digitally sign all avast executables

[brantgurga]

Since the 64-bit drivers need to be signed to run in Vista so you already have a code signing certificate, it seems like it would make sense to sign all of the avast! executables with it which is not currently the case.

[Vlk]

All avast exe files are digitally signed. What makes you think they're not?

[brantgurga]

You seem to be right on the alwil-supplied executables. There are a few that aren't that may be from library providers. The alwil-supplied DLLs aren't digitally signed and DLLs are signable.

[Vlk]

I know, avast DLLs are not currently signed. The original plan was to sign all files but this turned out very impractical for our daily builds as the bloody signing tools actually take VERY long, making the whole build process much slower (the problem is related with the Verisign time server - which is probably overwhelmed with requests and its response times are sometimes ridiculously long).

We may revisit this strategy for the new version (especially for "release" builds). For the time being, I'd say EXE file signing is much more important - and that's what we're doing a.t.m.


Cheers
Vlk

[brantgurga]

The release files are the only ones for which signing is important. Even on Vista x64, you can sign the drivers with a testing certificate (that wouldn't need Verisign's timestamping server) and boot Vista into driver testing mode.

I've not done code signing in native world, but the strong naming of .Net assemblies supports a concept of delayed signing where it is kind-of-signed at build time but the full signature process isn't done till release time. There might be an Authenticode parallel to that.

Thanks for letting me know that it is on your mind though.

[kubecj]

On the side note: avast checks itself anyway. So from the 'integrity' point of view, avast sufficiently protects itself.

[mouniernetwork]

If the Verisign time server than perhaps you should change ?
Comodo is Also a a digital signer  authority and plus you would be helping them develop their firewall 
All the funds from their payed product goes to the developement of free products.

Al968

[igor]

I'm not sure if it would be acceptable for Vista driver signing (but I don't really know much about it).

[mouniernetwork]

Maybe that could investigated as it doesn't require much but would be really useful 

Thanks

Al968

[DavidR]

Comodo is Also a a digital signer  authority and plus you would be helping them develop their firewall 
All the funds from their payed product goes to the developement of free products.

One of those free products being an anti-virus program, so I somehow can't see avast contributing funds to develop another AV

[mouniernetwork]

Well Comodo is not a major player in the market for antiviruses right now and if it becomes I am confident that Alwil will outsmart them 
But even if Alwil and Comodo were to become the two top leaders and rivals a lot of good would come out of it, in competition good comes out for the users mostly, just look an Intel and AMD.

Al968

[Lisandro]

Alwil and Comodo were to become the two top leaders

I wish Alwil team does not give up on a firewall project...