IMHO Rene is just kicking up dust.
I agree with Docholiday: Keep the anti malware & virussoftware on your PC up to date and look where you download files from.
There is no way to ensure that even a signed file is really from the author if you don't check where you download it from. If you have malware on your PC which redirects a web request to a different server (this is really easy to do even with secure connections!) then you'll happily download a signed file from a malicious source.
I meant to post this earlier but I got lazy. Nevertheless, I wanted to address your post to help clarify some of your misconceptions.
Two of the main benefits that a modern digital signature provides are:
- It allows you to verify that the file you downloaded originated from a certain publisher.
- It allows you to verify that the file you downloaded has not been tampered with.
If you are using Windows OS, you can view the properties of a file (by right-clicking the file and selecting properties from the context menu). If the file has been digitally signed you will see a tab from where you can get more information about the digital signature (see Picture 1).
If you click on the
Digital Signature tab, you will have aces to all kinds of information regarding the digital signature, but one piece of information that you will find relevant to your post is the digital signature certificate (see picture 2).
Looking at the digital signature certificate (Pciture2), you can be sure of two things:
- The file comes from a publisher named Seagull Scientific, Inc. If this is not the publisher you are expecting then you should not trust the file. In the case of Siglent, you will see Siglent, Inc (or something close to that) instead of Seagull Scientific, Inc
- The file content is exactly the same as what the publisher intended it to be. In other words, the file has not been tampered with. If a malicious person had tampered with the file, the digital signature would have been voided so the file would not appear to be signed.
So to address your comments: You are indeed able to verify that the file is from a certain author by looking at the certificate (with or without redirects). The reason why redirects are not an issue is because it does not matter if you download the file from a malicious website, as long as the file is digitally signed and the digital signature show that it has been published by the expected author, it means that the file is good (this is the whole point of a modern file digital signatures). Your comment about keeping your computer virus protection up to date is obviously valid, but having a digital signature that can prove the file comes from a
trusted source is far more valuable and effective (IMHO).
Finally, all the concerns about private keys vulnerability (lost keys, mismanaged keys, stolen keys, etc) are valid but not realistic in most scenarios that matter. For a careless small time teenager digitally signing files from his or her garage computer this may an issue, but reputable corporations don’t take security lightly, you will have a very, very hard time getting anywhere near those certificates, and even if for some reason you were able to steal the digital signature certificates you would still not be able to use them because they are typically locked down with a strong password and they can be revoked at any time. I should also mentioned that if this was a big issue you should be shaking in your boots as we speak because all your banking transactions and online purchases (at one point or another) involve using the same technology used in digital signatures (asymmetric cryptography).
But do you know what the best part of a digital signature is? That if someone does not give a crap about them they can completely ignore them and move on with their lives. But for those of us who care, it is a very valuable feature.
Cheers.