The WriteLog team has published pgp digital signatures for all its downloadable and installable binaries for many years. As of version 12.10, we now also digitally sign our version 12 downloadable and installable files with a Code Signing Certificate. This technology enables Windows to display the fact that “WriteLog Contesting Software LLC” is the publisher of what you are about to install rather than “unknown publisher.”
As a user of Microsoft Windows, you still have to understand what the signature means and how Microsoft displays its signature checks else the signature provides no security. Ultimately, if you don’t learn how to understand and verify the digital signatures, then you remain vulnerable to hackers compromising the source of your download, even if that source is writelog.com. The good news for using the Code Signing Certificate is that there are fewer steps for you to take than to verify a PGP signature.
When you download a WriteLog installer exe file from writelog.com, look for this text from Windows:
Publisher: ... WriteLog Contesting Software LLC ...
If you don’t see WriteLog Contesting Sofware LLC, then do not run the exe file!
Later, when you try to install, Windows will put up a dialog, when asking for your administrator password
Verified publisher: WriteLog Contesting Software LLC
Again, if you don’t see that
Verified publisher then then do not complete the installation!
What does the presence of those two messages actually mean?
Those messages mean that the WriteLog team has qualified under the terms of Microsoft’s Code Signing Certificate conditions, that WriteLog Contesting Software, LLC exists. Furthermore, the messages mean that someone in possession of WriteLog Contesting Software’s secret key has digitally signed the installer exe (in the first case above) and the installer msi file (in the second case above.)
Those messages mean nothing more and nothing less than the previous paragraph. In particular, they do not imply that any of the above code is somehow safe to run on your PC. All the messages mean is that you can have some confidence that the code you are running actually came from the WriteLog team.
Why do we continue to publish two different signatures?
We take your computer security seriously and provide you multiple means for determining that the code you are installing actually came from us. Verifying our PGP signature is a way to provide a decentralized trust mechanism for you to decide on the trustworthiness of our signature. You obtain our public key from the internet somewhere, and you decide whether it can be trusted. But, as of October, 2016, we also provide a digital signature that is, in turn, signed by a Microsoft-authorized signing authority that has, in turn, verified that WriteLog Contesting Software LLC exists per the criteria that Microsoft has established for such verification. For the Code Signing Certificate, you have to decide whether to trust those authorities (Microsoft, and the companies to whom they delegate signing.) The trust question ultimately resides with you, the end user.
Hoping you will allow me to make a tongue-in-cheek analogy with politics: if you are a voter in the USA and sympathize with the Libertarian party, you don’t trust authority, and the PGP signatures fit your style of thinking (if it worked for me and my friends before, then I’ll trust it like gold in future.) If, on the other hand, you sympathize with the centralization favored especially by Democrats, and to a lesser extent by Republicans, then your style is to trust the authority that signed our Code Signing certificate (if Microsoft set it up, then it must be good.)
And in both cases, PGP signatures and Code Signing signatures, you, the user, must actually confirm that the signature is present and valid. If you don’t verify, then all the above is for naught and your machine will eventually be compromised.