MegaEPG digital signature

Since version 0.9.10, the MegaEPG package and its executables are digitally signed with the pvr.co.il certificate and timestamped so that their integrity and authenticity can be verified. You are advised to install the certificate and let the operating system verify the signatures of the package and the executables. Follow the instructions on how to install the certificate for Windows Vista or XP/MCE2005. Please use Internet Explorer only! Other browsers won't do the job.

Read the instructions carefully and then click on the certificate link. If installing an unknown CA certificate sounds scary to you, then: a.) Do NOT continue. Never install or run something you don't trust! b.) Read the short MegaEPG certificate and security FAQ.


Windows Vista

1. Run Internet Explorer in "Run as administrator" mode. You must install the certificate as administrator, otherwise the application signature will not be verified! Close Internet Explorer now and reopen the page by right-clicking the Internet Explorer icon and choosing Run as administrator. If you are an advanced user and have turned User Account Control (UAC) off, you may skip this step, but it's better to double-check.
2. Click on the certificate link and choose Open. Click on the Install Certificate button.
3. The certificate wizard will start. Click on Next.

4. Choose Place all certificates in the following store and click on Browse.
5. Select the Show physical stores checkbox. Under Trusted Root Certification Authorities, select Local Computer. Note: if you do not see the "Local Computer" folder, then you are not running Internet Explorer as administrator! Please return to the 1st step.
6. Click "Ok". Ensure once again that the certificate store is Trusted Root Certification Authorities\LocalComputer. Click on Next.
7. Click on Finish.
8. Ensure the displayed certificate's Thumbprint is B54C7B2E AC2EF095 DD1FD2E9 42DCBC17 E7725B17 and click on Yes.

 

Windows XP and MCE 2005

1. Click on the certificate link and choose Open. Click on the Install Certificate button.
2. The certificate wizard will start. Click on Next.
3. Choose Place all certificates in the following store, click on Browse and choose Trusted Root Certification Authorities. Then click on Next.
4. Click on Finish.
5. Ensure the displayed certificate's Thumbprint is B54C7B2E AC2EF095 DD1FD2E9 42DCBC17 E7725B17 and click on Yes.

 

MegaEPG certificate and security FAQ

Q. What happens when I install the certificate?
A. From the moment the certificate is in your system, it will recognize the signature of the MegaEPG application (and any other application signed by the certificate), so you will be able to verify the publisher of the application and its integrity. When you run such an application you will see the publisher name (a link that provides the complete signature/certificate information) as shown below:

Certificate validation when running an application

Q. Isn't that dangerous?
A. Actually it is. By installing the CA certificate (especially if we are talking about the Root Certification Authorities) you decide to trust any software that is signed by the certificate. If you install a certificate from a bad guy, the system will trust his hazardous software and occasionally may let it accomplish bad things.

Q. How do I know that you are not a bad guy?
A. I am not :-). But if you don't trust me, don't install the certificate, that simple! On the other hand, don't overestimate the certificate's security power. You are going to run the MegaEPG setup, aren't you? Like almost every Windows application setup, it'll ask for administrative privileges, and if I was a bad guy, I could do bad things with or without the certificate since you run the software I wrote! Therefore if you don't trust me you must not use the MegaEPG application at all. Don't install or run anything from pvr.co.il and the issue is closed.

Q. Okay, I trust your certificate now. Are there other security risks I am not aware of?
A. Certificates do not create backdoors, nor do they give programs "carte blanche" to do everything. Certificates are not a panacea; they were not designed to be perfect guardians. They just tell you who (probably) the software comes from. Risk considerations and decisions are always yours. I don't believe that an additional certificate authority increases the risk, except in the case where it is abused or its private key has been accidentally stolen. But then it can be removed from the computer or revoked. The point is to always know what you are doing and what you are running regardless of the signature on the software.

Q. Why not buy a certificate from a known certification authority?
A. Because it's too expensive. A code signing certificate would cost more than $100 and the price can reach $300 for a certificate from a leading certification authority. That is obviously unacceptable for a small freeware project. Besides, nobody guarantees that only good guys can purchase a certificate :-).

Q. Can I use the MegaEPG without installing the certificate?
A. It depends. The functionality of the MegaEPG does not depend on certificates. In Windows XP and MCE 2005 it will work; in Windows Vista 64-bit all services must be signed and that could be a problem. The question here is WHY not use this comfortable and standard way to assure you are running exactly the package I produced, that it wasn't broken while downloading, repackaged by a friend or changed intentionally? Installing the certificate will take less time than one MD5 checksum verification and will serve you for all further releases.
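
The thumbprint check from the install steps and the signature verification described in the FAQ can also be done from a PowerShell prompt. This is an added example, not part of the original MegaEPG instructions; the two file paths are hypothetical placeholders, and it assumes PowerShell 3.0 or later.

```powershell
# Added example; file paths are hypothetical placeholders.
$Expected  = 'B54C7B2E AC2EF095 DD1FD2E9 42DCBC17 E7725B17'  # thumbprint from the install steps
$CertPath  = 'C:\Temp\megaepg-ca.cer'      # hypothetical: the downloaded certificate file
$SetupPath = 'C:\Temp\MegaEPG-setup.exe'   # hypothetical: the downloaded package

function Get-CleanThumbprint([string]$Value) {
    # Keep hex digits only: drops spaces and invisible characters copied from a dialog
    ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}
$want = Get-CleanThumbprint $Expected

# 1. Before importing: does the downloaded file carry the published thumbprint?
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
if ((Get-CleanThumbprint $cert.Thumbprint) -ne $want) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint). Do not install it."
}

# 2. After importing (run again then): which root store did the certificate land in?
#    The current-user view also shows machine-wide roots, so only "user but not machine" is a problem.
$inMachine = Test-Path "Cert:\LocalMachine\Root\$want"
$inUser    = Test-Path "Cert:\CurrentUser\Root\$want"
if (-not $inMachine -and $inUser) {
    Write-Warning 'Certificate is only in the current user store; repeat the import as administrator.'
}

# 3. Verify the package signature and confirm its chain ends at the expected certificate.
#    Status is Valid only when the file is unmodified and the chain ends in a trusted root.
$sig = Get-AuthenticodeSignature -FilePath $SetupPath
$rootThumb = $null
if ($sig.SignerCertificate) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($sig.SignerCertificate)
    # Last chain element is the root (or the signer itself if it is self-signed)
    $rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
}

[pscustomobject]@{
    File                 = $SetupPath
    Status               = $sig.Status
    Signer               = $sig.SignerCertificate.Subject
    Timestamped          = [bool]$sig.TimeStamperCertificate
    ChainsToExpectedRoot = ($rootThumb -eq $want)
    RootInMachineStore   = $inMachine
}
```

A Valid status together with ChainsToExpectedRoot = True means the file is unmodified and was signed under the certificate whose thumbprint is listed in the install steps, not merely under some root the machine happens to trust.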