A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.
1. Do you recommend purchasing it at the present time?
2. And one more thing. How do users react to such certificates if they are issued not to a firm but to an individual?
For example, I have software for servers. Probably administrators in companies will not want to install the software when they see a person's name instead of a company on the Windows notification when clicking to install the program?
PS: sorry for my English.
1. Yes (http://blog.kowalczyk.info/article/lh6f/Buying-a-certificate-for-signing-windows-applica.html)
2. Don't know but that's not the biggest reason you need a certificate. A certificate will decrease the number of false positives from anti-virus checkers, online software checkers (like the one built into IE or Chrome) etc. Basically, Microsoft et al. scare users more when there is no certificate.
Friday, August 16, 2013
As someone relatively new to Windows 8 I was nearly unable to install some of my own (unsigned) software recently.
Its warnings against running unsigned exes are so strong it looks like you're blocked from doing it. It took me a while to figure out how to get around it.
Oh and before that Chrome had tried to stop me downloading it. I also got a strongly worded message from my AV software.
After that experience I no longer believe signing is optional these days.
On the own name issue... personally I find it a little off-putting, it just feels too personal to me and a tad unprofessional. Opinions may vary on that. But if it's between that and not signing I'd definitely sign with your own name.
Friday, August 16, 2013
I never mentioned Microsoft, but it's interesting to note that they have invested in VeriSign in 1996 (source: http://successfulsoftware.net/2008/02/27/the-great-digital-certificate-ripoff/).
Also, the context in which I used "extortion" was due to price hikes for no valid reason except for the fact that they can (http://smurfonspreadsheets.wordpress.com/2008/08/22/code-signing-certificate-rip-off/).
It's just crazy that we're supposed to pay someone to give the false perception of security/non-tampering. It's like a restaurant having to pay an authority to prove they cooked the food themselves and that it wasn't cooked elsewhere or tampered with before serving it to their patrons.
>>I never mentioned Microsoft, but it's interesting to note that they have invested in VeriSign in 1996 (source: http://successfulsoftware.net/2008/02/27/the-great-digital-certificate-ripoff/).
I think that's implied in the discussion. I still can't see it being anything more than a line item on the MS balance sheet. They have bigger fish to fry.
>>Also, the context in which I used "extortion" was due to price hikes for no valid reason except for the fact that they can (http://smurfonspreadsheets.wordpress.com/2008/08/22/code-signing-certificate-rip-off/).
Shop around, mine cost $73 per year.
>>It's just crazy that we're supposed to pay someone to give the false perception of security/non-tampering.
Is it that false, could you certify an app with my company name? I'm not a security expert but I don't think so.
>> It's like a restaurant having to pay an authority to prove they cooked the food themselves and that it wasn't cooked elsewhere or tampered with before serving it to their patrons.
If food poisoning was as rife as malware then you would be paying much more attention to the certificates on the wall at a restaurant.
Some very simplified maths:
If you're making $100k and 0.1% of your customers won't try because you didn't sign your exe it makes sense to pay the $73 (ignoring costs).
If you're making $100k and 1% of your customers won't try because you didn't sign you just lost $927.
I suspect the number will be higher than 1% in most niches.
Go with the money, signing makes sense for almost any software business which is seeing traction.
Saturday, August 17, 2013
I think the $73 price has gone away now. It used to be Tucows offered that huge discount on Comodo certs, but recently they're way back up in the hundreds on price.
If you are buying a cert, you should buy a three year one. Simply because the process of getting one is so laborious and error prone. Lining up business names, website ownership, website addresses and phone numbers so that everything matches -- real pain.
It's better to only have that headache once every three years.
You can get Comodo certs from http://codesigning.ksoftware.net/ for $95, with discounts for multi-year purchases.
What exactly does the certificate company actually do?
When they sell a certificate what is the process?
Sunday, August 18, 2013
This is becoming a real issue in my business with the number of people contacting me saying they can't get past their anti-virus blocking the download or installation and the number of almost-immediate unsubscribes increasing massively.
I did look into this a while ago and was told that as my business is not a "Company" (I'm in the UK and am not a Limited Company) that I couldn't do it. So I wrote it off but now it's becoming increasingly important and having read more into it I'm not entirely sure that I was told the whole story.
My domain name and virtually everything else is in my personal name and registered at my home address (where I run my business from). On my web-site I use a mailing address which is based at a mail forwarding service (I never get any mail but it's a requirement that I have it and don't want to publish my home address). My phone number I use for the business is also in my own name and my home address. Also as I said earlier it's a business and not a company so effectively it's me Trading As BusinessName.
