Runtime and API layer code signing

There seems to be an issue with games with anti-cheat features failing to load runtimes and API layers that don’t have the code digitally signed.

AFAIK there isn’t any requirement or mention in the specification about having the files signed. It might be a good idea if the specification addressed this in some way.

I’m not sure there is a perfect solution for this though. Enforcing signatures would be catastrophic for me. I’m developing an open-source API layer under a pseudonym and without any budget, and it doesn’t seem possible to sign files pseudonomously or without paying for expensive subscription services.

Forcing applications to accept unsigned code would likely be unworkable for anti-cheat software.

Hmm, that’s unfortunate that apps are introducing requirements beyond the spec. It’s really undermining the compatibility piece. (Part of me is curious if you can add a root signature to work around it like Zadig does…) I’ll raise an issue internally to get this in front of the WG. (update: here’s the link for WG members issue 1991 )

Ideally if any signing is needed it could be more like Android (signature matters but no CA required) and less like Windows (pay $$$ to a CA first). I totally hear you on the “very challenging for open source” point, don’t worry. I’ll certainly keep that point of view in the forefront of my mind.

Didn’t think we’d need code signing stuff on non-Android… :woman_facepalming:

1 Like

I don’t think there is any solution to be honest, except to give in and just sign your code. It isn’t that expensive (I pay $70/yr, I hear some services can even be as low as $50/yr). I don’t have a solution for the anonymity though.

I’ve been signing my code since day 1 mostly to avoid Windows Defender and Edge warnings. In the last couple of days I started signing not just the DLL I build but also all the DLLs I depend on (most of them weren’t signed by their respective vendors). Good news is my software is now usable on these games with anti-cheat.

The findings of the last week, however, show how ineffective and unnecessary this signing requirement is. Anybody willing to pay the certificate fees can then sign code, including malicious code.

1 Like

For that price I’m guessing you are receiving a “Standard Verification” certificate. In my experience that does not quiet the Windows Smart Screen warnings when you run the installer. I don’t think the warnings have anything to do with Defender. I don’t know anything about Edge warnings. We had to purchase an “Extended Verification” certificate which cost Khronos just over $2k for a cert valid for 3 years. At least this vendor doesn’t charge per-signing fees like some other purveyors of EV certificates.

1 Like

You’re right that it’s not eliminating all the warnings. It removed 1 and made another one less scary. But I still need to “Keep anyway” the download from Edge.

Thanks for bringing up this issue, Rectus. We’ve discussed some options in the working group and we’ll need to do some experimentation. Our thinking in the near term is that an application should modify their loader (since it’s typically included statically) to perform any checks they need to satisfy anti-cheat programs. Any modifications to the official loader will need lots of scrutiny and a good understanding of the tradeoffs we’re making.

1 Like