UAC complains VLC is unsigned.

Discussion in 'other software & services' started by jo3blac1, Mar 15, 2013.

Thread Status:
Not open for further replies.
  1. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    When I try to install VLC Player I get a warning that the publisher is unknown. What's the matter with the VLC team? They can't stand behind their software or something? Can someone explain to me why some largely popular programs are not signed?
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It costs money.
     
  3. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Doesn't make sense. VLC Player is huge, one of the biggest out there. On the other hand a tiny video player such as SMPlayer is signed and it looks to be a one-man team: Ricardo Villalba.
     
  4. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    I rarely have UAC not throw up a message at me when I install software, no matter how well known it is. It's one of those unfortunate "boy cries wolf" situations that eventually conditions a person to ignore it. Hungry is right though too, I think it's an expensive endeavor to get things signed.
     
  5. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    The number of people working on a project doesn't make a project worth more or profitable. Perhaps Ricardo just simply has the cash.
     
  6. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    I found this was asked on VideoLAN forums some years back in "Code sign the installer", and gets a response:
    -https://forum.videolan.org/viewtopic.php?f=7&t=48524&p=154715&hilit=VLC+is+unsigned&sid=174164bb5a8af596eb2330e04ed278e8#p154715-

    Imagine the cost of giving away all that free software, and the cost of keeping everything up and running! :eek: It's a very successful, non-profit open-source project, and deserves support: https://www.videolan.org/videolan/

    Also, don't forget that being 'signed' is no guarantee of anything, necessarily...install the software that works best for you, and you trust (unsigned or otherwise).
    "Malware certified trustworthy": https://www.wilderssecurity.com/showthread.php?t=275695&highlight=Installing unsigned software
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    On the other hand, software not digitally signed won't fit that well within a policy that only allows signed programs to be installed.

    And, regarding the funding, the same way they got funds for a Windows 8 port recently (-http://www.h-online.com/open/news/item/VLC-successfully-crowd-funds-Windows-8-port-1774358.html), couldn't they start one to get a certificate for VLC? (Just wondering, that's all.)
     
  8. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Exactly what I thought.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yeah, I really think everyone should get signed.
     
  10. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    They could also self-sign for free, right?
     
  11. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    My point is that it is ridiculous for such a big software not to be signed. The funding is obviously there.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, I agree. We're on the same page. :) I'd understand a small project not being digitally signed, if the developer couldn't afford it, but there's no reason why a big project such as VLC won't digitally sign their software. They have the funding, so they should put it to good use. :)
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Probably? (Not sure either.) But, the principle behind digitally signed software (and websites as well) is trust. But, this trust is not to be put on the developer(s) side, but rather that the CA (certificate authority) did a fine job verifying that whoever required the certificate are the actual people who required it, and not some bogus people. This way, if something goes bad, you can always travel to the developers' country/city and hit them with a bat.

    Being open source means nothing when it comes to trust, unless you can audit the code. And, by auditing, I mean you have to have the skills to understand the code. :)
     
  14. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    A couple of comments/questions:
    1. Can anyone verify if other Open Source projects are digitally signed, such as Media Player Classic - Home Cinema?

    2. How much does it cost to acquire a digital signature?

    I agree with others that a digital signature can add some feeling of security to a download/install. But they can give a false sense of security as well. Is a digital certificate really any more useful than a valid md5 hash check?
     
  15. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    When certificates are issued to companies, who do you hit with the bat?

    WRT code signing certificates, my leaky bucket tells me that they are used for two purposes: 1) a means to verify the source, 2) a means to verify there has been no tampering. The self-signed approach would seem to be less useful for 1 in many cases but remain useful for 2. I'm guessing it wouldn't help with the Unknown Publisher issue though, unless it chained up. Installing arbitrary roots doesn't seem very attractive.
     
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Why should it be signed?
    You downloaded the file from their site? Good.

    You want to go over the top with security - check the md5 sum.
    Compare to the one on their site. Identical? Good.
    There's your signature.

    Mrk
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Of course, what I meant by hitting them with a bat is that if things go bad, and if you have the time and the resources, you can take legal action against them. But, in theory, this is what a certificate is meant for. Not for security, but accountability. In theory, anyway.

    Which makes me agree with the following:

     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Really? o_O Checking the hash value means no security whatsoever. What kind of assurance do you have that the software isn't malicious or hasn't been tampered with? If someone manages to hack the server where it's hosted, why wouldn't they change the hash value as well? Security? Not in my book. Just my opinion.

    Certificates would be the way to go, provided that Certificate Authorities do what they're supposed to do, which is to do a proper job checking the source (who's requiring the certificate), and also a proper job separating the network where the certificate's system is from the rest of the world. They fail at both (there have been examples in the recent past).

    So, regarding open source, if one really wants to go over the top with security, then the best bet is to study the source code and recompile it.

    But, reality is a different beast, and many people and companies have a policy of not allowing unsigned software to run. Of course, to digitally sign software is up to the developer(s), and whether or not to install it, up to the users (home and companies).
     
  19. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    Yeah, because Certificate Authorities never failed.
     
  20. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Because it is plain annoying
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Not sure if your post is meant as a reply to my previous post, but just in case it is, allow me to say that I never mentioned they haven't failed. It's actually the opposite situation. They have failed. I just mentioned that besides a program being open sourced, certificates are the only way to be sure an application is OK, provided that Certificate Authorities did a fine job investigating who is requesting the certificate. So, I just mentioned what it all should be, in theory.

    Hash values do not reassure me one bit when it comes to knowing whether or not an application is OK to use. A hash value only means the hash is or is not the same, but not that the application is OK or not. If nothing else, a hash value is an extra guarantee that all is OK, but not on its own, IMHO.

    I'm afraid we simply cannot trust CAs, hashes... We're doomed. :D
     
  22. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hash is sufficient, because the VLC site lists it + the downloaded file, you have a perfect match. And if their site gets hacked and someone replaces the binaries there, they can do a whole lot of fun stuff, and you'd be none the wiser.

    Nothing to do with open source, code or compilation.

    Mrk
     
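    The two checks that posts 15, 18 and 22 are arguing about (a posted checksum for integrity, an Authenticode signature for source) can both be run on a downloaded installer from PowerShell. This is an added example, not code from the thread or from the VLC project; the file path and the expected SHA-256 are placeholders the caller supplies (the hash copied from the vendor's download page), and the function name is my own.

```powershell
# Added example: check a downloaded installer two ways and report what each
# check does and does not prove. Assumes PowerShell 4+ (Get-FileHash).
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,            # placeholder, supplied by caller
        [Parameter(Mandatory)] [string] $ExpectedSha256   # hash copied from the download page
    )

    # 1) Integrity: do the bytes match the checksum the publisher posted?
    #    This only shows the file is what the site currently says it is. If the
    #    site itself were compromised, a matching hash could be posted too
    #    (the objection raised in post 18).
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $hashOk = $actual -ieq $ExpectedSha256

    # 2) Authenticity: is there an Authenticode signature, and does it chain to
    #    a root the machine trusts? 'NotSigned' is the case UAC reports as an
    #    unknown publisher; a self-signed certificate (post 10/15) comes back
    #    as 'NotTrusted' unless its root was installed by hand.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $cert   = $sig.SignerCertificate
    $signer = if ($cert) { $cert.Subject } else { $null }

    [pscustomobject]@{
        File            = $Path
        Sha256Matches   = $hashOk
        ActualSha256    = $actual
        SignatureStatus = $sig.Status        # Valid, NotSigned, NotTrusted, HashMismatch, ...
        Signer          = $signer
        SelfSigned      = [bool]($cert -and ($cert.Issuer -eq $cert.Subject))
        # A timestamp counter-signature keeps the signature valid after the
        # signing certificate expires.
        Timestamped     = [bool]$sig.TimeStamperCertificate
        # Only a Valid signature tells you who signed; only a matching hash
        # tells you the download equals what the site listed. Want both.
        SourceVerified  = ($sig.Status -eq 'Valid')
    }
}

# Usage (placeholders, not real values):
# Test-DownloadedInstaller -Path 'C:\Downloads\installer.exe' `
#     -ExpectedSha256 '<sha256 from the download page>'
```

A `HashMismatch` status means the file was altered after signing, which is the tampering case a posted checksum on the same server cannot catch.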
  23. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Don't do it then. Download the file, install and move on.
    Mrk
     
  24. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,046
    Location:
    USA
    Exactly. I work for a software company and we don't sign due to the expense. We post checksums, should be good enough for anyone to verify the file was downloaded as we posted it. A signature does not guarantee anything else.
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    Based on my humble experience over the last 16 years of downloading/installing binary files:

    download from trusted source = clean file 100% of the time
     