
I work as a developer for a young company, and I also develop personal projects. These are mainly C# and python apps. Our company purchased a code-signing certificate from a CA to avoid the "unknown publisher" warnings and some antivirus protection issues, but I wanted to avoid that cost for personal projects.

From my understanding, the only way to accomplish this is using a certificate from a trusted CA, but then why would one use a self-signed certificate? I know that they exist, but since most users aren't going to edit their trust stores, what do they realistically accomplish?

note: I'm asking specifically about code-signing certs, not SSL or otherwise

  • Probably better suited to ServerFault or Security.SE? Commented Dec 2, 2019 at 18:16
  • Agreed that this should probably be on security.stackexchange.com. Commented Dec 2, 2019 at 20:18

3 Answers


Self-signed certificates are best suited for development, test and learning environments.

Nowhere else should you be thinking about them.


1 Comment

The Verisign root certificates (for example VeriSign Class 1 Public Primary Certification Authority - G3) are all "self-signed." They're very useful. All root certificates are self-signed. In any case that you are the trusted root, you will create a self-signed cert. When dealing with browsers, that's uncommon, but when dealing with other kinds of systems, it's very common and best practice to be your own root.

Your question is mixing several issues, and I think that's what's causing the trouble. A commercial CA is useful in exactly one, and only one, situation: where you need a third party that everyone trusts. They are useless, and actually a detriment, in cases where you do not want that.

So a commercial code-signing CA is useful for signing public web sites. A commercial CA is less useful for signing private API certificates (though on some platforms, particularly iOS, there are reasons to use one anyway).

Similarly, a commercial CA is useful if you have an OS that trusts that CA for code-signing. If you're on a recent version of macOS, however, then you really need one that's signed specifically by Apple.

But if you control the platform yourself, for example in an embedded system or a plugin engine, it is completely appropriate to self-sign the binaries. "Self-sign" just means "using the root certificate." There's nothing magical about commercial roots. They're "self-signed." It's just that others trust them. If you don't need anyone's trust but yourself, then using your own root is better than a commercial one.

(There are some details I'm glossing over here to get to the core point. In particular, often "self-signed" certificates are really secondary certificates that are rooted to some self-signed cert. That's something that's normal for commercial certs, and good practice even if you create your own root. But the basic intuitions are the same.)

If the question is specifically "why would I use a self-signed cert for signing Windows binaries outside of a controlled environment like an enterprise," then the answer is you probably shouldn't, and why do you think you should? But for the general problem of "code signing" across all possible platforms, there are many cases where using your own root is ideal. And inside an enterprise, signing your own binaries is very normal.

Comments


Certificates establish trust. It is impossible to trust a certificate that anyone can create because anyone else can also create one, e.g., a self-signed certificate allows a man-in-the-middle attack.

4 Comments

The security issues behind self-signed certs make sense. I'm more curious about cases where self-signed certs are actually useful. Considering the body of knowledge and tutorials on how to make them, I assumed that there was some logical use, but I can't seem to find any situations recommending them from searching.
In that regard, I'd say a self-signed certificate is better than no certificate. Maybe if you want to try out a new web server app for a while and would not have a wildcard SSL cert to cover it. Also might be helpful if you are already using a VPN which should limit outside viewers but you still do not want the inside people to easily see your traffic.
SSL certificates can be converted and/or generated for FTPS and email certificates too. It is another case where a self-signed certificate is better than no certificate.
Also I believe if the private key were shared instead of the public key, you could validate traffic.
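Added example, not code from any of the posts above: the "be your own root" setup the second answer describes, together with the check that answers the third answer's objection that anyone can create a certificate. The program stands up a private trust anchor (a self-signed CA certificate), has it issue a leaf restricted to the codeSigning extended key usage, signs a stand-in binary, and then verifies as the platform you control would: the leaf must chain to the one pinned root and the signature must cover the bytes. A leaf issued by a different root, even with the same Common Name, is rejected. Choices that are mine and not from the page: Go's standard library, ECDSA P-256, a detached signature over the SHA-256 digest (not Authenticode or any other packaging format), and all names and the sample binary, which are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signer pairs a certificate with the private key behind it (root or leaf).
type Signer struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// makeCert issues tmpl. With a nil parent the template signs itself with its own new key, which is all "self-signed" means.
func makeCert(tmpl *x509.Certificate, parent *Signer) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	issuerCert, issuerKey := tmpl, key
	if parent != nil {
		issuerCert, issuerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuerCert, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Signer{Cert: cert, Key: key}, nil
}

// newRoot creates the trust anchor of a private PKI: a self-signed CA certificate.
func newRoot(cn string) (*Signer, error) {
	return makeCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil)
}

// issueCodeSigningLeaf has root issue an end-entity certificate good only for code signing.
func issueCodeSigningLeaf(root *Signer, cn string) (*Signer, error) {
	return makeCert(&x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, // IsCA stays false, so this encodes CA:FALSE
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, root)
}

// signBinary produces a detached ECDSA signature over the SHA-256 digest of binary.
func signBinary(leaf *Signer, binary []byte) ([]byte, error) {
	digest := sha256.Sum256(binary)
	return ecdsa.SignASN1(rand.Reader, leaf.Key, digest[:])
}

// verifyBinary is the check the platform you control runs: chain to the one pinned root, codeSigning EKU, matching signature.
func verifyBinary(pinnedRoot, leaf *x509.Certificate, binary, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinnedRoot)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain does not reach the pinned root: %w", err)
	}
	// CheckSignature hashes binary with SHA-256 and checks the ASN.1 ECDSA signature with the leaf's key.
	if err := leaf.CheckSignature(x509.ECDSAWithSHA256, binary, sig); err != nil {
		return fmt.Errorf("signature does not match binary: %w", err)
	}
	return nil
}

func main() {
	myRoot, _ := newRoot("Example Personal Projects Root") // constructed names throughout
	myLeaf, _ := issueCodeSigningLeaf(myRoot, "Example Release Signer")
	rogueRoot, _ := newRoot("Anyone Else's Root")
	rogueLeaf, _ := issueCodeSigningLeaf(rogueRoot, "Example Release Signer") // same name, other root
	binary := []byte("constructed stand-in for an application binary")
	sig, _ := signBinary(myLeaf, binary)
	rogueSig, _ := signBinary(rogueLeaf, binary)
	fmt.Println("own leaf:  ", verifyBinary(myRoot.Cert, myLeaf.Cert, binary, sig))
	fmt.Println("rogue leaf:", verifyBinary(myRoot.Cert, rogueLeaf.Cert, binary, rogueSig))
}
```

The root is the only certificate here that verifies under its own key; the leaf is "self-signed" only in the loose sense the second answer mentions, meaning it chains to a root you made rather than to a commercial one. The verifier never consults a system trust store, so what "anyone can create" does not matter: only certificates issued by the pinned root pass. That is also why this does nothing for the question's Windows case. Authenticode checks against the machine's Trusted Root store, so a private root removes the "unknown publisher" warning only on machines where you have installed it, which is the enterprise scenario the second answer describes.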
