A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.
Doug Nebeker ("Doug")
The general consensus seems to be that code signing is essential to avoid UAC prompts. The issue with unsigned code seems to be getting worse and worse with progressive versions of Windows. Windows 8.1 makes it very hard to run unsigned apps. So much so that users of limited ability probably won't be able to install them.
It's not all bad though. A code signing certificate represents a barrier to entry, i.e. there is less chance of malware being distributed by individuals if they have to pay in order to sign apps. The trouble is that there does seem to be a complete lack of understanding about code signing at the user level.
Sunday, May 03, 2015
Yes, we sign both the installer and the applications main exe with a cert from digicert.
The cost for the cert was 500 USD for three years so 166 a year is negligible in our opinion.
Our decision to sign our distributables was:
* Professionalism, we are a small company competing against several larger ones, we don't want to look like amateurs. Code signing is one of several steps we take to be as professional as we can.
* Integrity, code signing our installer and main exe offers end users trust in the integrity of what they run, which some of our users find important.
* Security, our application's auto update feature will not automatically install an update that is not signed with our cert. This prevents an attacker from compromising our update server and pushing out a malicious update to our customers.
* Licensing, we use the fact that our main exe should have a valid signature to help detect if the exe has been patched. This is a small part of our license protection. While we don't trust license protection to prevent piracy, we do want to keep honest customers honest.
I see no reason not to sign your installer/exe as long as you can afford the cost of a cert.
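The update check and the self-check described in the post above, as an added PowerShell example that is not the poster's code: it pins a downloaded file's Authenticode signature to one publisher certificate rather than accepting any valid signature. The thumbprint, file paths and the installer's `/S` silent switch are placeholders/assumptions.

```powershell
# Added example: only install an update (or trust our own exe) when it carries
# a Valid Authenticode signature from *our* certificate.
# Placeholder: replace with the thumbprint of your own code signing cert.
$ExpectedThumbprint = 'PLACEHOLDER_40_HEX_CHARS_OF_YOUR_CODE_SIGNING_CERT'

function Test-PinnedSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Thumbprint
    )
    # Get-AuthenticodeSignature verifies the file hash and the cert chain.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Anything other than Valid (NotSigned, HashMismatch for a patched file,
    # UnknownError for an untrusted chain) means "do not run it".
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Rejecting '$Path': signature status is $($sig.Status)"
        return $false
    }

    # A valid signature from *any* publisher is not enough: whoever controls
    # the update server could sign with their own cert. Pin ours.
    if ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
        Write-Warning "Rejecting '$Path': signed by '$($sig.SignerCertificate.Subject)', not our cert"
        return $false
    }
    return $true
}

# 1) Auto-update: run the downloaded installer only if it passes both checks.
$update = Join-Path $env:TEMP 'MyApp-Update.exe'        # constructed path
if (Test-PinnedSignature -Path $update -Thumbprint $ExpectedThumbprint) {
    Start-Process -FilePath $update -ArgumentList '/S' -Wait   # '/S' assumed
} else {
    Write-Error 'Update rejected; keeping the installed version.'
}

# 2) Tamper check: the same test against the installed main exe detects a
#    patched binary, since any modification breaks the signed hash.
$mainExe = Join-Path $env:ProgramFiles 'MyApp\MyApp.exe'  # constructed path
if (-not (Test-PinnedSignature -Path $mainExe -Thumbprint $ExpectedThumbprint)) {
    Write-Warning 'Main executable has been modified or re-signed.'
}
```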
I sign my software on both Windows and Mac. Of course MS and Apple don't recognize the same certificates, so I have to pay for 2. I believe it is a good investment, but I haven't done an A/B test so I can't prove it.
Are you sure it is an authenticode certificate for signing code and not a certificate for signing a website? The latter won't be recognized by Windows.
Sunday, May 03, 2015
Sign the installer and all .exe that get installed. We have one business customer that needed this (we were already doing it) because they have some sort of app firewall that will only allow signed apps to launch. Considering the issues of malware that big companies are trying to deal with, it seems like a good idea.
We watermark all downloads. This is sort of the same thing you mention, but not as secure or whatnot. Easy to defeat by someone capable, but 100% of those doing naughty stuff didn't bother, and why would they! Make it easy to defeat, and guess what! You also make it easy to track back to the origin.
> But what do you do if you do not own a company and do not want that your private name will be in the Cert details when user install your software?
In some countries, an individual who is registered with their state as being self employed may also register a business name to trade under which is different from their own name. The cost of this should not be prohibitive. You don't get the same legal protection compared with trading as a limited liability company, but you do get to trade under a name that is not your own personal name.
Couple this with a cheap virtual office solution for a postal address that is not your home address, and there is no reason to have any of your personal information on the code signing cert, while still trading legally in your country.
If there is a small business helpline in your location, give them a call and they should be able to guide you through the available options. Alternatively, arrange a quick meeting with a local accountant and they can advise you.
>there is not much difference with signed and non signed apps
I disagree. You avoid various scary messages on Windows. On Mac the default is now not to allow unsigned apps to be installed. However I can't tell you what difference signing makes to conversion rates. Maybe someone has done an A/B test? I couldn't find anything with a couple of minutes of Googling.
>many signed apps still have unknown publisher messages.
Not if they are done correctly with a valid authenticode certificate (in my experience).
Tuesday, May 05, 2015
Just to bust a myth: signing doesn't actually prevent UAC prompts -- you'll get a prompt either way that the user still has to acknowledge to allow the app to install (I get prompts for well-known apps and brands). The only difference is one prompt says the publisher is unknown, and the other says known.
Does such publisher information matter for end users? I doubt it. It's just another "click to continue" step when installing a product. I made another sale last night and that app isn't signed, so that buyer obviously didn't care about the unsigned prompt that UAC threw at him.
My website does explain in its FAQ how to install my apps, and it mentions to allow any warnings or prompts to continue. Perhaps that's good enough for them? Seems so. I've seen similar explanations on other product sites, too.
I'm with Zka on this one. I'll only start signing when it becomes mandatory.
Yep. I didn't go into details, didn't perform A/B tests, but I saw no effect of signing.
My product hasn't been signed for ~1 year, then it has been signed for 1 year, then once again it's unsigned since last summer. Conversion ratio never seemed to be affected, I only see seasonal changes. I'm sure there is an effect but it's negligible in my market. Of course as always, your market could behave differently, but my B2C Windows productivity tool seems to be unaffected by signing.
Just sign the product. I've bought the comodo certificate for $300 or so, for three years (as I remember). The problem is: very often there is no possibility to install unsigned software. I have had cases where a customer (from a big corporation) contacted me and asked the question: why is the software not signed? The average user has no permission to install unsigned software, it's prohibited by rules. As I remember, on Windows 8 it's not only a dialog which says the software is not signed and you can skip this, but the "Run Anyway" button is hidden or so. Very often AVs just point to unsigned software as suspicious, I have those support cases too. So why do you need this headache? To save a couple hundred dollars? Believe me, it's not worth it.
I just signed up for a comodo certificate and they ask me to go to a local attorney to stamp all my personal documents, phone bills and send them that from the attorney's fax. Do they know how much that costs? The certificate by itself is not cheap. I think I will call it comodo's paranoia??
Last year I bought a certificate from comodo and what they needed:
* DUNS number
* Phone number (they make a call to check first/last name, company name, email). Email must be the same as in whois of your domain.
That's all. Maybe something changed since last year...
So far comodo verification is the most unpleasant one, they must call my notary to verify me, documents and stamps are not enough, maybe they should call my government as well. They are asking too much, I am just an individual developer, I doubt that Microsoft allows this verification torture.
I am on ksoftware also but the verification procedure is the same, if you are an independent developer you must send them the required documents notarized, then they call your notary to confirm your identity, that can take up to a few days and numerous calls, which is my case at the moment, still in procedure.