* The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.

Is a Code Signing Certificate still relevant, or is it already useless?

1. Do you recommend purchasing it at the present time?
2. And one more thing. How do users regard such certificates if they are issued not to a firm but to an individual?
For example, I have software for servers. Probably administrators in companies will not want to install the software when they see a person's name instead of a company on the Windows notification when clicking to install the program?

PS: sorry for my English.
Don Pedro
Friday, August 16, 2013
 
 
1. Yes (http://blog.kowalczyk.info/article/lh6f/Buying-a-certificate-for-signing-windows-applica.html)

2. Don't know but that's not the biggest reason you need a certificate. A certificate will decrease number of false positives from anti-virus checkers, online software checkers (like the one built into IE or Chrome) etc. Basically, Microsoft et al. scare users more when there is no certificate.
Krzysztof Kowalczyk
Friday, August 16, 2013
 
 
As someone relatively new to Windows 8 I was nearly unable to install some of my own (unsigned) software recently.

Its warnings against running unsigned exes are so strong it looks like you're blocked from doing it. It took me a while to figure out how to get around it.

Oh and before that Chrome had tried to stop me downloading it. I also got a strongly worded message from my AV software.

After that experience I no longer believe signing is optional these days.

On the own name issue... personally I find it a little off-putting; it just feels too personal to me and a tad unprofessional. Opinions may vary on that. But if it's between that and not signing I'd definitely sign with your own name.
Jonathan Matthews
Friday, August 16, 2013
 
 
"After that experience I no longer believe signing is optional these days."

Yep, extortion has won.  It's a shame.  It's like asking shops in a shopping mall to pay the mall owner to prove they're not selling drugs behind the counter.
PSB136
Friday, August 16, 2013
 
 
>>Yep, extortion has won.

This implies some profit motive on Microsoft's part. I doubt they are getting excited about certificate revenue, especially since they don't issue the certificates.
Ducknald Don
Saturday, August 17, 2013
 
 
I never mentioned Microsoft, but it's interesting to note that they have invested in VeriSign in 1996 (source: http://successfulsoftware.net/2008/02/27/the-great-digital-certificate-ripoff/).

Also, the context in which I used "extortion" was due to price hikes for no valid reason except for the fact that they can (http://smurfonspreadsheets.wordpress.com/2008/08/22/code-signing-certificate-rip-off/).

It's just crazy that we're supposed to pay someone to give the false perception of security/non-tampering.  It's like a restaurant having to pay an authority to prove they cooked the food themselves and that it wasn't cooked elsewhere or tampered with before serving it to their patrons.
PSB136
Saturday, August 17, 2013
 
 
>>I never mentioned Microsoft, but it's interesting to note that they have invested in VeriSign in 1996 (source: http://successfulsoftware.net/2008/02/27/the-great-digital-certificate-ripoff/).

I think that's implied in the discussion. I still can't see it being anything more than a line item on the MS balance sheet. They have bigger fish to fry.

>>Also, the context in which I used "extortion" was due to price hikes for no valid reason except for the fact that they can (http://smurfonspreadsheets.wordpress.com/2008/08/22/code-signing-certificate-rip-off/).

Shop around, mine cost $73 per year.

>>It's just crazy that we're supposed to pay someone to give the false perception of security/non-tampering.

Is it that false, could you certify an app with my company name? I'm not a security expert but I don't think so.

>> It's like a restaurant having to pay an authority to prove they cooked the food themselves and that it wasn't cooked elsewhere or tampered with before serving it to their patrons.

If food poisoning was as rife as malware then you would be paying much more attention to the certificates on the wall at a restaurant.
Ducknald Don
Saturday, August 17, 2013
 
 
That's okay, you keep paying kickbacks to the Internet Police and I'll just keep my money from my customers in the bank.  Each to his own.
PSB136
Saturday, August 17, 2013
 
 
Because, sarcasm aside, you'll find a lot of customers don't give two hoots about warnings.  In my experience, anyway.  I'm not paying until I absolutely have to, such as the OS flat-out refusing to run an unsigned exe.
PSB136
Saturday, August 17, 2013
 
 
It depends on your target. If your business is mom & pop B2C, no one cares. If your business is hobbyist B2C, they tend to care "a bit more". B2B seems to care a lot, especially those annoying Mac users.
Bring back anon
Saturday, August 17, 2013
 
 
Some very simplified maths:

If you're making $100k and 0.1% of your customers won't try because you didn't sign your exe it makes sense to pay the $73 (ignoring costs).

