I'd like to better understand the concept of digital signatures with regard to software installers and updates. How exactly does it work? How would I know if a product has been digitally signed by the vendor? I have heard that if the installer is tampered with then the signature won't apply. Is this true? If so, what are the signs to look out for? Also, is it possible for malware writers to spoof a digital signature? If so, what are the different ways in which this can be done? For example, can they spoof the exact signature? Or something close, like, hypothetically, the signer is Avira inc, but the malware writers use Avira Ltd instead. Can anyone explain how I can use digital signatures to confirm the authenticity of software, and what are some of the potential pitfalls? Thanks.
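The two cases the question raises, a tampered installer and a lookalike signer name, shown as an added example that is not part of the original post. It assumes toy textbook RSA with constructed keys, file bytes and publisher names, and a pinned name-to-key table standing in for the certificate chain check a real verifier performs.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Toy textbook-RSA key from two primes; returns (n, d). Not for real use."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    # SHA-256 of the file, reduced mod n because the toy modulus is short.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, signer, n, d):
    """Signature block: claimed signer name, public modulus, signature."""
    return {"signer": signer, "n": n, "sig": pow(digest(data, n), d, n)}

def verify(data, block, trusted):
    """trusted maps an exact publisher name to its pinned public modulus."""
    if pow(block["sig"], E, block["n"]) != digest(data, block["n"]):
        return "INVALID: file does not match the signature"
    if trusted.get(block["signer"]) != block["n"]:
        return "UNTRUSTED: signature is valid, but the signer is not the pinned publisher"
    return "OK"

# Constructed keys (Mersenne primes, toy sizes) and constructed file contents.
VENDOR_N, VENDOR_D = make_key(2**127 - 1, 2**89 - 1)
OTHER_N, OTHER_D = make_key(2**107 - 1, 2**61 - 1)
TRUSTED = {"Example Vendor Inc": VENDOR_N}

INSTALLER = b"MZ...constructed installer bytes..."
GOOD = sign(INSTALLER, "Example Vendor Inc", VENDOR_N, VENDOR_D)
LOOKALIKE = sign(b"other program", "Example Vendor Ltd", OTHER_N, OTHER_D)

if __name__ == "__main__":
    print(verify(INSTALLER, GOOD, TRUSTED))
    print(verify(INSTALLER + b"\x00", GOOD, TRUSTED))
    print(verify(b"other program", LOOKALIKE, TRUSTED))
```

The third case is the pitfall: the lookalike's signature verifies mathematically, so "is it signed?" is the wrong question and "is it signed by exactly the publisher I expect?" is the right one.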