Forum Thread: Why no digital signature on Adobe Air 3.5.0.880 update??

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
micus Why no digital signature on Adobe Air 3.5.0.880 update??
Member 17th Dec, 2012 06:00
PSI displayed a link to what it claims to be the latest Adobe Air update on my Win7 box. I clicked to download, then clicked to install. Win7 warns about an unknown publisher. By contrast Adobe Air's own installer is digitally signed by Adobe.

Would somebody know why PSI offers unsigned executables for installation? The file properties box does not show any signature at all. Not good.
-Micus

This user no longer exists RE: Why no digital signature on Adobe Air 3.5.0.880 update??
Secunia Official 17th Dec, 2012 12:21
Last edited on 17th Dec, 2012 12:22

Nice observation. The installers offered via the PSI are not digitally signed due to how we offer our SPS packages. It would require a lot of resources for us to sign each and every package we offer. Please see our FAQ for details regarding SPS packages.
http://secunia.com/vulnerability_scanning/personal...

You are of course free to update your programs any way you prefer. As for Adobe Air you can also get the latest version from www.adobe.com.
micus RE: Why no digital signature on Adobe Air 3.5.0.880 update??
Member 18th Dec, 2012 02:43
> It would require a lot of resources for us to sign each and every package we offer.
> Please see our FAQ for details regarding SPS packages.

Thanks; that clears things up. Having an Authenticode signing cert (SPC) on a dedicated signing server need not be expensive. A problem with leaving executables unsigned is that you are training PSI users to ignore Windows warnings about unsigned executables that generally should be heeded. Also, if your SPS-package distribution service is ever compromised and starts serving malicious executables, the user won't see any difference. So, you may want to consider signing. Regards,
-Micus
