Ok, maybe the title came across a bit too strong. I actually really like the idea of executable packages being signed so I know where/who they came from. And for device drivers I can see why they have effectively made it mandatory.
But this last week I ran into a major road block with the Windows 8 smart screen filtering. Supposedly this is to keep me safe. I can even buy that requiring an installer to be signed so you know where it comes from implies a greater degree of reliability.
I have a software package that has been shipping for years, has always been signed, and now our digital certificate has expired and been renewed. For some reason, Microsoft has decided that this must mean that our software is untrustworthy. They have conveniently provided us with the opportunity to purchase a more expensive certificate for signing (EV code signing) that will let us me immediately trustworthy.
But when we tried to go down that road, we ran into all kinds of road blocks. The EV certificate has to be on a hardware token, cannot be used on an Amazon EC2 instance (or any other cloud based machine), and it also cannot be used on a VM of any kind (they informed me that this was a “security feature”). So my only option is to purchase dedicated hardware for the relatively rare situation where I need to perform a publically released build.
It feels like so-called security companies don’t have a clue about usability. The down side of this is that the more they make security unusable, the less it will be used. There is a huge human factor to security that they just don’t want to admit exists.
It also feels like Microsoft is just trying to help generate revenue for signing certificate providers. If we have proven our identity, and created a reputation for our existing certificate, then the fact that we have to renew our certificate shouldn’t be a cause for lowering our reputation. Rather, Microsoft needs to provide a way for our reputation to migrate to the renewed certificate.