Digitally Signed Executables
Cantabile’s executable files are now all digitally code signed. When running the installer you should now see a much safe looking User Account Control popup like this:
Compare the above to the older unsigned installers:
What is Code Signing
Code signing ensures that a file hasn’t been tampered with since it was signed.
The process calculates a hash of the file’s contents and attaches that hash to the file in a way that only someone with the original code signing certificate (ie: Topten Software, aka me) can do.
Code signing ensures that the file you’re installing really came from me and hasn’t been tampered with either deliberately by a hacker, or as a side effect of a virus or other malware.
Code Signing Cantabile
Commencing from build 3142 all executable code related to Cantabile is now code signed. This includes:
- The installation package
- The main Cantabile executable
- The CantabileCore.dll audio engine
- The crash report executable
- The plugin scanning executable
You can check the digital signature of any of the above files, by right clicking the file in Windows Explorer, choosing Properties and switching to the Digital Signatures tab which should look like this:
and then if you double click the TOPTEN SOFTWARE entry and then click View Certificate you can see the certificate details which should look like this:
What If the Certificate Is Missing?
For builds before 3142 the certificate will be missing. If you suspect the file may be tampered with or have concerns about using an older installer, let me know and I’ll provide hash results that you can use to manually verify the file.
For build 3142 and later if the file doesn’t have a certificate, or if you get the scarier looking orange warning message shown above then do not continue with the installation — this indicates the package has been tampered with.
Conclusion
Starting with build 3142 all Cantabile installation packages and contained executable code is digitally signed to verify the code hasn’t been tampered with since being built.
If you encounter a non-signed installer after build 3142, don’t install it and please contact me with the details.
Hopefully this will provide some added peace of mind and some real added security to using the Cantabile installation packages.