Nearly all the code that comes out of CherSoft is digitally signed. You might reasonably ask ‘So what does that mean and why should I care?’. Well, the signature provides proof that the code came from CherSoft. It also proves that the code has not been tampered with. So, not only can you be sure that you are getting exactly what you think you are getting but also that nothing has been added (like a virus) or taken away or fiddled with. This is actually a pretty strong guarantee. It is also pretty important. In fact it is considered so important that most of the requirements for handling and checking digital signature are built right into the Operating System.
Here is some technical stuff. It is easy to copy and edit files – so how do digital signatures prevent tampering? The clever bit is the use of asymmetric cryptography. Now the math behind this is a bit evil and well beyond me, however the practical upshot is that it is possible to encrypt something with a private key that can only be decrypted with a public key (a key is a string of digits that is used in the encryption algorithms). You can’t use the public key to work out what the private key is (that’s the asymmetry bit). Signing the code involves creating a digest and then encrypting this with the private key. A digest is a summary of the code which will always change if the code changes. Imagine taking every 100th letter from a book. If the book changed then the sequence of letters would change. A digest works (very nearly) like this. It is much shorter than the whole book so it can be encrypted or decrypted quickly.
So if we give you our public key and sign the code using our private key then you can use the public key to be sure it came from us.
How do you get our public key? Easy – we put it into a certificate. This is a file which contains some information about us (CherSoft), an expiry date and our public key. When Windows checks the files before installing them it looks for a signature and checks it against the certificate. The certificate is appended to the code but you can, if you want, download a copy of it here.
Now if you are paying attention then you should be asking ‘ah ha, but how can we tell the certificate is genuine?’. Maybe you have landed with some virus ridden code and they supplied a certificate with it as well. This loophole is closed by digitally signing the certificate. We don’t do this. Verisign do it for us. In fact we pay them quite a lot of money to do it for us. Verisign sign our certificate and then the public key to verify that signature is stored in a Verisign certificate. Verisign are known as a Certificate Authority. They sign a lot of certificates and their public key unlocks all of them. The certificate containing their public key is known as a root certificate. You can trust it because it comes from a well know source and it is ubiquitous. If someone attempted to forge our public key certificate they would not be able to use the Verisign certificate because the private key for that is kept very private. So the certificate chain leading to a trusted root certificate is your guarantee that the code is exactly what it is supposed to be.
The CherSoft certificate is signed by an intermediate certificate which in turn is signed by the root certificate.
This stuff is a bit technical and involved. Fortunately it is also quite effective and, for the most part, handled by the Operating System (Windows) in a way which makes downloading and installing stuff safer. If you ever see a message along the lines of ‘This code comes from an untrusted source’ then you should make sure that you are confident that you know exactly what it is before going any further.
The Verisign certificate needs to be installed on your computer. So how does it get there? Turns out that there are several mechanisms of which the easiest is that the Windows Update service will do it for you. Keep Windows up to date and there will not be any problems (not this sort of problem anyhow). If you do not update your PC then a problem can arise because the one of the root certificates becomes out of date. We do see this occasionally especially on shipboard computers which never get to see the Internet from one year to the next. If your root certificate is out of date you may get to see this:
The solution is to download the missing or out of date certificates. You can get the Verisign intermediate certificate here and the Verisign primary root certificate here.
Copy the information for the Certificates as explained on the web page. Then paste them into plain text files (use notepad) and save it to a file whose extension is .cer. Follow the instructions to create a .cer file for each missing certificate. Copy the certificates to the PC. Right click and choose ‘install certificate’. This requires Admin privileges. Choose ‘Automatically select the certificate store…’ when asked and accept all other defaults.
If you want to check signature on our code manually then download the Nuno Navigator installer and right click on the file (called nunonavigator.exe). Click on the Digital Signatures tab.
Click on the CherSoft Ltd signature and choose details.