In SuperOffice we strive to do everything within our means to ensure the safety and security of our product. One aspect of this security is X509 signatures on the binaries we provide our customers.
Rest assured that all SuperOffice code is signed with X509 Verisign Class 3 code-signing certificates at compile-time, with time-stamping enabled. It has been signed with a “normal” certificate, which can be verified through regular certificate trust via Verisign. This certificate is not something a customer should need to install, nor need to update.
Each and every DLL or EXE file which is part of the SuperOffice product-suite can be verified to have been signed and made by us and that it has not been altered. This can be verified in Windows Explorer by right-clicking a file and selecting properties on any DLL or EXE part of SuperOffice:
On top of that all our installers which contains these X509-signed binaries are themselves X509-signed. This also applies to the Sales & Marketing web-installer, which in turn contains the SuperOffice WebTools-installer, etc etc.
On top of that all Office-integration components (like Outlook Mail Link) is required to contain a Addin-“manifest”. For security reasons the manifest is required to:
- Contain the crypto-hash of each file involved in the integration, ensuring that no file has been tampered with exchange for another.
- Contain a compounded crypto hash of this manifest, ensuring that the manifest itself has not been altered.
- itself, with all crypto-hashes, to also be signed with a X509 Verisign Class 3 code-signing certificate, ensuring that the manifest you have was created by us.
This means that if any part of this trust-chain fails, or that any DLL/EXE has been altered, Outlook Mail Link will not load.
Unfortunately this is not enough to make Microsoft Outlook display our signatures clearly in the AddIn-window. We have investigated this, but haven’t found any documentation on how to resolve this issue.
Despite that we want you to know that absolutely no code gets out of our build-system unsigned. Running Outlook Mail Link should not in any way be considered a security risk.