
Code signing (SignPath): consolidated AV/trust cost — 4 fronts, with measured 40s→13ms evidence #515

Description

@githubrobbi

Shipping the Windows binaries unsigned now has hard, measured costs across four independent fronts. This issue consolidates them as the business case for obtaining an Authenticode certificate — the SignPath Foundation free OSS program is the target.

The measurement that settles it

uffs-broker --install timing on a real Norton box (elevated), isolating each step:

| step | Norton ON | Norton OFF | ratio |
|---|---|---|---|
| sc create (register auto-start service) | 40,022 ms | 13 ms | ~3,000× |
| sc start | 33 ms | | |
| service → RUNNING (exe launch scan) | ~10 s | | |

Registering a new auto-start LocalSystem service pointing at an unsigned binary is the textbook malware-persistence signal, so Norton deep-scans it synchronously. Signed binaries with established reputation are not gated this way.

The four fronts a signature fixes

  1. Broker WinVerifyTrust is inert. The Access Broker verifies the daemon's Authenticode before vending elevated volume handles — the zero-UAC path's client authentication. Unsigned = the check can't do its job.
  2. Defender false-positive (Trojan:Win32/Sprisky.U!cl) blocked winget PR #395548; needed a manual WDSI submission to clear. Recurs per release on unsigned, low-prevalence binaries.
  3. Norton scan on --uninstall — every downloaded binary re-scanned; painful UX (reported live).
  4. Norton 40s gate on sc create — the measurement above. A one-time install cost today, but a concrete, quantified example of the unsigned tax.

Cost of NOT signing (recurring, per release, forever)

  • Each release ships new unknown hashes → no prevalence → repeated AV scans / FPs / gates on every user machine.
  • The zero-UAC broker security model is weaker than designed.
  • winget submissions risk re-blocking on Defender FPs.

Recommendation

Apply to SignPath Foundation (free code signing for OSS). Then wire signing into release.yml (sign the Windows binaries before packaging/upload). Once signed + prevalence builds, all four fronts resolve. The 40s→13ms number above is a clean before/after for the application.

Related

  • Broker install narration/spinner fix (the silence during the 40s): PR to land shortly. The 40s itself is AV/trust, not fixable in code.
  • Prior context: winget FP (#395548 / WDSI d08a4830, cleared), broker Authenticode design.
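A release-gate check matching the recommendation above (verify the Windows binaries are properly signed before packaging/upload). This is an added example, not code from the uffs project or the issue author; the `dist` layout and the certificate thumbprint are placeholders.

```powershell
# Added example (not project code): fail a release if any Windows binary is
# unsigned, signed by an unexpected certificate, or lacks a countersignature
# timestamp. Paths and the thumbprint below are placeholders for illustration.
$ExpectedThumbprint = 'REPLACE-WITH-RELEASE-CERT-THUMBPRINT'   # placeholder

function Test-ReleaseBinarySignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Thumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $problems = @()
    # Status reflects WinVerifyTrust chain/policy evaluation; anything other
    # than Valid (NotSigned, HashMismatch, UnknownError, ...) fails the gate.
    if ($sig.Status -ne 'Valid') {
        $problems += "status is $($sig.Status): $($sig.StatusMessage)"
    }
    # A valid signature from *any* trusted CA is not client authentication;
    # pin the signer, which is what a broker-side WinVerifyTrust check needs too.
    if ($null -eq $sig.SignerCertificate -or
        $sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
        $problems += 'signer thumbprint is not the release certificate'
    }
    # Without an RFC 3161 timestamp the signature stops validating once the
    # signing certificate expires, recreating the unsigned-binary problem later.
    if ($null -eq $sig.TimeStamperCertificate) {
        $problems += 'signature is not timestamped'
    }
    [pscustomobject]@{ Path = $Path; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Gate: run over every staged binary (assumed layout: dist\*.exe and dist\*.dll).
$results = Get-ChildItem -Path 'dist' -Include '*.exe', '*.dll' -Recurse |
    ForEach-Object { Test-ReleaseBinarySignature -Path $_.FullName -Thumbprint $ExpectedThumbprint }
$results | Format-Table Path, Ok, @{ n = 'Problems'; e = { $_.Problems -join '; ' } } -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Error 'Refusing to package: unsigned or mis-signed binaries found.'
    exit 1
}
```

Run it as the step between signing and packaging in release.yml; a non-zero exit stops the upload, so an unsigned binary can no longer reach winget or users by accident.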
