Authenticode Certificate (Code Signing)

[Mac2]

I use ExifTool from my Windows application via standard CreateProcess()... etc. APIs. For many years.
Today my application reported that It cannot determine the ExifTool version because it cannot longer spawn exiftool.exe 

I then tried to run exiftool.exe from Windows Explorer and a Windows Defender popup window informed me that it has blocked the application from an unknown publisher.
I had downloaded this ExifTool version (10.95) several days ago and used it every day since then. So this was a problem that happened out of the blue.

I've also had occasional reports in the past about anti-virus solutions interfering, blocking ExifTool.exe by some of my users.
Hence I have added corresponding checks and messages to tell my users when this happens and what to do about it.

Long story short:

Would it be possible for you (Phil) to sign exiftool.exe (for Windows) with an Authenticode certificate?
I know it's a pain to get one and moderately expensive too. But once you have it, it's just a small step in your build process and then exiftool.exe is from a "known publisher", which reduces the risk of being flagged and blocked or quarantined.

So many big money companies use ExifTool for their business (from Flickr to Google (VirusTotal) to...) it should be possible to find a sponsor who pays for Phil Harvey's personal Authenticode Certificate.

An alternative would be that I sign exiftool.exe with my Authenticode certificate before including it in the installer. I sign all executables and DLLs and the final .MSI file too.
But that would only solve "my" problem, not the general problem.

[Phil Harvey]

If anyone is willing to do this for ExifTool, please step up.

- Phil

Edit: Question: Would it be necessary to purchase a new certificate for each release?  Do the certificates have an expiration date?  If the answer to either of these questions is yes, then I don't think it is worthwhile even trying.

[Mac2]

Hi, Phil

Certificates are purchased for 1 to four years. You can sign any number of applications any number of times with your certificate. A "timestamping" mechanism ensures that your executables remain valid even after your certificate has expired.

I purchase my Authenticode certificate from http://codesigning.ksoftware.net/ (no affiliations, just a satisfied customer). They are helpful and offer very good rates.

Due to all the security problems in recent years, getting a certificate has become more complicated (not so much for U.S. citizens, though).
The certificate authorize will require several documents (phone bill, utility bills etc. ), they will call you at your phone etc. so they know "you are you".
EV (Extended Validation) certificates are even harder to come by (but not needed for normal software, thankfully).

The cost for a four year certificate is about 300US$ so it would be probably wise to find a sponsor. I think Google is a certificate authority now and since they use your product on their VirusTotal website, they may be willing to send you a certificate for free. Or maybe one of the other big companies utilizing ExifTool are willing to step in.

I would be willing to pay a fair share (up to 50US$). If all the folks here who use ExifTool in a commercial application donate some money, you should be able to pay for a certificate easily.

[Phil Harvey]

I didn't know that the VirusTotal web site used ExifTool.  Thanks for pointing this out.  Sort of ironic since various antivirus software apps have problems with ExifTool.

It sounds like a pain to get a certificate.  That you say is certainly true, but it would take effort on my part to raise the $300 and acquire the certificate every four years.  This is the type of thing I really hate doing.  I would rather spend my time writing code.  I assume that the same effort would be required on the Apple side too, which also complains about ExifTool being from an unidentified developer.

Thanks for the information, but for now I think I'll leave ExifTool unsigned.

- Phil

[Mac2]

I didn't know that the VirusTotal web site used ExifTool.  Thanks for pointing this out.  Sort of ironic since various antivirus software apps have problems with ExifTool.

I also just recently noticed this. ExifTool seems to 'drive' a lot of things  .
I'm really grateful that it exists - because it helps me to make sure the user os my software have the best possible quality of metadata in their files. Standard-compliant, clean and compatible with a wide range of applications, platforms and services. This is really important for me.

It sounds like a pain to get a certificate.  That you say is certainly true, but it would take effort on my part to raise the $300 and acquire the certificate every four years.

Yes. The amount of effort depends. Basically after purchasing the certificate the certificate authority sends you an email, asking for some documents which allow them to verify that you are you (utility bill, phone bill). They lookup your landline (!) in whatever standard phone book you have in your country. Then you get a phone cal from a computer or an agent. Then they send you your certificate and you are set for 4 years. All modern build systems for Linux, Windows etc. support signing binaries and installers out of the box.

But there is no way around a certificate today, a least for standard applications or 'apps'.
Most companies no longer allow installations of unsigned software. Browsers complain. Windows displays creepy warnings during installation, virus-checkers complain a lot more.
And of course a certificate also guarantees that the exiftool.exe I have download from somewhere is the original and unmodified software you have published. Fiddling with the executable (malware) will break the certificate. Broken or incomplete downloads will also break the certificate. So the user knows and Windows will inform them about the invalid certificate when they run the installer or executable.

Its probably the same on Apple, I don't have any Apple device so I don't know.
All app stores require certified installers as a rule.
If Linux becomes more popular they will have to setup something similar. For safety. Hopefully something that is secure and free.

Thanks for the information, but for now I think I'll leave ExifTool unsigned.

Your decision, of course.
I will sign the exiftool.exe with my certificate in the future, before I include it in the installer. This should prevent Windows Defender and most AV software from quarantining it.