PIA code NOT signed - "installer_win.exe" v.47


Question: Why does PIA always show "Publisher: Unknown" - during installation and when you run it?

installer_win.exe
pia_manager.exe

I have some coding experience, and so that question, or the lack of an answer, is disturbing.

Is PIA too cheap to get a proper certificate?

Googled that question and couldn't find anything.

Looked in this forum and could not find an answer to my question.

Asked some PIA rep via chat window and he claimed "we do an internal signature."
Almost laughed, but it's not funny - really.

So I did some reading and testing with v46 and v47 on Win7x64, Win8x64, Win8.1x64, Win10x64, etc.

http://blog.didierstevens.com/2008/12/31/howto-add-a-digital-signature-to-executables/

https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx

http://stackoverflow.com/questions/667017/how-to-check-if-a-file-has-a-digital-signature

PIA may remove the links above, so just search for "how to verify the digital signature of a file." Plenty of info and tools available.

The bottom line is that PIA's "installer_win.exe" and "pia_manager.exe" are NOT signed - period.

It is fairly simple and inexpensive to sign code in 2015.

So - why is PIA code not signed - at all?
And why do I get a bogus answer from the rep?


Comments

  • Hello!

    Thanks for your concern. We use open-source software to create our program, and we've no interest in code signing as it would require we allow a third-party company full access to our code. I apologize for any inconvenience.
  • edited October 2015
    We use open-source software to create our program, and we've no interest in code signing as it would require we allow a third-party company full access to our code.
    Wow!
    That is just NOT true!
    Certificate companies sell you a VALID certificate.
    What your organization signs with it, that is none of their concern.
    Of course you know that, so why would you ... lie?

    Example

    Verisign, bought by Symantec, soon to be spun off as Veritas

    Symantec Code Signing Certificates - all

    Symantec Code Signing Certificates - for Microsoft Authenticode

    1 Year $499
    2 Year $873 Save over $100
    3 Year $1248 Save over $200

    Code Signing (Example)

    As I am involved with large scale projects, my software venture purchases a Code Signing Certificate from Verisign, now Symantec (they cost $499 a year, and are suitable also for Kernel drivers).

    To sign an executable, I use a tool named kSign by Comodo.

    [image]


    The difference between signing your executables and not signing them can be explained by the warning your customer will get when trying to download a non-signed executable.


    [image]

    and also:

    [image]


    But if your executable is signed, the user will get this message:

    [image]

    Which is better?

    Obtaining a Verisign certificate means that your identity (or your company's identity) is fully verified.

    *** End of Example ***

    I will not be renewing unless you apply industry best practices and sign your code - please stop lying and misleading about it also.

    While you contemplate the wisdom of implementing a valid certificate instead of telling yourself and your clients that you don't need one, please provide at least the MD5, SHA1, or SHA2 hashes with the files to allow verification of download integrity.

    Some of your clients are in the wilderness and would very much appreciate those.

    Have a nice day and I'm looking forward to a signed v47 or newer in 2015.


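    An added example (not code from the thread or from PIA) that performs the two checks discussed above: the Authenticode signature test the original post describes, and the MD5/SHA1/SHA2 download-integrity hashes this comment asks the vendor to publish. The file paths and the published-hash table are assumptions; replace them with your own values.

```powershell
# Added example (not the thread author's or PIA's code): report the Authenticode
# status and download hashes for the two binaries named in the original post.
# File paths and the expected-hash table are assumptions; replace them with your own.
# Get-FileHash needs PowerShell 4.0 or later (WMF 4 on Windows 7/8).

$files = @('.\installer_win.exe', '.\pia_manager.exe')

# Hashes a vendor would publish next to the download. PLACEHOLDER values only;
# fill in real published hashes before relying on the comparison.
$published = @{
    'installer_win.exe' = 'PLACEHOLDER_SHA256'
    'pia_manager.exe'   = 'PLACEHOLDER_SHA256'
}

foreach ($f in $files) {
    if (-not (Test-Path -Path $f)) {
        Write-Warning "Not found: $f"
        continue
    }

    # Status is NotSigned for a file with no signature at all, Valid only when the
    # signature verifies and chains to a trusted root, and HashMismatch, NotTrusted
    # or UnknownError when the file was altered after signing or the chain fails.
    $sig = Get-AuthenticodeSignature -FilePath $f
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    Write-Host ("{0}: {1}; signer: {2}" -f $f, $sig.Status, $signer)

    # Hashes for download-integrity checks (the MD5/SHA1/SHA2 values requested above).
    foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
        $h = Get-FileHash -Path $f -Algorithm $alg
        Write-Host ("  {0}: {1}" -f $alg, $h.Hash)
    }

    # Compare the SHA-256 against the published value, if a real one was supplied.
    $name = Split-Path -Path $f -Leaf
    $expected = $published[$name]
    if ($expected -and $expected -ne 'PLACEHOLDER_SHA256') {
        $actual = (Get-FileHash -Path $f -Algorithm SHA256).Hash
        if ($actual -eq $expected) {
            Write-Host "  SHA256 matches the published hash"
        } else {
            Write-Warning "  SHA256 does NOT match the published hash: download is corrupt or tampered"
        }
    }
}
```

    The Sysinternals sigcheck tool linked in the original post gives the same information from a command prompt: `sigcheck -h installer_win.exe` prints the signature status and file hashes.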
  • edited December 2015
    I agree - I emailed them about this problem and got the same answer. Their excuses are fundamentally false - either they don't actually understand privacy and security (and software development) or they don't mind lying to their users. Either way, it makes me wonder what other dangerous "misunderstandings" they may have. I think I'm done trusting this company.

    (As for the other part of their excuse - that they can't sign it because they use open source software - that's also bizarre. OpenVPN is open-source, and it's signed. I'll be using that to connect to them for now while I'm looking for an alternative VPN provider.)
  • Any update from PIA? Will you sign your software that we download?

    It's safer, more secure, and not much trouble or cost for you!
  • I guess this question is on the same line with these very old requests:

    - why the current installer is an awkward DOS window
    - why we cannot install and run PIA from ONE folder, rather than from a random folder under the Windows temp files every time
  • I am left wondering if there is something wrong with their code.
    This is a question of ignorance and a hypothetical, so take it for what it is worth:

    If their code made our connections not actually private but accessible and monitorable by a third party, such as a government agency or marketing company or someone else interested in our data, would obtaining a code signature reveal this?
    In other words could duplicity be revealed by the code signing process?

    I am thinking of going back to Mullvad over this. It is pretty good, flexible software, and not too expensive.
  • @captainzap As of v76, the PIA app is signed. This thread is over 2 years old.

    Code signature only matters in the sense that it allows you (well, Windows) to verify that an application was produced by the people you think it was, and verify that it has not been modified by a third party.

    The security of the connection was never affected unless you were tricked into installing a modified version of the app downloaded from a third-party website. Code signing only has a use for your computer to be able to verify the authenticity of the application. In itself, it doesn't provide any security to the connection, only verifies that the app really comes from PIA and not the NSA.