The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.

We're closed, folks!

Signing exes to prove who it came from - why?

I'm tossing up whether to shell out for a cert to sign my exes, but I can't really afford it.  Yes, I'm very poor.  :)

One of the recurring reasons that I see for doing it, is that it proves to the downloader that the file definitely came from the author and hasn't been tampered with before delivery.

Now, considering that the user downloaded it directly from my website, why is such proof even needed?  They know they got it from me.  I don't get it.  Seems to be a scare-mongering scam to me.
Harry Phace
Friday, February 22, 2013

And yes, I know they *might* have downloaded it from other than my site, such as an unauthorised mirror site, but then that's not my problem.
Harry Phace
Friday, February 22, 2013

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

Or suppose your site gets hacked and your downloads get tampered with.
Dmitry Leskov @Home
Friday, February 22, 2013

Both very unlikely, though.
Harry Phace
Friday, February 22, 2013

If you're on Windows then yes, you should sign executables.

In my experience it greatly reduces the number of issues with anti-virus programs etc. They might even forbid a user to run a non-signed executable, and without signing false positives abound.
Krzysztof Kowalczyk
Friday, February 22, 2013

The thing that sticks about it is most users aren't savvy enough to know about signing.  So if yours isn't signed, is it because you didn't sign it, or because it was tampered with?  Most people will never know.

But yeah, signing is a good idea, especially if selling B2B.
Doug
Friday, February 22, 2013

Perhaps you were looking at VeriSign prices? Or $195 for three years is still too much for you at this point?

http://www.excelsior-usa.com/blog/excelsior-jet/cheap-code-signing-certificates/
Dmitry Leskov @Home
Saturday, February 23, 2013

I can't afford to sign unless it's about $40 per year.  Yep, I'm man enough to publicly admit that I'm almost on the streets.  I've got debts galore and two banks (including my own!) refused to consolidate my loans.  Times are tough.
Harry Phace
Saturday, February 23, 2013

Sorry things are so hard for you right now, but if you can't afford $40 or the $200 for a 3 year code signing certificate, then you can't afford to run any kind of business.

Though it *can* cost next to nothing to start an online business these days, that 'next to nothing' is not actually nothing. You will not succeed selling Windows software if it's not signed. Which means you need to sign it.

If you can't afford to sign it ...

Would you cut grass for a living if you couldn't afford even a basic lawnmower? Of course not. There is a cost - in this case a very small one - to doing business.
Marlee Ammon
Saturday, February 23, 2013

It is not about knowing that they downloaded it from you, it is about confirming you are the one you say you are.
Goran Burcevski
Sunday, February 24, 2013

"Both very unlikely, though."

The chance is basically zero if you're not Firefox Foundation or such high target.

Those who do man in the middle to send faux-executables to selected targets, where they also have control of intermediary mores, 100% of those are by intelligence services who faked the signature anyway.
Scott
Sunday, February 24, 2013

> Sorry things are so hard for you right now, but if you can't afford $40 or the $200 for a 3 year code signing certificate, then you can't afford to run any kind of business.

He shouldn't have brought up the cost since it subjects him to this sort of inane criticism. But let's talk cost. The cost is a total scam. Certs are worthless and so are the companies that sell them. The end.
Scott
Sunday, February 24, 2013

"You will not succeed selling Windows software if it's not signed."

This is false. Liar liar, pants on fire. What did you say your name and affiliation are again? You with some certs company? Loser.
Scott
Sunday, February 24, 2013

Hardly necessary, Scott.
Reluctantlyregistered
Sunday, February 24, 2013

> It is not about knowing that they downloaded it from you, it is about confirming you are the one you say you are.

And it proves nothing of the sort to the typical buyer.

So I download Firefox and it says the cert is good. Assuming I bother to check. Who does that? No one. Maybe the Firefox cert is signed from the Bolivian Marxist Revolutionary Front. 99.999% of the time no one would notice.
Scott
Sunday, February 24, 2013

Windows should check if the cert is good. If Windows recognizes the Bolivian Marxist Revolutionary Front as a valid certificate authority, there should be no 'scary' warning. If Windows does not recognize the certificate authority, the warning should be there no matter whether the file is signed. Hopefully it works that way, I didn't check this.
Goran Burcevski
Sunday, February 24, 2013

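What Windows actually evaluates on a signed executable can be inspected directly. The following PowerShell is an added example, not code from the thread; the file path is a placeholder, and the `Status` values are those of the built-in `Get-AuthenticodeSignature` cmdlet:

```powershell
# Added example: inspect the Authenticode signature Windows checks before the SmartScreen/UAC prompt.
# $path is a placeholder; point it at any downloaded .exe or .msi.
$path = 'C:\Users\Public\Downloads\setup.exe'

$sig = Get-AuthenticodeSignature -FilePath $path

# Status separates the cases argued about above:
#   Valid        - signed, chain ends at a root in the machine's trust store, bytes unchanged since signing
#   NotSigned    - no signature at all (an unsigned original and a tampered-then-stripped copy look identical)
#   HashMismatch - signature present, but the file content changed after it was signed
#   UnknownError - signed, but the chain does not reach a trusted root (typical for self-signed certs)
#   NotTrusted   - the signer or an issuer is explicitly distrusted
switch ($sig.Status) {
    'Valid'        { "Signed by: $($sig.SignerCertificate.Subject)" }
    'NotSigned'    { 'No Authenticode signature: neither publisher nor integrity can be established' }
    'HashMismatch' { 'Signature does not match the file: content was modified after signing' }
    default        { "Signature present but not trusted ($($sig.Status)): $($sig.StatusMessage)" }
}

# A timestamp countersignature keeps the signature valid after the signing cert expires
if ($sig.TimeStamperCertificate) { "Timestamped by: $($sig.TimeStamperCertificate.Subject)" }

# Walk the chain to see who vouches for the publisher, up to the root Windows trusts (or does not)
if ($sig.SignerCertificate) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($sig.SignerCertificate)
    $chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
}
```

The check answers the question raised above: a certificate from an issuer Windows does not trust yields `UnknownError`, not `Valid`, so the user still gets the warning.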
@Scott: There is an enterprise security feature in Windows called AppLocker, which can in particular block unsigned binaries or only allow those signed by certain publishers:

http://technet.microsoft.com/en-us/library/dd723678%28v=ws.10%29.aspx

You may argue that there are no AppLocker users among your customer base. Prior to signing our installers, we had received no complaints either, nor do we expect to receive any in the future, as we are catering to developers. That however does not prove that nobody is using AppLocker. Why would Microsoft spend resources on it? I guess that large financial institutions, defense contractors, and the like must be demanding this sort of protection.

What I know for sure is that some of our customers do sign their natively compiled Java apps. That is why I wrote the above referenced blog post and KB article.
Dmitry Leskov
Sunday, February 24, 2013

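An AppLocker publisher rule of the kind described above is built from the signature, which is why an unsigned build simply has no rule to match. The following is an added example using the standard AppLocker cmdlets, not code from the thread; the paths are placeholders, and the reference binary must already be signed:

```powershell
# Added example: allow only binaries signed by one publisher via an AppLocker publisher rule.
# $ref is a placeholder for an already-signed executable from the vendor you want to allow.
$ref = 'C:\Program Files\ExampleVendor\app.exe'

# Pull the publisher fields AppLocker keys on: signer subject, product name, binary name, version
$info = Get-AppLockerFileInformation -Path $ref
$info.Publisher   # PublisherName / ProductName / BinaryName / BinaryVersion

# Build a policy allowing Everyone to run anything signed by that publisher.
# A copy that is unsigned, or re-signed under another certificate, matches no rule and is blocked.
$policy = New-AppLockerPolicy -FileInformation $info -RuleType Publisher -User Everyone -Optimize
$policy | Format-List   # review the generated rule before deploying it

# Dry run: evaluate files against the policy without enforcing it.
# The unsigned installer path is a placeholder; expect Denied for it and Allowed for $ref.
Test-AppLockerPolicy -PolicyObject $policy -Path $ref, 'C:\Users\Public\Downloads\unsigned-setup.exe'

# To enforce locally (admin rights, Application Identity service running), merge into the existing policy:
# Set-AppLockerPolicy -PolicyObject $policy -Merge
```

Enforcement is commented out so the script is safe to run as an audit on a workstation; in an enterprise the policy is normally distributed through Group Policy rather than set per machine.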
Certificates are a business necessity nowadays. Who cares if it is fear mongering or the certificate authorities are faceless greedy corporations? The lion's share of the customer base use Windows, and Windows will admonish and tsk tsk to no end your customers if they try to install your unsigned (or self-signed) application.

Buckle up and shell out your hard-earned grocery money if you believe there is money in distributing your software.
Leonardo Herrera
Wednesday, February 27, 2013

"Windows will admonish and tsk tsk to no end your customers if they try to install your unsigned (or self-signed) application"

I gave an unsigned exe to my Facebook-loving sisters to install to try.  They got a warning prompt, and clicked right through it to install the app.  The warnings meant nothing to them.  I assume the general public would react the same way.  It's only people like us who actually know what it means, and care.
Harry Phace
Thursday, February 28, 2013

BTW, they're in their 30s and 40s, not teenagers.
Harry Phace
Thursday, February 28, 2013

@Harry - that could be because you gave it to her and she trusts you; anyone got any figures on this?
Jonathan Matthews
Thursday, February 28, 2013

I guess that's possible (implied trust) but I doubt it.  They didn't ask "what does this mean" or "what should I do here" when the prompt came up.  They just clicked through it as though it were nothing.
Harry Phace
Thursday, February 28, 2013

If you sell to professionals or businesses, sign it. Otherwise, you can probably get away with it.

And are you really doing B2C? Srsly?

Thank god.
Bring back anon
Thursday, February 28, 2013

I'm actually going to spend a day soon doing market research about this very subject.  I'm going to ask around 300 random people in the street (or shopping mall) if they've ever installed PC software before.  Those that say yes, I will then show a picture of a warning prompt and ask what they would do when seeing it when installing an app.  Will be interesting.
Harry Phace
Saturday, March 02, 2013

I think in the end it just looks more professional to have it signed.
Thomas Oeser
Friday, March 08, 2013