UAC complains VLC is unsigned.

When I try to install VLC Players I get a warning that the publisher is unknown. What's the matter with the VLC team? They can't stand behind their software or something? Can someone explain to me why some largely popular programs are not signed?

 

It costs money.

 

Doesn't make sense. VLC Player is huge, one of the biggest out there. On the other hand a tiny video player such as SMPlayer is signed and it looks to be one man team: Ricardo Villalba.

 

I rarely have UAC not throw up a message at me when I install software, no matter how well known it is. It's one of those unfortunate "boy cries wolf" situations that eventually conditions a person to ignore it. Hungry is right though too, I think it's an expensive endeavor to get things signed.

 

The amount of people working on a project doesn't make a project worth more or profitable. Perhaps Ricardo just simply has the cash.

 

I found this was asked on VideoLAN forums some years back in "Code sign the installer", and gets a response:
-https://forum.videolan.org/viewtopic.php?f=7&t=48524&p=154715&hilit=VLC+is+unsigned&sid=174164bb5a8af596eb2330e04ed278e8#p154715-

Imagine the cost of giving away all that free software, and the cost of keeping everything up and running! It's a very successful, non-profit open-source project, and deserves support: https://www.videolan.org/videolan/

Also, don't forget that being 'signed' is no guarantee of anything, necessarily...install the software that works best for you, and you trust (unsigned or otherwise).
"Malware certified trustworthy": https://www.wilderssecurity.com/showthread.php?t=275695&highlight=Installing unsigned software

 

On the other hand, software not digitally signed won't fit that well within a policy that only allows signed programs to be installed.

And, regarding the funding, the same way they got funds for a Windows 8 port recently (-http://www.h-online.com/open/news/item/VLC-successfully-crowd-funds-Windows-8-port-1774358.html), couldn0t they start one to get a certificate for VLC? (Just wondering, that's all.)

 

Exactly what I thought.

 

Yeah, I really think everyone should get signed.

 

They could also self-sign for free, right?

 

My point is that it is ridiculous for such a big software not to be signed. The funding is obviously there.

 

Yes, I agree. We're on the same page. I'd understand a small project, not to be digitally signed, if the developer couldn't afford it, but there's no reason why a big project such as VLC won't digitally sign their software. They have the funding, so they should put good use to it.

 

Probably? (Not sure either.) But, the principle behind a digitally signed software (and websites as well) is trust. But, this trust is not to be put on the developer(s) side, but rather that the CA (certificate authority) did a fine job verifying that who required the certificate are the actual people who required it, and not some bogus people. This way, if something goes bad, you can always travel to the developers country/city and hit them with a bat.

Being open source means nothing when it comes to trust, unless you can audit the code. And, by auditing, I mean you have to have the skills to understand the code.

 

A couple comments/questions-
1. Can anyone verify if other Open Source projects are digitally signed, such as Media Player Classic - Home Cinema?

2. How much does it cost to acquire a digital signature?

I agree with others that a digital signature can add some feeling of security to a download/install. But they can give a false sense of security as well. Is a digital certificate really any more useful than a valid md5 hash check?

 

When certificates are issued to companies, who do you hit with the bat?

WRT code signing certificates, my leaky bucket tells me that they are used for two purposes: 1) a means to verify the source, 2) a means to verify there has been no tampering. The self-signed approach would seem to be less useful for 1 in many cases but remain useful for 2. I'm guessing it wouldn't help with the Unknown Publisher issue though, unless it chained up. Installing arbitrary roots doesn't seem very attractive.

 

Why should it be signed?
You downloaded the file from their site? Good.

You want to go over the top with security - check the md5 sum.
Compare to the one on their site. Identical? Good.
There's your signature.

Mrk

 

Of course, when I meant that we could hit them with a bat, is that if things go bad, and if you have the time and the resources, you can do a legal action against them. But, in theory, this what a certificate is meant for. Not for security, but accountability. In theory, anyway.

Which makes me agree with the following:

 

Really? Checking the hash value means no security, of whatsoever. What kind of assurance do you have that the software isn't malicious or hasn't been tampered? If someone manages to hack the server where its hosted, why wouldn't they change the hash value as well? Security? Not in my book. Just my opinion.

Certificates would be the way to go, provided that Certificate Authorities do what they're suppose to do, which is to do a proper job checking the source (who's requiring the certificate), and also a proper job separating the network where the certificate's system is from the rest of the world. They fail at both (there have been examples in a recent past).

So, regarding open source, if one really wants to go over the top with security, then the best bet is to study the source code and recompile it.

But, reality is a different beast, and many people and companies have a policy of not allowing unsigned software to run. Of course, to digitally sign a software is up to the developer(s), and whether or not to install it, up to the users (home and companies).

 

Yeah, because Certificate Authorities never failed.

 

Because it is plain annoying

 

Not sure if your post is meant as a reply to my previous post, but just in case it is, allow me to say that I never mentioned they haven't failed. It's actually the opposite situation. They have failed. I just mentioned that besides a program being open sourced, certificates are the only way to be sure an application is OK, provided that Certificate Authorities did a fine job investigating who is requesting the certificate. So, I just mentioned what it all should be, in theory.

Hash values do not reassure me one bit when it comes to know whether or not an application is OK to use. An hash value only means the hash is or not the same, but not that the application is OK or not. If nothing else, an hash value is an extra guarantee that all is OK, but not on their own, IMHO.

I'm afraid we simply cannot trust CAs, hashes... We're doomed.

 

Hash is sufficient, because VLC site lists it + the downloaded file, you have a perfect match. And if their site gets hacked and someone replaces the binaries there, they can do a whole of fun stuff, and you'd be none the wiser.

Nothing to do with open source, code or compilation.

Mrk

 

Don't do it then. Download the file, install and move on.
Mrk

 

Exactly. I work for a software company and we don't sign due to the expense. We post checksums, should be good enough for anyone to verify the file was downloaded as we posted it. A signature does not guarantee anything else.

 

Based on my humble experience over the last 16 years of downloading/installing binary files:

download from trusted source = clean file 100% of the time