplin for example it lists Pogopixels Ltd.

About 10 minutes of web sleuthing leads me to believe the signature is probably legit, though the website is a redirect and projects under that name seem abandoned.

If I really cared though, what’s the right way to verify something like that?

re: noob question 

@banjofox @lecramed I think on Windows it is signtool.

signtool verify totally_not_malware.exe

That will determine if it was signed by a cert that is trusted by Microsoft. Microsoft is depending on CAs to verify people/companies are who they say they are. If they don't do that, the CA gets the boot. If the company's cert signs malware, the cert gets the boot.

Sounds like it's as good as you are going to get in this case.

re: noob question 

@lecramed "Trust" is the only thing you can use.

You have to trust that the certificate signer (Microsoft in this case) has your interests at heart, and that they did all the appropriate checks in the first place. The data they provide you outside of the signature is all useless, because you don't have access to the information you need to validate it, as you've found.

Trust is an essential aspect of risk management - you have to extend trust in the real world in order to be able to achieve anything. You have to take risks in order to live. You cannot be 'perfectly safe'.

The trick is to make sure that the payoffs you get from taking risks are worth the potential costs. Otherwise you become bitter and paranoid ...

Sign in to participate in the conversation
hackers.town

A bunch of technomancers in the fediverse. Keep it fairly clean please. This arcology is for all who wash up upon it's digital shore.