xusmc

  1. I couldn't resist.... "In public-key cryptography, a public key fingerprint is a short sequence of bytes used to identify a longer public key. Fingerprints are created by applying a cryptographic hash function to a public key. Since fingerprints are shorter than the keys they refer to, they can be used to simplify certain key management tasks. In Microsoft software, 'thumbprint' is used instead of 'fingerprint.'" (https://en.wikipedia.org/wiki/Public_key_fingerprint) Hashes can be made from Public Keys or from Signatures. But they are usually used only for the Public Key itself, so that a giant public key can be reduced to a simple and shorter hash sequence. I want CCleaner to post on their webpage the PUBLIC KEY THUMBPRINT they use to sign all the software they write. My research has shown that they use MANY keys to sign their software. Why is this? Nobody uses a mish-mash of different keys like this to sign a limited variety of software. It might have to do with hackers five years ago installing malwared updates on CCleaner's website that millions of people downloaded. But I don't see how. I thought I would try once more....since Wiki seemed to explain things better than I apparently could.
  2. For approximately the third time, an SHA-256 hash is of the SIGNATURE. I need the Thumbprint/Fingerprint of the KEY used to sign to be posted on CCleaner's website. It's OK guys.... I will have to look for a solution elsewhere. Thank you for your time and Happy New Year.
  3. Thanks, Nukecad. I was aware of the steps above, as I outlined them myself higher up in my posts. OK...your steps above, as mine, show us the UNIQUE THUMBPRINT (or fingerprint, if you use PGP) of the KEY USED TO SIGN THE SOFTWARE. Great. Now how do we know that someone did not detach the signature from the executable file, change the software, sign it using ANOTHER KEY, and then post it on CCleaner's website? Well....your steps above trust the BROWSER or WINDOWS to do the checking for you. That normally works 99% of the time. All I wanted was for CCleaner to post ON THEIR WEBSITE the thumbprint of the key used to sign the software. It should match what you posted above under "Thumbprint"!!!! See here for additional info: https://knowledge.digicert.com/solution/SO9840.html There may be a hash/thumbprint/fingerprint of the SIGNATURE or the same for the KEY ITSELF. I want the hash/thumbprint/fingerprint of the KEY ITSELF to be posted by CCleaner on their website, in order to further verify what my browser or Windows tells me (as it told you above). I can't be any more clear than that. Thanks....
  4. Thank you to all. But to Nukecad and Hazlenut. Unless I am understanding Public Key encryption entirely wrong (which might be the case, as I am not a techie), the SHA-256 hash that the authors used to publish is simply a "thumbprint" of the digital signature, which will change with every release, since the code is changed with every release. Yes, that would be a good way to check the authenticity of each release. I think going the "virustotal route" is a good idea, as I am taking what many other companies are doing (ensuring the signature was authentic, with respect to the public key) and comparing the results to my own Win10 browser. What I really want, though, is the Thumbprint of the PUBLIC KEY used to sign each release. That way, if Win10 says the "signature is good", I can then ensure the same Public Key listed there is the same one the company STATED they used. If you publish a public key, you do not have to publish a hash of the digital signature with each new release. Windows verifies the digital signature AND you can verify the public key thumbprint Windows SAYS it used, with the one the company SAYS it used. I may be overthinking this, but without a public key statement on the company website, I won't be able to buy any licenses for my company.
  5. Merry Christmas Everyone, Perhaps I can solve my problem in a "distant second" way.... Does anyone have the Thumbprint of the key used to sign their copy of the installer? 1) CCleaner Pro Trial 6.07. 2) CCleaner Pro Plus 6.07. 3) CCleaner Business 6.07. You can get this information by Right-Clicking on the Installer and choosing Properties/Digital Signatures/SHA 256 Details/View Certificate/Details/Thumbprint. If I can get a consensus of similar Thumbprints, that would be helpful. Thank you in advance!
  6. I don't think I was clear enough. Software is signed using Public Key Cryptography. The company keeps the Secret Key private and uses it to sign software. The Public Key CAN BE made public. Why would I want the Public Key? To verify directly from the company THAT was the key used to sign the software! That Public Key I receive directly from the company when I ask for it, or if it is published on their website, has a Thumbprint that I can use to VERIFY with the Thumbprint obtained by right-clicking on the executables and choosing Properties/Digital Signatures/Details/View Certificate/Details/Thumbprint. All security-minded companies provide you with their Public Key so that you can verify THAT was the Key Pair used to sign their software. Otherwise, digital signatures can EASILY be removed from executables, changes made to the executable, re-signed with the malefactor's key and unless you VERIFY WITH THE COMPANY'S PUBLIC KEY, you will be none the wiser you have a non-authentic version of CCleaner. Surely, considering CCleaner's history and its parent company's history, somebody at the company is reading this and working to make THEIR ONE SIGNING PUBLIC KEY AVAILABLE! Not a mishmash of signing keys, NONE OF WHICH is available. Thank you to everybody that responded....but my question hasn't been answered.
  7. Older versions, different DLLs or executables within the Program Folder, etc., all have DIFFERENT Thumbprints for the Signing Key used to digitally sign. No other company does this, unless they advise that a new Signing Key is being used! What is the Thumbprint of CCleaner's Signing Key??? I emailed their Support email address and those people are improperly trained or stupid. They either didn't know what I was talking about or didn't have an answer. Would appreciate some help on this. I have to have a way to verify Signing Keys before my company will allow me to purchase Business Licenses. Thanks in advance for any help....
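
The comparison these posts ask for, as an added example (not part of the original posts and not vendor code): it reads the signer certificate that Windows shows under Properties/Digital Signatures and checks its Thumbprint, which is the SHA-1 hash of the whole certificate, against values obtained out-of-band, while also reporting a SHA-256 of the public key bytes and of the file so the three kinds of hash are not confused. The function name `Test-SignerPin`, the file path and the thumbprint in the usage comment are placeholders.

```powershell
# Added example. Test-SignerPin is a hypothetical helper name, not a built-in cmdlet.
function Test-SignerPin {
    param(
        [Parameter(Mandatory)] [string[]] $Path,               # installers / DLLs to check
        [Parameter(Mandatory)] [string[]] $ExpectedThumbprint  # values obtained out-of-band
    )
    # The certificate dialog shows thumbprints with spaces and mixed case; normalise them.
    $pins = @($ExpectedThumbprint | ForEach-Object {
        ($_ -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    })
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        foreach ($p in $Path) {
            $sig  = Get-AuthenticodeSignature -LiteralPath $p
            $cert = $sig.SignerCertificate      # $null when the file is unsigned
            $keyHash = $null
            if ($null -ne $cert) {
                # Hash of the public key bytes only: unchanged if the same key is re-certified.
                $keyHash = [System.BitConverter]::ToString(
                    $sha256.ComputeHash($cert.GetPublicKey())) -replace '-', ''
            }
            [pscustomobject]@{
                File            = $p
                Status          = $sig.Status   # Windows' own chain and signature check
                Subject         = if ($cert) { $cert.Subject } else { $null }
                Thumbprint      = if ($cert) { $cert.Thumbprint } else { $null }
                PublicKeySha256 = $keyHash
                NotAfter        = if ($cert) { $cert.NotAfter } else { $null }
                # Per-release file hash: changes with every build, unlike the two values above.
                FileSha256      = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
                # Pinned only if Windows accepts the signature AND the signer is on the list.
                Pinned          = ($null -ne $cert) -and ($sig.Status -eq 'Valid') -and
                                  ($pins -contains $cert.Thumbprint)
            }
        }
    }
    finally { $sha256.Dispose() }
}

# Usage (placeholder path and thumbprint):
# Test-SignerPin -Path '.\installer.exe' -ExpectedThumbprint '<thumbprint from the vendor>' |
#     Format-List
```

Because the Thumbprint covers the entire certificate, a renewed certificate issued for the same key produces a new Thumbprint but the same `PublicKeySha256`.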