If you're making $100k and 1% of your customers won't try because you didn't sign you just lost $927.

I suspect the number will be higher than 1% in most niches.

Go with the money, signing makes sense for almost any software business which is seeing traction.
Jonathan Matthews
Saturday, August 17, 2013
 
 
I think the $73 price has gone away now. It used to be Tucows offered that huge discount on Comodo certs, but recently they're way back up in the hundreds on price.

If you are buying a cert, you should buy a three year one. Simply because the process of getting one is so laborious and error prone. Lining up business names, website ownership, website addresses and phone numbers so that everything matches -- real pain.

It's better to only have that headache once every three years.
Marlee Ammon
Saturday, August 17, 2013
 
 
You can get Comodo certs from http://codesigning.ksoftware.net/ for $95, with discounts for multi-year purchases.
Nicholas Hebb
Saturday, August 17, 2013
 
 
What exactly does the certificate company actually do?

When they sell a certificate what is the process?





AC
Reluctantlyregistered
Sunday, August 18, 2013
 
 
This is becoming a real issue in my business with the number of people contacting me saying they can't get past their anti-virus blocking the download or installation and the number of almost-immediate unsubscribes increasing massively.

I did look into this a while ago and was told that as my business is not a "Company" (I'm in the UK and am not a Limited Company) that I couldn't do it. So I wrote it off but now it's becoming increasingly important and having read more into it I'm not entirely sure that I was told the whole story.

My domain name and virtually everything else is in my personal name and registered at my home address (where I run my business from). On my web-site I use a mailing address which is based at a mail forwarding service (I never get any mail but it's a requirement that I have it and don't want to publish my home address). The phone number I use for the business is also in my own name and my home address. Also as I said earlier it's a business and not a company so effectively it's me Trading As BusinessName.

Under these circumstances (and having read the blog post someone linked to) would it be possible to register a certificate under my business name rather than doing everything under my personal name, i.e. so when the user comes to install the software it says my business name next to Publisher rather than my personal name?

Any advice would be appreciated.
Gazinhio
Sunday, August 18, 2013
 
 
Which is better, a certificate with a personal name or absence of certificate? For B2B, for example.
Don Pedro
Sunday, August 18, 2013
 
 
Re TUCOWS, the Code Signing Certificates banner is still at the top of https://author.tucows.com/. Renewed for $195 for three years back in June.
Dmitry Leskov @Home
Sunday, August 18, 2013
 
 
@Gazinhio

I've definitely seen people get sigs without a ltd company being involved but I don't know the exact process.

I've used K Software a couple of times, their prices are really good & although they ultimately use Comodo whose customer service during the validation process is in my experience very poor, the owner of K Software (Robert Vincent) comes recommended for giving good support to his customers. I'd ping him an email and ask what the process would be.
Jonathan Matthews
Sunday, August 18, 2013
 
 
@Jonathan
Many thanks for the advice. I'll email the guy at K Software and see if they can help. My users and potential users only know my business name and to see my own name pop-up when they come to install my software may be as bad as having no certificate at all. In my sector credibility is everything and giving off a professional "corporate" image to customers is v important even if they know I run a small business so I really need to have the business name there.

Cheers
Gazinhio
Monday, August 19, 2013
 
 
If you don't have a company setup (you should probably do that), then you'll at least need a "trading name" (also called a D.B.A. -- doing business as). You can't just say to these code signing companies that your company name is something without having appropriate documentation to backup the claim. You either form a proper corporation or get a D.B.A.


Registering a D.B.A. differs from state-to-state and country-to-country.

Call someone from your local small business government agency and they'll direct you to the correct forms. Or google it, I'm sure someone from your locale has gone through this exact situation before.
Wyatt O'Day
Monday, August 19, 2013
 
 
@Wyatt
In the UK you can set-up in business with any name you choose - there are some benefits to not setting up a company entity as my accountant has advised me on many occasions. Of course I do have some documentation in my business name such as my business bank account but at this stage I have no intention whatsoever of operating as a (Limited) company.
Gazinhio
Monday, August 19, 2013
 
 
You can get a certificate in your own name. I've installed software with certs issued to individual developers. ksoftware provides more information on what you'll need for a Comodo cert here:

http://certhelp.ksoftware.net/support/solutions/articles/35844-what-are-the-requirements-to-obtain-a-code-signing-certificate-
Nicholas Hebb
Monday, August 19, 2013
 
