Codesign for Windows

I'd be interested in what they supplied as evidence of ‘solidarity’.

I code sign my Mac Apps because Apple knows me.

Last time I looked into the Windows options, my business didn’t actually appear to have, use, or need any of the things that they wanted to see as evidence.
(I’m not VAT registered… I don’t even have letterheads…)
Being in (the same) business for over 20 years didn’t seem to be enough.

[quote=133143:@Joost Rongen]I agree, but why is that so expensive? To keep K-Software off the street? :slight_smile: Registering companies and independent developers does not add any value if you don’t even know about their integrity, whether they have a quality system which can be audited, etc.
Since I am involved in the production of electronics I know how important it is to design and prove according to the regulations and have that certified by a competent body before entering the market with that product.
It seems that every hobby programmer can build the software for the traffic lights on the most dangerous intersection in town, and by just putting down $100 he can prove that the software is OK to install.[/quote]

How can you, in the same post, start by finding expensive what you then say is affordable for a hobbyist? There are differences between certification bodies, price-wise and otherwise. To get the agreement of a client, I had to purchase from Verisign in the past. Today their yearly codesign license is $499, and you have to prove not only that your company is registered, but that it is well known and has a landline phone (how stupid in the 21st century). An individual must provide ID and proof of residence.
Comodo is just the easiest entry point to protect your executables from modifications, and nasty yellow Windows messages…

Windows has certain CAs embedded in it who have been granted the privilege of charging for a “digital signature.” While in an enterprise setting dealing with financial transactions it’s probably a good idea that your Java app did in fact come from Bank Consultants, Inc., my 2D Angry Birds rip-off using nothing but 8-bit graphics does not require such…

[quote=133143:@Joost Rongen]I agree, but why is that so expensive? To keep K-Software off the street? :slight_smile: Registering companies and independent developers does not add any value if you don’t even know about their integrity, whether they have a quality system which can be audited, etc.
Since I am involved in the production of electronics I know how important it is to design and prove according to the regulations and have that certified by a competent body before entering the market with that product.
It seems that every hobby programmer can build the software for the traffic lights on the most dangerous intersection in town, and by just putting down $100 he can prove that the software is OK to install.[/quote]

Joost, that’s the game :slight_smile:

To me and some of my customers this is an indication of quality and responsibility. Many of them have Windows policies preventing installation of any unsigned software by non-privileged users.

Of course everybody can pack software into a ZIP file and just send it to the customer by mail. Or you create a code-signed installer, test it on several Windows versions and languages first, add an instructional PDF or offer installation support by TeamViewer… what a difference, don’t you think so?

I agree Tomas, for this reason I would consider having a certificate too. But I hate the fact that it’s just customer-satisfaction without adding other value.

Just to give some extra info. We just had to code sign our app to prevent false positives in Norton’s anti-virus product.
Every single update we had lots of work restoring our program for certain customers, since Norton seemed to think our updater was a virus, even though it was just updating the other files that belong to our program. As a result the update would always fail for a big group of our customer base, not only overloading our support department, but also alienating a big chunk of our customer base. Signing our app with a certificate seems to have fixed this.
So it’s not just customer satisfaction, it’s unfortunately also needed in some cases.

Hi Dirk, did you share an unsigned exe with Norton AV, since they should fix this false positive in their signature file? Now you’re happy because signing luckily fixes the problem with AV, but you don’t know why, etc., so it can appear again.
Seriously, I should figure out with Norton what makes your pure exe a false positive.

I’ve given in and bought a certificate from Comodo.
I bought on a Mac and they sent me a .p7s file.
They said ‘NOTE: Please remember that we strongly advise you to backup your Private Key, because your Certificate is useless without it!’

Problems:
KSign on Windows (which is where I need it) is looking for a PFX file.
And is the p7s file the certificate or the private key, or both?

From ssl - convert .p7b key to a .pfx - Server Fault

Certificates are not about “quality” but about assuring users that things came from who they purport to come from.
That the manufacturer is who they say they are.
Counterfeit products are as much a problem in software as they are in other areas.
There are fake Adobe Flash installers that install malware etc.

I have to love the items counterfeited in that link…
The RCMP has also encountered counterfeit toothpaste, chainsaws, hockey and bicycle helmets, light fixtures, automobile parts, circuit breakers, pharmaceuticals, shampoo, batteries, jewelry, and the list goes on.
TOOTHPASTE ? BATTERIES ? wow …

Massively.

