Gears of War certificate expiry a reminder to developers: always timestamp signed code

Users of the PC version of Gears of War have been unable to run the game since yesterday (29th January 2009). If they try, they get a message:

You cannot run the game with modified executable code

Joe Graf from Epic has acknowledged the problem:

We have been notified of the issue and are working with Microsoft to get it resolved. Sorry for any problems related to this. I’ll post more once we have a resolution.

The workaround is to set back your system clock. An ugly solution. Of course, some users went through the agony of full Windows reinstalls in an effort to get playing again.

So what happened? This looks to me like a code-signing problem, not a DRM problem as such, though the motivation for it may have been to protect against piracy. Code signing is a technique for verifying both the publisher of an executable and that it has not been tampered with. When you sign code, for example using the signwizard utility in the Windows SDK, you have to select a certificate with which to sign, and then you have an option to apply a timestamp. The wizard doesn’t mention it, but the consequences of not applying a timestamp are severe:

Microsoft Authenticode allows you to timestamp your signed code. Timestamping ensures that code will not expire when the certificate expires because the browser validates the timestamp. The timestamping service is provided courtesy of VeriSign. If you use the timestamping service when signing code, a hash of your code is sent to VeriSign’s server to record a timestamp for your code. A user’s software can distinguish between code signed with an expired certificate that should not be trusted and code that was signed with a Certificate that was valid at the time the code was signed but which has subsequently expired … If you do not use the timestamping option during the signing, you must re-sign your code and re-send it out to your customers.

Unfortunately, there is no timestamping for Netscape Object Signing and JavaSoft Certificates. Therefore you need to re-sign your code with a new certificate after the old certificate expires.

I don’t know if this is the exact reason for the problems with Gears of War, and I’m surprised that the game refuses to run, as opposed to issuing a warning, but this could be where the anti-piracy measures kick in. Epic’s programmers may have assumed that the only reason the certificate would be invalid is if the code had been modified.

I blogged about a similar problem in February 2006, when a Java certificate expired causing APC’s PowerChute software (a utility for an uninterruptible power supply) to fail. That one caused servers to run slow or refuse to boot.

As far as I know, there is no way of telling whether other not-yet-expired certificates are sitting on our PCs waiting to cause havoc one morning. If there are some examples, I hope they do not affect software running, say, Air Traffic Control systems or nuclear power stations.

If you are a Windows developer, the message is: always timestamp when signing your code.
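
The difference a timestamp makes at verification time, and why an expired certificate should be reported separately from modified code, shown as an added example (not code from Epic, Microsoft or the original post). It is a simplified model: `Signature`, `verify` and `launcher_message` are hypothetical names, no real Authenticode parsing or PKI is performed, and all bytes and dates are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime
from enum import Enum

class Status(Enum):
    VALID = "valid"
    TAMPERED = "file digest differs from the signed digest"
    CERT_NOT_VALID_NOW = "no timestamp and certificate not valid at verification time"
    BAD_SIGNING_TIME = "timestamp falls outside the certificate validity window"

@dataclass
class Signature:  # simplified model: no real PKI or cryptographic signature
    signed_digest: str
    not_before: datetime
    not_after: datetime
    timestamp: "datetime | None" = None  # trusted signing time, if one was applied

def verify(data, sig, now):
    if hashlib.sha256(data).hexdigest() != sig.signed_digest:
        return Status.TAMPERED
    # With a timestamp, judge the certificate at signing time; without one, at "now".
    reference = sig.timestamp if sig.timestamp is not None else now
    if sig.not_before <= reference <= sig.not_after:
        return Status.VALID
    return Status.BAD_SIGNING_TIME if sig.timestamp is not None else Status.CERT_NOT_VALID_NOW

def launcher_message(status):
    # Only TAMPERED is evidence of modified code; expiry is reported separately.
    if status is Status.VALID:
        return "run"
    if status is Status.TAMPERED:
        return "refuse: executable code was modified"
    return "warn: signature can no longer be validated (" + status.value + ")"

def demo():
    # Constructed sample data; the dates are not those of any real certificate.
    exe = b"constructed game binary"
    digest = hashlib.sha256(exe).hexdigest()
    start, end = datetime(2020, 1, 1), datetime(2021, 1, 1)
    signed_on, later = datetime(2020, 6, 1), datetime(2021, 1, 2)
    plain = Signature(digest, start, end)
    stamped = Signature(digest, start, end, signed_on)
    return {
        "plain_before_expiry": verify(exe, plain, signed_on),
        "plain_after_expiry": verify(exe, plain, later),
        "stamped_after_expiry": verify(exe, stamped, later),
        "patched_after_expiry": verify(exe + b"!", stamped, later),
    }
```

Calling `demo()` shows the untimestamped signature failing the day after expiry while the timestamped one still verifies, and the unchanged file is never classified as tampered.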