← Blog
IndustryJune 23, 2026·7 min read·4 views

A signature is a receipt, not a verdict

Our process collector is unsigned. Here is why that is not the contradiction it looks like, and how to check us anyway.

Every driver in our Field Guide that has ever been used to disable an antivirus, drop ransomware, or load unsigned code into the Windows kernel has one thing in common.

They were all signed.

RTCore64.sys from MSI Afterburner. mhyprot2.sys from Genshin Impact. capcom.sys from Street Fighter V. The dbutil_2_3.sys driver Dell shipped for over a decade. Every one of them carried a valid code-signing certificate from a company Microsoft had vouched for. The certificate is the reason they load at all. It is also the reason they kept loading long after the world knew what they could do.

So when it came time to put our own software on your machine, the process collector that powers everything Vera does, we had to be honest with ourselves about what a signature would actually buy you.

The answer is: less than you think.

What the checkmark actually certifies

When you download a signed Windows program, you do not see a warning. When you download an unsigned one, Windows puts up a wall. "Windows protected your PC." Unknown publisher. Are you sure.

It feels like the difference between safe and unsafe. It is not. It is the difference between paid and unpaid.

A code-signing certificate, the kind that makes that warning go away, costs a few hundred dollars a year. It requires a registered business entity and, for the kind that builds trust fastest, a hardware token you keep in a drawer. What you are buying is a one-time check that you are a real legal entity, and a cryptographic stamp that says these exact bytes came from that entity.

That is worth something. We will get to what. But notice what it is not. Nobody read the code. Nobody ran it. Nobody checked whether it spies on you, or crashes your machine, or opens a hole in your kernel. The certificate authority does not know what your program does and does not claim to. The Field Guide is four hundred and thirty-five proofs of this in a row. RTCore64.sys, mhyprot2.sys, capcom.sys, every one of those drivers passed the gate. The gate was never checking what you thought it was checking.

A signature certifies that someone paid and proved who they were. It does not certify that the software is safe. Those are different facts, and the warning on your screen quietly pretends they are the same one.

Where this argument breaks down, and we are not going to pretend it doesn't

It would be easy to stop here. To say the whole system is theater, the certificate is a tax on the honest, and being unsigned is a badge of principle. That is the version of this post that would feel the best to write.

It would also be a lie by omission, and we run a project that has a rule about those.

A signature does two real things, and neither of them is nothing.

The first is tamper-evidence. If someone slips between us and you, a compromised download mirror, a hijacked connection, a reseller with bad intentions, and they change one byte of our installer, a signature would break. The check would fail and you would know. Without one, you are trusting that the file that reached you is the file we shipped, and you have no built-in way to prove it.

The second is accountability. A signature ties the bytes to an entity that can be named, sued, and eventually cut off. If a signed program turns hostile, its certificate can be revoked, which at least slows the next person from installing it.

So being unsigned costs you something. We are not going to wave that away. The question is not whether the cost is real. It is whether the thing you are buying with it is the thing you actually want, or just the thing that makes the warning disappear.

What we decided to give you instead

Here is the deal we would rather make with you.

We are not going to pay a certificate authority to make Windows stop asking questions about us. Buying silence is not the same as earning trust, and our entire Field Guide is an argument that you should never confuse the two. The checkmark would certify the one thing we care least about, our ability to pay, and stay silent about the thing we care most about, what the software actually does on your machine.

So instead of asking you to trust the certificate, we are going to give you the substance the certificate skips.

We publish the SHA-256 hash of every build we ship. That is the same tamper-evidence a signature gives you, handed to you directly instead of brokered by a company you also have to trust. Download the collector, run one command, compare the result to the number we published. If they match, you have the bytes we shipped, byte for byte. If they do not, do not install it, and tell us. On Windows that command is Get-FileHash. We will show you exactly how, right next to the download.

We describe, in plain words, what the collector reads and what it sends. Not a privacy policy written to be unreadable. The actual list. You should be able to know what is leaving your machine without a lawyer.

And we hold ourselves to the rule we hold every driver in the guide to. Ground truth or silence. The record before the argument. If we cannot show you something, we will not ask you to take it on faith.

Trust is not something we ask for. It is something we earn continuously. A certificate is a receipt for a payment. We would rather give you a way to check the work.

The honest part, including the awkward part

When you install our collector, Windows is going to warn you. Unknown publisher. We could make that go away tomorrow for the price of a certificate, and there is a real version of our future where we buy one, because the warning scares away people who would have been glad to have us, and a tamper-evident signature genuinely is a good thing to layer on top of everything else.

But we did not want the first thing we ever taught you about trust to be: see, no warning, we must be fine. That is the exact reflex the Field Guide exists to break. The warning on an unsigned installer is at least honest about its own ignorance. It is telling you it does not know us. It is right. It does not. The fix for that is not to pay it off. The fix is to give you a real way to find out.

This is our first step, not our last word. We may sign builds later. If we do, we will tell you the day we start, and the hash will still be published, because the hash was never the part we were trying to get out of.

Why this belongs to Vera specifically

The whole reason Vera exists is that the gaming world keeps handing people a binary choice between blind trust and exclusion. Install the kernel-level anti-cheat and trust it, or do not play. Accept the accusation or prove a negative. Take the green checkmark as gospel or get walled out at the download.

We are trying to build the third thing. Not a wall, and not blind faith. A record you can check yourself.

It would be a strange project that demanded legibility from every driver on your system and then asked you to install its own software on the strength of a sticker it bought. So we are not going to. Here is what it is. Here is what it does. Here is the number that proves you got the real one.

Do not trust us. Verify us.

Then play.

The Vera Team

code signingtrusttransparencyintegrityfield guide
Never miss a dispatch

If this was worth reading, the next one will be too. Get new Vera writing in your inbox, only when there's something worth your time.

Double opt-in. One-click unsubscribe, always. We never share your email.
Join the conversation

Have a reaction to this? Vera's ideas board exists for exactly this. Bring your disagreements, your edge cases, your "but what about..." moments.

Share an Idea →
Vera Project