
What is CCleaner's Signing Key Thumbprint???


xusmc


Older versions, different DLLs or executables within the Program Folder, etc., all have DIFFERENT Thumbprints for the Signing Key used to digitally sign.  No other company does this, unless they advise that a new Signing Key is being used!  What is the Thumbprint of CCleaner's Signing Key???

I emailed their Support email address and those people are improperly trained or stupid.  They either didn't know what I was talking about or didn't have an answer.

Would appreciate some help on this.  I have to have a way to verify Signing Keys before my company will allow me to purchase Business Licenses.

Thanks in advance for any help....


  • Moderators

The MD5 and SHA-256 file hashes for verification purposes used to be published with each new release announcement of a CCleaner update.

Each new version/update of software has a different file hash.
Both the Home version and Business version hashes were provided.

For some reason though that appears to have stopped happening?

For example here is the last set I can find published, although it's obviously of no use except for that version.
https://community.ccleaner.com/topic/59664-ccleaner-v5758238/#comment-325532

I'll flag this up to the staff to ask why they are no longer being provided.

In the meantime I suggest that you email support again asking specifically for "The CCleaner v6.07.10191 business version MD5 and SHA-256 file hashes for verification purposes".
Note from that link above that you will have to be specific about which business edition/version you have, and if you want the installer or application hashes or both.

*** Out of Beer Error ->->-> Recovering Memory ***

Worried about 'Tracking Files'? Worried about why some files come back after cleaning? See this link:
https://community.ccleaner.com/topic/52668-tracking-files/?tab=comments#comment-300043



CCleaner is a utility software program that is designed to optimize and clean up a computer's system by removing temporary files, cookies, and other unnecessary data. The signing key thumbprint is a unique identification code that is associated with the digital certificate used to sign the CCleaner software. This thumbprint can be used to verify the authenticity and integrity of the software, as it ensures that the software has not been tampered with or modified in any way.

To find the signing key thumbprint for CCleaner, you can follow these steps:

  1. Download and install CCleaner on your computer.
  2. Right-click on the CCleaner icon and select "Properties" from the context menu.
  3. Go to the "Digital Signatures" tab.
  4. Select the digital signature from the list, and then click on the "Details" button.
  5. Click on the "View Certificate" button.
  6. Go to the "Details" tab, and then scroll down to the "Thumbprint" field.

The thumbprint will be displayed as a series of hexadecimal digits, which should match the thumbprint listed on the CCleaner website or other official sources. You can use this thumbprint to verify the authenticity and integrity of the CCleaner software.


I don't think I was clear enough.

Software is signed using Public Key Cryptography.  The company keeps the Secret Key private and uses it to sign software.  The Public Key CAN BE made public.  Why would I want the Public Key?  To verify directly from the company THAT was the key used to sign the software!  That Public Key I receive directly from the company when I ask for it, or if it is published on their website, has a Thumbprint that I can use to VERIFY with the Thumbprint obtained by right-clicking on the executables and choosing Properties/Digital Signatures/Details/View Certificate/Details/Thumbprint.

All security-minded companies provide you with their Public Key so that you can verify THAT was the Key Pair used to sign their software.

Otherwise, digital signatures can EASILY be removed from executables, changes made to the executable, resigned with the malefactor's key and unless you VERIFY WITH THE COMPANY'S PUBLIC KEY, you will be none the wiser you have a non-authentic version of CCleaner. 

Surely, considering CCleaner's history and its parent company's history, somebody at the company is reading this and working to make THEIR ONE SIGNING PUBLIC KEY AVAILABLE!  Not a mishmash of signing keys, NONE OF WHICH is available.

Thank you to everybody that responded....but my question hasn't been answered.


Merry Christmas Everyone,

Perhaps I can solve my problem in a "distant second" way....

Does anyone have the Thumbprint of the key used to sign their copy of the installer?

1) CCleaner Pro Trial 6.07.

2) Ccleaner Pro Plus 6.07.

3) CCleaner Business 6.07.

You can get this information by Right-Clicking on the Installer and choosing Properties/Digital Signatures/SHA 256 Details/View Certificate/Details/Thumbprint

If I can get a consensus of similar Thumbprints, that would be helpful.

Thank you in advance!


  • Moderators

As I said above - the SHA-256 hashes used to be routinely published with each new version release.

I have asked the staff why this is no longer being done.




  • Moderators

@xusmc

See here

https://docs.precisely.com/docs/sftw/spectrum/ProductUpdateSummary/ProductUpdateSummary/source/about_sha256.html

Follow the steps and you will get the SHA-256 of your installer.

Now go to Virus Total

https://www.virustotal.com/gui/home/upload

Click upload file (the installer you want to check)

When it computes then click on the details tab.

Look at the SHA-256 and you will see that 62 virus/malware companies have already done it and the file is good (green)

https://www.virustotal.com/gui/file/d961bf347c05b32848b3481250e95c485aebfa2761fae765bb9e00c55a6e8985/details

The screenshot I am pasting now is what the file shows on my machine after following the steps I outlined in my first link of the post.

It is the same SHA-256 as VirusTotal shows.

Give it a try :)


[Attached screenshot: Screenshot 2022-12-26 150821.jpg]


Support contact

https://support.ccleaner.com/s/contact-form?language=en_US&form=general

or

support@ccleaner.com



Thank you to all.  But to Nukecad and Hazlenut.

Unless I am understanding Public Key encryption entirely wrong (which might be the case, as I am not a techie), the SHA-256 hash that the authors used to publish is simply a "thumbprint" of the digital signature, which will change with every release, since the code is changed with every release.  Yes, that would be a good way to check the authenticity of each release.

I think going the "virustotal route" is a good idea, as I am taking what many other companies are doing (ensuring the signature was authentic, with respect to the public key) and comparing the results to my own Win10 browser.

What I really want, though, is the Thumbprint of the PUBLIC KEY used to sign each release.  That way, if Win10 says the "signature is good", I can then ensure the same Public Key listed there is the same one the company STATED they used.  If you publish a public key, you do not have to publish a hash of the digital signature with each new release.  Windows verifies the digital signature AND you can verify the public key thumbprint Windows SAYS it used, with the one the company SAYS it used. 

I may be overthinking this, but without a public key statement on the company website, I won't be able to buy any licenses for my company.


  • Moderators

There is obviously some confusion about just what it is that you are looking for here.

It appears to be a terminology problem, possibly because old terms and old security measures get replaced by new ones?
(And sometimes using the old terms confuses people, particularly those support people who are young enough never to have used them).

I believe that the 'Thumbprint' you are meaning here is embedded in the SHA-256 hash nowadays, and so if the 256 hash matches then that match includes the thumbprint and much more.

Is this what you are looking for? (this is the CCleaner v6.07 Slim installer)
Right click the installer exe file and select Properties.
On the Digital Signatures tab select the SHA-256 signature and select Details.
On the General tab select 'View Certificate'.
On the Details tab scroll down to Thumbprint.

[Attached screenshot: thumbprint.JPG]



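A scripted version of the right-click steps in the post above, added here as an example and not taken from the thread or from the CCleaner project: it reads the same signer thumbprint that the Properties dialog shows, records the file hash and a public-key fingerprint alongside it, and stops if the thumbprint does not match a value you have pinned in advance. The installer path and the expected values are placeholders to be replaced with your own.

```powershell
# Added example: verify a Windows installer's Authenticode signer thumbprint.
# $InstallerPath and the Expected* values are placeholders, not real values.
$InstallerPath  = 'C:\Downloads\ccsetup.exe'                       # assumed path
$ExpectedThumb  = '0000000000000000000000000000000000000000'        # placeholder, 40 hex chars
$ExpectedSha256 = $null   # set to a vendor-published SHA-256 for this release, if you have one

# 1. File hash: changes with every build, so it identifies one release only.
$fileHash = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash

# 2. Authenticode check: Windows validates the certificate chain and that the
#    signed hash still matches the file. A file re-signed with someone else's
#    trusted code-signing certificate would also report 'Valid', which is why
#    the thumbprint comparison in step 3 is the part that ties it to the vendor.
#    (Only the primary signature is returned; a dual-signed file's second
#    signature is not inspected here.)
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}

# 3. Certificate thumbprint: SHA-1 over the DER-encoded signing certificate.
#    Identical for every file signed with that certificate until it is renewed,
#    so this is the value worth pinning.
$cert  = $sig.SignerCertificate
$thumb = $cert.Thumbprint

# 4. Public-key fingerprint: SHA-256 over the raw public key bytes, which
#    survives a certificate renewal that reuses the same key pair.
#    (Assumption: hashing GetPublicKey() output, not the full SubjectPublicKeyInfo.)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$keyFp  = ($sha256.ComputeHash($cert.GetPublicKey()) | ForEach-Object { $_.ToString('X2') }) -join ''
$sha256.Dispose()

[pscustomobject]@{
    File            = $InstallerPath
    SignatureStatus = $sig.Status
    Subject         = $cert.Subject
    Issuer          = $cert.Issuer
    NotAfter        = $cert.NotAfter
    CertThumbprint  = $thumb
    PublicKeyFP     = $keyFp
    FileSHA256      = $fileHash
}

if ($thumb -ne $ExpectedThumb) {
    throw "Signer thumbprint $thumb does not match the pinned value $ExpectedThumb"
}
if ($ExpectedSha256 -and $fileHash -ne $ExpectedSha256) {
    throw "File hash $fileHash does not match the published value $ExpectedSha256"
}
'OK: signature valid and signer thumbprint matches the pinned value'
```

Run it once on a copy you trust to learn the thumbprint, then pin that value and rerun it on each new download; the file hash will differ per release while the thumbprint stays the same until the vendor's certificate is renewed.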

Thanks, Nukecad.  I was aware of the steps above, as I outlined them myself higher up in my posts.

OK...your steps above, as mine, shows us the UNIQUE THUMBPRINT (or fingerprint, if you use PGP) of the KEY USED TO SIGN THE SOFTWARE.

Great.  Now how do we know that someone did not detach the signature from the executable file, change the software, sign it using ANOTHER KEY, and then post it on CCleaner's website?  Well....your steps above trust the BROWSER or WINDOWS to do the checking for you.  That normally works 99% of the time.

All I wanted was for CCleaner to post ON THEIR WEBSITE the thumbprint of the key used to sign the software.  It should match what you posted above under "Thumbprint"!!!!

See here for additional info:  https://knowledge.digicert.com/solution/SO9840.html

There may be a hash/thumbprint/fingerprint of the SIGNATURE or the same for the KEY ITSELF.  I want the hash/thumbprint/fingerprint of the KEY ITSELF to be posted by CCleaner on their website, in order to further verify what my browser or Windows tells me (as it told you above).

I can't be any more clear than that.

Thanks....


  • Moderators

PGP is rare to see used nowadays, it used to be commonplace however. For example downloading some antivirus say like 20+ years ago like F-PROT where people downloading the software could also download the key to verify the antivirus had not been tampered with.

Piriform ("CCleaner") to my knowledge has never used PGP. In recent years they were however publishing the MD5 and SHA-256 of the downloads that people could use to verify a download was authentic using a free third party hashing tool such as HashTab, Nirsoft HashMyFiles, or some of the portable hash verification tools hosted by PortableApps.com, etc. Typically in the Announcements area of the forum when a new version was released they used to post the MD5 and SHA-256 hashes, however they haven't been doing that for a while now.


For approximately the third time, an SHA-256 hash is of the SIGNATURE.

I need the Thumbprint/Fingerprint of the KEY used to sign to be posted on CCleaner's website.

It's OK guys.... I will have to look for a solution elsewhere.

Thank you for your time and Happy New Year.


I couldn't resist....

"In public-key cryptography, a public key fingerprint is a short sequence of bytes used to identify a longer public key. Fingerprints are created by applying a cryptographic hash function to a public key. Since fingerprints are shorter than the keys they refer to, they can be used to simplify certain key management tasks. In Microsoft software, "thumbprint" is used instead of "fingerprint."  (https://en.wikipedia.org/wiki/Public_key_fingerprint)

Hashes can be made from Public Keys or from Signatures.  But they are usually used only for the Public Key itself, so that a giant public key can be reduced to a simple and shorter hash sequence.

I want CCleaner to post on their webpage the PUBLIC KEY THUMBPRINT they use to sign all the software they write.  My research has shown that they use MANY keys to sign their software.  Why is this?  Nobody uses a mish-mash of different keys like this to sign a limited variety of software.

It might have to do with hackers five years ago installing malwared updates on CCleaner's website that millions of people downloaded.  But I don't see how.

I thought I would try once more....since Wiki seemed to explain things better than I apparently could.


  • Moderators

We moderators are just ordinary users like yourself and cannot give you what you want.

As you do not seem to feel that 60+ security companies on VirusTotal can give you enough reassurance, I suggest you email CCleaner, enclosing your last post (and perhaps a link to this thread) telling them that you wish to become a business user and can they escalate your question to management.

support@ccleaner.com

Or use the business enquiry webpage.

https://www.ccleaner.com/contact/business-enquiry