Under these circumstances (and having read the blog post someone linked to) would it be possible to register a certificate under my business name rather than doing everything under my personal name, i.e. so when the user comes to install the software it says my business name next to Publisher rather than my personal name?
Any advice would be appreciated.
I've definitely seen people get sigs without a ltd company being involved but I don't know the exact process.
I've used K Software a couple of times, their prices are really good & although they ultimately use Comodo whose customer service during the validation process is in my experience very poor, the owner of K Software (Robert Vincent) comes recommended for giving good support to his customers. I'd ping him an email and ask what the process would be.
Sunday, August 18, 2013
Many thanks for the advice. I'll email the guy at K Software and see if they can help. My users and potential users only know my business name and to see my own name pop-up when they come to install my software may be as bad as having no certificate at all. In my sector credibility is everything and giving off a professional "corporate" image to customers is v important even if they know I run a small business so I really need to have the business name there.
If you don't have a company setup (you should probably do that), then you'll at least need a "trading name" (also called a D.B.A. -- doing business as). You can't just say to these code signing companies that your company name is something without having appropriate documentation to backup the claim. You either form a proper corporation or get a D.B.A.
Registering a D.B.A. differs from state-to-state and country-to-country.
Call someone from your local small business government agency and they'll direct you to the correct forms. Or google it, I'm sure someone from your locale has gone through this exact situation before.
Monday, August 19, 2013
In the UK you can set-up in business with any name you choose - there are some benefits to not setting up a company entity as my accountant has advised me on many occasions. Of course I do have some documentation in my business name such as my business bank account but at this stage I have no intention whatsoever of operating as a (Limited) company.
You can get a certificate in your own name. I've installed software with certs issued to individual developers. ksoftware provides more information on what you'll need for a Comodo cert here:
Many thanks for the link - very helpful.
This is a quote from the link that Nicholas posted:
"DBA (Doing Business As) companies can get a certificate in the business name if the name is registered with your local government, a utility company or a bank."
This should work for me as my bank account is in my business name and is displayed on my bank statements. :)
I will second Nicholas Hebb's recommendation for ksoftware service.
I operate as a DBA and the only hiccup I had when first obtaining my certificate was they required a confirmed phone number. I use a Google phone and I needed to get it "assigned" to me via an online directory.
@Don Pedro: The stereotype "All Russians are X" lives in your own head. I have been using my real Russian name almost everywhere for many years and have yet to have a problem with that.
That said, I recall reading a story on LinkedIn about a man who could not get a job interview for months because his name, albeit gender-neutral, was stereotypically female. As soon as he added "Mr." to his name, he'd got several interviews in a row. Now that's a real problem.
Wednesday, August 21, 2013
I have just finished uploading my code cert signed installer. Purchased from KSoft.
I have obtained the cert under my own name as I have no company. (I'm a sole proprietor) I don't even own a phone. My phone belongs to my employer, I could not even list it under my national phone directory. Still, the process wasn't very complicated. I've uploaded a scan of my ID, a bank and a utility bill under my name.
They called me and asked my email address and something else which I didn't understand for I was mildly drunk, standing in the middle of a kids' party, the line was horrible and the guy who rang me had a worse accent than me. (When in doubt, just answer OOO-KAY, it works)
Got the cert.
Shall I report back in 1 month with conversion statistics? :)
I've been signing my software with my own name for about 5 years. I think most people don't read the name - it's enough that the file is signed.
As any unsigned exe produces a warning message - any signature is better than no signature.
Sunday, September 01, 2013
@Don Pedro "because many of people think that russians are hackers and cheaters."
Maybe it was true 10-20 years ago, but not now. I talk personally to many of my customers, including those who represent US Army - no one ever said that they don't trust me because I'm Russian...
Sunday, September 01, 2013
Is it just me, or can the cert delay the launching of the exe by a fair amount? My installer used to launch instantly (3MB file), now it sometimes takes up to 20 seconds to respond. What is taking so long, does Windows have to load some library and/or contact a cert server to verify it?
After about 2 weeks, I cannot tell anything about the conversion ratio. I'm afraid I'll never be able to. I have changed the trial type (watermarks always -> watermarks after 15 files) therefore I have at least 2 factors affecting my CR which I can't separate. Maybe with A/B tests, but as I'm almost sure that the cert won't make it worse, I would just waste some sales for nothing. The CR has started to slowly climb after the signature, but then I made a big change to the trial method, now it's impossible to tell what is driving the CR upwards. My traffic is really low anyway, this is a small niche software. My CR has been greatly fluctuating all the time since launch between 5 and 15%. Sound assumptions are difficult to make under these circumstances.
This topic is archived. No further replies will be accepted.