* The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.


Do you digitally sign your products?

Does this digital certificate from the authority affect sales? Is it important to sign the product these days to avoid Windows UAC messages?
Damjan
Sunday, May 03, 2015
 
 
The general consensus seems to be that code signing is essential to avoid UAC prompts. The issue with unsigned code seems to be getting worse and worse with progressive versions of Windows. Windows 8.1 makes it very hard to run unsigned apps. So much so that users of limited ability probably won't be able to install them.

It's not all bad though. A code signing certificate represents a barrier to entry, i.e. there is less chance of malware being distributed by individuals if they have to pay in order to sign apps. The trouble is that there does seem to be a complete lack of understanding about code signing at the user level.
Andrew Gibson
Sunday, May 03, 2015
 
 
Yes, we sign both the installer and the application's main exe with a cert from DigiCert.

The cost for the cert was 500 USD for three years, so 166 a year is negligible in our opinion.

Our decision to sign our distributables was:

* Professionalism: we are a small company competing against several larger ones, and we don't want to look like amateurs. Code signing is one of several steps we take to be as professional as we can.

* Integrity: code signing our installer and main exe offers end users trust in the integrity of what they run, which some of our users find important.

* Security: our application's auto-update feature will not automatically install an update that is not signed with our cert. This prevents an attacker compromising our update server and pushing out a malicious update to our customers.

* Licensing: we use the fact that our main exe should have a valid signature to help detect if the exe has been patched. This is a small part of our license protection. While we don't trust license protection to prevent piracy, we do want to keep honest customers honest.

I see no reason not to sign your installer/exe as long as you can afford the cost of a cert.
maxr
Sunday, May 03, 2015
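The update check in maxr's third bullet, worked through as an added PowerShell example (not the poster's own code): an updater that refuses any file that is not validly signed by the publisher's own certificate, rather than by just any certificate Windows trusts. The thumbprint values and the update path are placeholders, and pinning by thumbprint is an assumption about how such a check would be built, not a description of maxr's implementation.

```powershell
# Added example, not code from the post above. Verifies that a downloaded
# update carries a valid Authenticode signature from OUR certificate, not
# merely from any certificate Windows trusts. $PinnedThumbprints and the
# update path below are placeholders (assumptions).

# SHA-1 thumbprints of the publisher's own code-signing certificates. Keep the
# previous one too: renewing a certificate changes its thumbprint.
$PinnedThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_CURRENT',
    'PLACEHOLDER_THUMBPRINT_PREVIOUS'
)

function Test-UpdateSignature {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedThumbprints
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the hash matches and the chain builds to a trusted root.
    # Anything else is a hard failure: NotSigned, HashMismatch (file altered
    # after signing), NotTrusted, or UnknownError (chain could not be built).
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Ok = $false; Reason = "Signature status $($sig.Status): $($sig.StatusMessage)"
        }
    }

    # A valid signature alone is not enough: whoever controls the update server
    # could sign a replacement with their own certificate. Pin the signer.
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($AllowedThumbprints -notcontains $thumb) {
        return [pscustomobject]@{
            Ok = $false; Reason = "Signed by unexpected certificate $thumb ($($sig.SignerCertificate.Subject))"
        }
    }

    # Timestamped signatures keep verifying after the signing cert expires;
    # report it so an untimestamped release is noticed before the cert lapses.
    $timestamped = $null -ne $sig.TimeStamperCertificate
    return [pscustomobject]@{
        Ok = $true; Reason = "Signed by $($sig.SignerCertificate.Subject); timestamped=$timestamped"
    }
}

# Usage; the path is a placeholder.
$result = Test-UpdateSignature -Path 'C:\Updates\MyApp-Setup.exe' -AllowedThumbprints $PinnedThumbprints
if ($result.Ok) { Write-Host $result.Reason }
else { Write-Error "Refusing update: $($result.Reason)" }
```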
 
 
Yep, I have signed my apps but there is still the "unknown publisher" message and SignTool Error: Signing Cert does not chain to a Microsoft Root Cert.
Damjan
Sunday, May 03, 2015
 
 
Who did you purchase the code signing cert from?
maxr
Sunday, May 03, 2015
 
 
Comodo
Damjan
Sunday, May 03, 2015
 
 
I used to sign it then I no longer do it. I see absolutely no difference.  Looks like a waste of money.
Zka
Sunday, May 03, 2015
 
 
I sign my software on both Windows and Mac. Of course MS and Apple don't recognize the same certificates, so I have to pay for 2. I believe it is a good investment, but I haven't done an A/B test so I can't prove it.

@Damjan
Are you sure it is an authenticode certificate for signing code and not a certificate for signing a website? The latter won't be recognized by Windows.
Andy Brice
Sunday, May 03, 2015
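One way to check the point Andy raises, as an added example that is not from the post: inspect the certificate's extended key usage and chain before handing it to signtool, since a website (TLS) certificate lacks the Code Signing usage and a missing intermediate or untrusted root is what a "does not chain to a Root Cert" error reflects. The .pfx path is a placeholder.

```powershell
# Added example, not code from the post. A certificate bought for a website
# (TLS) carries the Server Authentication EKU only; Authenticode signing needs
# the Code Signing EKU, and signtool also needs the chain to build to a root
# Windows trusts. The .pfx path in the usage line is a placeholder.

function Test-CodeSigningCert {
    param([Parameter(Mandatory)] [string] $PfxPath)

    # Prompts for the PFX password and returns an X509Certificate2.
    $cert = Get-PfxCertificate -FilePath $PfxPath

    # Collect the extended key usage OIDs present on the certificate.
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
    $serverAuthOid  = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (TLS certs)
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Build the chain the same way Windows does when verifying a signature;
    # ChainStatus names each problem (UntrustedRoot, PartialChain, ...), which
    # is what a "does not chain to a ... Root Cert" error from signtool reflects.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($cert)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status })

    [pscustomobject]@{
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        NotAfter         = $cert.NotAfter
        HasPrivateKey    = $cert.HasPrivateKey          # signing needs it
        ExtendedKeyUsage = ($ekus -join ', ')
        CodeSigningEku   = ($ekus -contains $codeSigningOid)
        TlsOnlyCert      = ($ekus -contains $serverAuthOid -and $ekus -notcontains $codeSigningOid)
        ChainTrusted     = $chainOk
        ChainProblems    = ($problems -join ', ')
        UsableForSigning = ($cert.HasPrivateKey -and $chainOk -and ($ekus -contains $codeSigningOid))
    }
}

# Usage; placeholder path.
Test-CodeSigningCert -PfxPath 'C:\certs\publisher-codesign.pfx' | Format-List
```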
 
 
Sign the installer and all .exe that get installed.  We have one business customer that needed this (we were already doing it) because they have some sort of app firewall that will only allow signed apps to launch.  Considering the issues of malware that big companies are trying to deal with, it seems like a good idea.
Doug
Monday, May 04, 2015
 
 
But what do you do if you do not own a company and do not want your private name to be in the cert details when users install your software?
mb12
Monday, May 04, 2015
 
 
We watermark all downloads. This is sort of the same thing you mention, but not as secure or what not. Easy to defeat by someone capable, but 100% of those doing naughty stuff didn't bother, and why would they! Make it easy to defeat, and guess what! You also make it easy to track back to the origin.
Scott
Monday, May 04, 2015
 
 
I have done a little research about this; there is not much difference between signed and non-signed apps, many signed apps still have unknown publisher messages.
Damjan
Tuesday, May 05, 2015
 
 
> But what do you do if you do not own a company and do not want that your private name will be in the Cert details when user install your software?

In some countries, an individual who is registered with their state as being self employed may also register a business name to trade under which is different from their own name. The cost of this should not be prohibitive. You don't get the same legal protection compared with trading as a limited liability company, but you do get to trade under a name that is not your own personal name.

Couple this with a cheap virtual office solution for a postal address that is not your home address, and there is no reason to have any of your personal information on the code signing cert, while still trading legally in your country.

If there is a small business helpline in your location, give them a call and they should be able to guide you through the available options. Alternatively, arrange a quick meeting with a local accountant and they can advise you.
maxr
Tuesday, May 05, 2015
 
 
>there is not much difference with signed and non signed apps

I disagree. You avoid various scary messages on Windows. On Mac the default is now not to allow unsigned apps to be installed. However I can't tell you what difference signing makes to conversion rates. Maybe someone has done an A/B test? I couldn't find anything with a couple of minutes Googling.

>many signed apps still have unknown publisher messages.

Not if they are done correctly with a valid authenticode certificate (in my experience).
Andy Brice
Tuesday, May 05, 2015
 
 
Just to bust a myth: signing doesn't actually prevent UAC prompts -- you'll get a prompt either way that the user still has to acknowledge to allow the app to install (I get prompts for well-known apps and brands).  The only difference is one prompt says the publisher is unknown, and the other says known.

Does such publisher information matter for end users?  I doubt it.  It's just another "click to continue" step when installing a product.  I made another sale last night and that app isn't signed, so that buyer obviously didn't care about the unsigned prompt that UAC threw at him.

My website does explain in its FAQ how to install my apps, and it mentions to allow any warnings or prompts to continue.  Perhaps that's good enough for them?  Seems so.  I've seen similar explanations on other product sites, too.

I'm with Zka on this one.  I'll only start signing when it becomes mandatory.
PSB136
Tuesday, May 05, 2015
 
 
Yep. I didn't go into details, didn't perform A/B tests, but I saw no effect of signing.

My product wasn't signed for ~1 year, then it was signed for 1 year, and it has been unsigned again since last summer. The conversion ratio never seemed to be affected; I only see seasonal changes. I'm sure there is an effect but it's negligible in my market. Of course, as always, your market could behave differently, but my B2C Windows productivity tool seems to be unaffected by signing.
Zka
Wednesday, May 06, 2015
 
 
Damjan,

Just sign the product. I bought the Comodo certificate for $300 or so, for three years (as I remember). The problem is: very often there is no possibility to install unsigned software. I have had cases when a customer (from a big corporation) contacted me and asked the question: why is the software not signed? The average user has no permission to install unsigned software; it's prohibited by rules. As I remember, on Windows 8 it's not only a dialog which says the software is not signed and you can skip this, but the "Run Anyway" button is hidden or so. Very often AVs just point to unsigned software as suspicious; I have those support cases too. So why do you need this headache? To save a couple of hundred $? Believe me, it's not worth it.
pgrii
Wednesday, May 06, 2015
 
 
Thanks for the reply!
Damjan
Wednesday, May 06, 2015
 
 
I just signed up for a Comodo certificate and they asked me to go to a local attorney to stamp all my personal documents and phone bills and send them from the attorney's fax. Do they know how much that costs? The certificate by itself is not cheap. I think I will call it Comodo's paranoia??
Damjan
Thursday, May 07, 2015
 
 
Damjan,

Last year I bought a certificate from Comodo and what they needed was:
* DUNS number
* Phone number (they make a call to check first/last name, company name, email). The email must be the same as in the whois of your domain.

That's all. Maybe something has changed since last year...
pgrii
Thursday, May 07, 2015
 
 
Hm, the problem was verifying my phone number; in my country we actually have a few phone companies and mine was not in Comodo's list.
Damjan
Thursday, May 07, 2015
 
 
So far Comodo verification is the most unpleasant one. They must call my notary to verify me; documents and stamps are not enough. Maybe they should call my government as well. They are asking too much; I am just an individual developer. I doubt that Microsoft allows this verification torture.
Damjan
Tuesday, May 12, 2015
 
 
I have found http://ksoftware.net/ to be a painless way to get Comodo certificates. Also cheaper than Comodo themselves. However I am in the UK and have a UK registered company, so that might make it easier for me.
Andy Brice
Wednesday, May 13, 2015
 
 
Question for anyone: on a PC where installing signed software is enforced, what happens if you run the app's unsigned unzipped executable from an archive?  Will it still run?
PSB136
Wednesday, May 13, 2015
 
 
I am on ksoftware also, but the verification procedure is the same: if you are an independent developer you must send them the required documents notarized, then they call your notary to confirm your identity. That can take up to a few days and numerous calls, which is my case at the moment, still in procedure.
Damjan
Wednesday, May 13, 2015
 
 