 
If a "trading name" (also called a D.B.A. -- doing business as) cannot be presented on a utility bill or phone bill, then Comodo will not allow this name to be placed on the certificate. They want to have the name on the submitted documents.
Don Pedro
Monday, August 19, 2013
 
 
Again, read the link I just posted. You can get a cert in your name without having to file as a DBA.
Nicholas Hebb
Monday, August 19, 2013
 
 
As noted above by Jonathan Matthews, using a personal name looks unprofessional. We must try to avoid it.
Don Pedro
Monday, August 19, 2013
 
 
For example, if I have a Russian name and someone sees it when he launches the installation file, he can change his mind about installing the program, because many people think that Russians are hackers and cheaters.
Don Pedro
Monday, August 19, 2013
 
 
@Nicholas
Many thanks for the link - very helpful.

@Don Pedro
This is a quote from the link that Nicholas posted:

"DBA (Doing Business As) companies can get a certificate in the business name if the name is registered with your local government, a utility company or a bank."

This should work for me as my bank account is in my business name and is displayed on my bank statements. :)
Gazinhio
Tuesday, August 20, 2013
 
 
I will second Nicholas Hebb's recommendation for ksoftware service.

I operate as a DBA and the only hiccup I had when first obtaining my certificate was they required a confirmed phone number. I use a Google phone and I needed to get it "assigned" to me via an online directory.
Patrick Hughes
Tuesday, August 20, 2013
 
 
@Don Pedro: The stereotype "All Russians are X" lives in your own head. I have been using my real Russian name almost everywhere for many years and have yet to have a problem with that.

That said, I recall reading a story on LinkedIn about a man who could not get a job interview for months because his name, albeit gender-neutral, was stereotypically female. As soon as he added "Mr." to his name, he'd got several interviews in a row. Now that's a real problem.
Dmitry Leskov
Wednesday, August 21, 2013
 
 
If a stereotype exists, then by definition it can't be neutral. :)
PSB136
Thursday, August 22, 2013
 
 
I have just finished uploading my code cert signed installer. Purchased from KSoft.

I have obtained the cert under my own name as I have no company. (I'm a sole proprietor) I don't even own a phone. My phone belongs to my employer, I could not even list it under my national phone directory. Still, the process wasn't very complicated. I've uploaded a scan of my ID, a bank and a utility bill under my name.
They called me and asked my email address and something else which I didn't understand for I was mildly drunk, standing in the middle of a kids' party, the line was horrible and the guy who rang me had worse accent than me. (When in doubt, just answer OOO-KAY, it works)
Got the cert.

Shall I report back in 1 month with conversion statistics? :)
Zka
Thursday, August 22, 2013
 
 
> Shall I report back in 1 month with conversion statistics? :)

Please do.  Seriously.  I need to know if it's truly worthwhile.
PSB136
Friday, August 23, 2013
 
 
I recommend getting it. I got Comodo and it surpassed all those warning messages about programs not being safe.

I'm debating whether I should upgrade it to VeriSign because I would like to get "Works on Windows 7/8 Logo".
John Senar
Friday, August 30, 2013
 
 
I've been signing my software with my own name for about 5 years. I think most people don't read the name - it's enough that the file is signed.

As any unsigned exe produces warning message - any signature is better than no signature.
Kuzmitskiy Dmitry
Sunday, September 01, 2013
 
 
@Don Pedro "because many of people think that russians are hackers and cheaters."
Maybe it was true 10-20 years ago, but not now. I talk personally to many of my customers, including those who represent US Army - no one ever said that they don't trust me because I'm Russian...
Kuzmitskiy Dmitry
Sunday, September 01, 2013
 
 
Is it just me, or can the cert delay the launching of the exe by a fair amount? My installer used to launch instantly (3MB file), now it sometimes takes up to 20 seconds to respond. What is taking so long, does Windows have to load some library and/or contact a cert server to verify it?

After about 2 weeks, I cannot tell anything about the conversion ratio. I'm afraid I'll never be able. I have changed the trial type (watermarks always -> watermarks after 15 files) therefore I have at least 2 factors affecting my CR which I can't separate. Maybe with A/B tests, but as I'm almost sure that the cert won't make it worse, I would just waste some sales for nothing. The CR has started to slowly climb after the signature, but then I made a big change to the trial method, now it's impossible to tell what is driving the CR upwards. My traffic is really low anyway, this is a small niche software. My CR has been greatly fluctuating all the time since launch between 5 and 15%. Sound assumptions are difficult to make under these circumstances.
Zka
Wednesday, September 04, 2013
 
 

This topic is archived. No further replies will be accepted.