Apple notebook batteries prime example.
Duracell Alkaline batteries are commonly ripped off, which is one reason why they added the ‘testing strip’ a while back…

I don’t have it. KSign says that isn’t needed.
Comodo tell me I should be able to export after opening the file in KeyChain, and save as PFX
But the PFX option is greyed out.
I’m starting to think they might have sent me the wrong kind of certificate.
What a pain.

Jeff, I have found both Comodo and kSign to be very helpful and professional. If you are having a problem with the certificate then I don’t doubt they will help to sort it out.

This may help :
https://www.networking4all.com/en/support/ssl+certificates/digital+signing/globalsign/export+from+browser/apple+safari/

Important : P12 and PFX are the same thing.

Thanks Michel.
Those are the instructions I was given.
P12 is not an option for the export.

It’s in the list of types, but always greyed out. I’m waiting to hear back from them.

I deleted everything that referred to Comodo from KeyChain, and dragged the p7b file back into Keychain. Found my certificate in 'My certificates', and finally exported to P12. Dragged that into my Windows VM, and Ksign happily uses it. Hurrah!

I bought this code signing certificate specifically to avoid having people fight with Windows Smartscreen when installing.
(Unsigned apps get a message saying that the software is not commonly downloaded, and are prevented from installing unless they are savvy enough to find the ‘install anyway’ option.)

So I’ve signed my apps and the installers, but I find this has made no difference at all to the user experience.
Isn’t the code signing supposed to quieten Windows down?

I have downloaded my software into a fresh VM, I can see that the certification is in place, yet Smartscreen prevents the install.
Have I wasted my time buying this?

[quote=205895:@Jeff Tullin]I bought this code signing certificate specifically to avoid having people fight with Windows Smartscreen when installing.
(Unsigned apps get a message saying that the software is not commonly downloaded, and are prevented from installing unless they are savvy enough to find the ‘install anyway’ option.)

So I’ve signed my apps and the installers, but I find this has made no difference at all to the user experience.
Isn’t the code signing supposed to quieten Windows down?

I have downloaded my software into a fresh VM, I can see that the certification is in place, yet Smartscreen prevents the install.
Have I wasted my time buying this?[/quote]

I had that issue when I first code signed the app, but it is just a warning, rather than what you get when you do not codesign the app, which gives a totally different warning altogether.

Over time when your app has been downloaded, the warning will go away when “trust” is created.

[quote=205895:@Jeff Tullin]I bought this code signing certificate specifically to avoid having people fight with Windows Smartscreen when installing.
(Unsigned apps get a message saying that the software is not commonly downloaded, and are prevented from installing unless they are savvy enough to find the ‘install anyway’ option.)

So I’ve signed my apps and the installers, but I find this has made no difference at all to the user experience.
Isn’t the code signing supposed to quieten Windows down?

I have downloaded my software into a fresh VM, I can see that the certification is in place, yet Smartscreen prevents the install.
Have I wasted my time buying this?[/quote]

If the app is not signed, SmartScreen pops up a yellow box with a stern warning.

If the app is signed, you get a blue box just asking permission to install.

Which one do you get ?

I suppose you are using an installer. If you were to try and simply copy the app then launch it, you will get the message every time the app is launched.

Ouch. Build 10547 of the current beta of Windows 10 has improved SmartScreen. Now instead of the usual blue bar or the yellow box familiar in Windows 7, it shows a red warning when an app is not signed, and requires checking “I understand the risk” to continue and launch the app. The kind that a user will hesitate going on with.

Anybody who is serious about distributing Windows apps should consider code signing IMHO…

I just bought a Ksoftware Comodo code signing certificate, installed it and tested some code signing successfully.

My software requires two 3rd-party DLLs. They are just flat Win32 DLLs (meaning not ActiveX). I note they are not signed although the developers’ names are shown in Details.

As this is the first time I am code signing, there are questions I would like to ask:

  1. Should I even code sign the two 3rd-party DLLs since they are not mine? My impression is that I should not.
  2. If I sign them, will there be a problem when the software gets installed at the users’ end?

I note that the three DLLs included by Xojo upon build are code-signed by the respective publishers (2 by MS and 1 by Xojo).

Thanks.