Should I sign my DLLs?
I have a C++ Windows app. I sign our installer and my executable, but I don't currently sign my DLLs (such as zlib1.dll). It is not a big deal to sign those as well, but can someone explain what the benefit is? For instance, will my program appear any different to AV or firewall software if all its dependencies are signed? Will users get any different warnings?

Waldenses answered 17/1, 2011 at 17:28 Comment(6)
Why not sign them? You've already paid for the certificate, so it only takes another few seconds during the build to sign them. Why skip it? - Groundless
Tim, I'm probably going to do it anyway, I'm mainly just curious about what the effect is. - Waldenses
@Groundless - You not only need to sign them, you need to timestamp them as well. Currently, in 2022-04, signing + timestamping 100 files takes about 70 seconds for us when signtool talks to the DigiCert TSA server. This is very noticeable, though no deal breaker. - Siloum
@MartinBa - "signing" implies timestamping. Not sure why you're commenting on an 11 year old thread... - Groundless
@Groundless - This is S.O. Either the info present is still accurate, in which case it is appropriate to comment on it regardless of age, or the info has become outdated/wrong, in which case it would be accurate to comment on that. As for timestamping: you can find plenty of posts where people were not aware this is necessary. And your "a few seconds" can be minutes depending on how your build is structured. - Siloum
Signing does not imply timestamping. With Microsoft signtool you have to specify the timestamping distinctly. - Hypotaxis
Your program will not appear any different to AV or firewall. They will check for signatures on your executable, which you have already signed. Signing your DLLs makes most sense when you yourself verify those signatures before loading them. This ensures the integrity of all DLLs at runtime. It is a recommended secure practice to sign all binaries that you ship and validate their signatures at runtime. If your DLLs are to be used by other products then you must sign them, as those products will want to verify their authenticity and integrity.

Velamen answered 17/1, 2011 at 17:40 Comment(4)
What about with implicit linking? Is there a way to verify the signature in that setting, or is it necessary to convert all DLL loads into explicit linking (i.e. LoadLibraryEx calls)? - Nefertiti
Great question, Brent. I'd love to know the answer. - Waldenses
I don't think it is possible to verify signatures for implicitly linked DLLs, as the DLLs will be loaded before your code kicks in. However, I do know of one product which explicitly loads the DLLs it implicitly links with just to verify the signature. - Velamen
I should mention that I am talking about native apps only. I have no idea if this is possible in a managed framework. - Velamen
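The answer's advice to sign every shipped binary, and the comment thread's point that a signature without a timestamp expires with the certificate, can be checked before release. The following PowerShell script is an added example, not code from the thread: it walks a build output directory, confirms every DLL and EXE has a valid Authenticode signature, a timestamp countersignature and the expected publisher, and fails the build otherwise. The directory path, publisher name and TSA URL are assumed placeholders. (In the native app itself the equivalent runtime check before an explicit LoadLibraryEx is the WinVerifyTrust API.)

```powershell
# Added example: release-time check that every binary is signed, timestamped and
# from the expected publisher. $ReleaseDir / $ExpectedSubject are assumed values.
function Test-ReleaseSignatures {
    param(
        [Parameter(Mandatory)] [string]   $ReleaseDir,
        [string]   $ExpectedSubject = $null,          # e.g. 'CN=Example Corp'
        [string[]] $Include = @('*.dll', '*.exe')
    )

    $problems = @()
    foreach ($file in Get-ChildItem -Path $ReleaseDir -Recurse -Include $Include -File) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName

        if ($sig.Status -ne 'Valid') {
            # NotSigned, HashMismatch (file modified after signing) or an untrusted chain
            $problems += [pscustomobject]@{
                File = $file.FullName; Issue = "$($sig.Status): $($sig.StatusMessage)" }
        }
        elseif ($null -eq $sig.TimeStamperCertificate) {
            # Signed, but with no TSA countersignature: the signature becomes
            # invalid as soon as the signing certificate expires.
            $problems += [pscustomobject]@{
                File = $file.FullName; Issue = 'Signed but not timestamped' }
        }
        elseif ($ExpectedSubject -and $sig.SignerCertificate.Subject -notlike "*$ExpectedSubject*") {
            # Catches a third-party DLL (e.g. zlib1.dll) that carries someone else's
            # valid signature instead of yours.
            $problems += [pscustomobject]@{
                File = $file.FullName; Issue = "Unexpected signer: $($sig.SignerCertificate.Subject)" }
        }
    }
    return $problems
}

# Usage (assumed paths): list every offending file and fail the build if any exist.
$issues = Test-ReleaseSignatures -ReleaseDir 'C:\build\Release' -ExpectedSubject 'CN=Example Corp'
$issues | Format-Table -AutoSize
if ($issues.Count -gt 0) { exit 1 }

# For reference, the signtool invocation that produces a signed AND timestamped file
# (/tr names an RFC 3161 TSA, /td the digest used for the timestamp; TSA URL is assumed):
#   signtool sign /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 /a "C:\build\Release\zlib1.dll"
```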
