Windows Store Metro App signing... just Microsoft, not developer?

Discussion in 'other security issues & news' started by TheWindBringeth, Jun 15, 2012.

Thread Status:
Not open for further replies.
  1. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    While searching for some info on Windows Store distributed Metro Apps I came across several things which suggested that a Metro App downloaded/updated from the Windows Store would be signed by Microsoft and developers don't need a certificate. In the App Developer Agreement I noticed that it says "You grant to Microsoft the worldwide right to... and sign the app (including by removing preexisting signatures) ... ". Remove pre-existing signatures? I figured Windows Store distributed Metro Apps would be signed by Microsoft, but I also figured that security-minded developers would sign their Metro Apps as well.

    So I'm confused. How does one verify that the WidgetCo Metro App distributed via the Windows Store is exactly what was submitted to the store by WidgetCo? How does one verify that Microsoft isn't distributing a Metro App in the name of WidgetCo?
     
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Would most devs even bother signing their apps anyway when MS is doing it for them for free?

    (FYI: I didn't actually know this, I thought devs would have to sign their own apps. Do you have a source for that info?)
     
  3. guest

    guest Guest

    This is how it works:

    http://blogs.msdn.com/b/windowsstore/archive/2012/02/13/submitting-your-windows-8-apps.aspx

     
  4. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    The "You grant to Microsoft the worldwide right to... sign the app (including by removing preexisting signatures)" was from:

    App Developer Agreement
    http://msdn.microsoft.com/en-us/library/windows/apps/hh694058.aspx

    Based on the page linked to by guest, it sounds to me that the developer uploads a Metro App submission package to Microsoft and then after some checks Microsoft does the signing: "we’ll sign the packages you submitted with a trusted certificate that matches the technical details of your developer account." It isn't clear to me where this certificate comes from, but the wording about Microsoft doing the signing suggests to me that Microsoft will have that certificate *and* the private key. There being only one signature on the app and Microsoft having the information to execute the one signature isn't a problem? If Microsoft can sign one version of the Metro App (the one the developer submitted) it could sign and distribute an altered version of the Metro App, couldn't it?
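
The single-signer question raised in this post, modelled as an added example that is not part of the thread and is not Microsoft's or any poster's code. Assumptions: Ed25519 stands in for the store's real package signing, the keys and package contents are constructed, and the detached developer signature published out of band is hypothetical, not a Windows Store feature.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Package models a store-distributed app: the content plus the one signature
// that remains after the store strips any pre-existing signature and re-signs.
type Package struct {
	Content  []byte
	StoreSig []byte
}

// storeSign models the store signing whatever content it decides to ship.
func storeSign(storeKey ed25519.PrivateKey, content []byte) Package {
	return Package{Content: content, StoreSig: ed25519.Sign(storeKey, content)}
}

// storeOnlyVerify is all a client can check when the store signature is the only one.
func storeOnlyVerify(storePub ed25519.PublicKey, p Package) bool {
	return ed25519.Verify(storePub, p.Content, p.StoreSig)
}

// developerVerify checks a detached developer signature over SHA-256(content).
// The out-of-band channel for that signature is an assumption (hypothetical).
func developerVerify(devPub ed25519.PublicKey, p Package, detached []byte) bool {
	digest := sha256.Sum256(p.Content)
	return ed25519.Verify(devPub, digest[:], detached)
}

// demo returns the four check results: store/dev on submitted and altered content.
func demo() (storeOK, storeAlteredOK, devOK, devAlteredOK bool) {
	// Constructed keys from fixed seeds so the example is deterministic.
	storeKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	devKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	storePub := storeKey.Public().(ed25519.PublicKey)
	devPub := devKey.Public().(ed25519.PublicKey)
	submitted := []byte("WidgetCo app v1.0 (constructed sample)")
	altered := []byte("WidgetCo app v1.0, changed after submission (constructed)")
	digest := sha256.Sum256(submitted)
	detached := ed25519.Sign(devKey, digest[:]) // made by the developer before upload
	a, b := storeSign(storeKey, submitted), storeSign(storeKey, altered)
	return storeOnlyVerify(storePub, a), storeOnlyVerify(storePub, b),
		developerVerify(devPub, a, detached), developerVerify(devPub, b, detached)
}

func main() { fmt.Println(demo()) }
```

In this model the store signature validates for both the submitted and the altered content, while only a check against a developer-held key distinguishes the two.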
     
  5. guest

    guest Guest

    I think that's possible. There comes one's trust in Microsoft and its Windows Store again - which in my case is bigger than in any other dev (I mean, my trust in MS is bigger). I'm glad they will be reviewing these Metro apps so extensively.
     