To Trust or Not to Trust

Microsoft offers a digital signing technology, called Authenticode, that can be used to verify that an executable item comes from the publisher it claims to come from and that it has not been changed, deliberately or otherwise, since it left the publisher's hands. The publisher computes a cryptographic hash of the file and signs that hash with the private key of its code-signing certificate; when the file reaches you, Windows recomputes the hash, checks the signature with the publisher's certificate, and compares the two hash values. If even a single bit of the file has changed, the hashes no longer match and the signature is invalid. Windows 7 blocks installation of any code that has an invalid signature; a failed comparison means the program file is corrupt (possibly because it was damaged during downloading) or that it has been tampered with.

A digital signature doesn't promise that the signed item is healthy and benevolent. It confirms only that the bits you're about to download are the authentic work of a particular party and haven't been tampered with on their way to you. However, it is prudent to regard an unsigned item, or an item without a valid signature, as a potential threat.

Assuming the signature is valid, you can use the information contained within that signature to make an additional determination: do you trust the person or organization that attached the signature to the file? When the Security Warning message reports that the item has been digitally signed, the publisher name it displays is taken from the signing certificate; if that publisher is reputable, you must then decide how much confidence you have in it.

Normally, you make choices about whether or not to install a signed item on an individual basis. But you can choose to trust a particular publisher and allow its software to be installed automatically without any prompting. Or you can decide that the publisher of a particular program is not trustworthy and that you do not want any products from that publisher to be installed on your computer, under any circumstances.
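The verification described above (recomputed hash versus the hash in the signature) and the three per-publisher decisions just listed (prompt, always allow, never allow) can be reproduced from a PowerShell prompt. The following function is an added example written for this page, not code from Microsoft or from the original text. It relies on the built-in Get-AuthenticodeSignature cmdlet, whose Status values (Valid, NotSigned, HashMismatch, NotTrusted and so on) are the real outcomes of that check, and it looks the signer up in the current user's TrustedPublisher and Disallowed certificate stores, which is where Windows records the "always trust" and "never trust" choices. The function name, the verdict strings and the notepad.exe usage line are this example's own assumptions.

```powershell
function Get-AuthenticodeVerdict {
    <#
        .SYNOPSIS
        Checks a file's Authenticode signature and reports what a user
        should do with it: allow, block, or decide case by case.
        (Example code written for this page; the function name and the
        verdict wording are assumptions, the cmdlet and stores are real.)
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # Get-AuthenticodeSignature recomputes the file's hash and compares it
    # with the signed hash embedded in the file. Any changed byte since
    # signing produces Status = HashMismatch; a missing signature produces
    # NotSigned; a chain that does not end at a trusted root produces NotTrusted.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $publisher  = $null
    $thumbprint = $null
    if ($sig.SignerCertificate) {
        $publisher  = $sig.SignerCertificate.Subject      # name shown in the Security Warning
        $thumbprint = $sig.SignerCertificate.Thumbprint   # identifies the exact certificate
    }

    # Per-user trust decisions live in two certificate stores:
    #   TrustedPublisher  - "always install software from this publisher"
    #   Disallowed        - "never install software from this publisher"
    $trusted    = $false
    $distrusted = $false
    if ($thumbprint) {
        $trusted = [bool](Get-ChildItem Cert:\CurrentUser\TrustedPublisher |
                          Where-Object Thumbprint -eq $thumbprint)
        $distrusted = [bool](Get-ChildItem Cert:\CurrentUser\Disallowed |
                             Where-Object Thumbprint -eq $thumbprint)
    }

    # Map the signature status plus the trust stores onto the decisions the
    # text describes. A Valid signature only proves origin and integrity;
    # whether to trust the publisher is a separate question.
    $verdict = switch ($sig.Status.ToString()) {
        'Valid' {
            if ($distrusted)  { 'Block: publisher explicitly distrusted (Disallowed store)' }
            elseif ($trusted) { 'Allow: publisher already trusted (TrustedPublisher store)' }
            else              { 'Prompt: signature valid; decide whether to trust this publisher' }
        }
        'NotSigned'    { 'Prompt: unsigned; treat as a potential threat' }
        'HashMismatch' { 'Block: file changed or corrupted after it was signed' }
        'NotTrusted'   { 'Block: signing certificate does not chain to a trusted root' }
        default        { "Block: signature could not be verified ($($sig.Status))" }
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Publisher  = $publisher
        Thumbprint = $thumbprint
        Verdict    = $verdict
    }
}

# Usage (assumed sample target): a system binary signed by Microsoft.
Get-AuthenticodeVerdict -Path "$env:SystemRoot\System32\notepad.exe" | Format-List
```

To see the integrity check fail, copy a signed executable, change one byte of the copy with a hex editor, and run the function on the copy: Status changes from Valid to HashMismatch even though the signer certificate is still embedded in the file. Run the function on a file from an installer you downloaded before deciding whether to add its publisher to the TrustedPublisher store; once it is there, subsequent prompts for that publisher stop.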

