A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.
We're closed, folks!
Doug Nebeker ("Doug")
OK, so my (standard) code signing certificate is up for renewal again.
Last time this happened I simply got a new certificate and then went through nearly a month of having my downloads filtered by SmartScreen. If you haven't seen the SmartScreen block, you should know that this is quite an opaque message that pops up - you need to click "more info" (from memory) and then "download anyway", or something similar. Basically it is enough to put many of the less savvy users off completely (even if they can work out how to get around it). Chrome has something similar for "uncommon downloads".
I really, really don't want to go through this again - yet it appears that existing certificates cannot be extended, and a new one is always required when the existing one expires. SmartScreen reputation is apparently built based on a hash of the download file and the certificate. This would imply that when I release an update with the new cert (new file, new cert), I will have zero reputation once more - and all the old problems will surface.
So I just wonder if anyone knows answers to the following:
I get that you need a new cert, but does my existing publisher information carry over in any way? Will this tie in with my old certificate for purposes of reputation, or am I starting from scratch? Ideally I would just get a new standard cert from Comodo (via one of their resellers) which can be done for < $100 p.a.
It looks like you can "buy your way out" of this problem to some extent by using an EV cert from Digicert or Symantec. Costs are high - $449 a year for a single year from Digicert or $795(!) from Symantec. Frankly, I'd pay it if I had to - do I need to?
Thawte certificates are a bit cheaper at around $500 USD for 2 years.
Tuesday, August 18, 2015
Thanks for the response, but I am not really (that) worried about the price - my main concern here is to avoid the complete loss of reputation when I switch certificates and the attendant loss of business.
The cert I use now is a Comodo one purchased via ksoftware, and cost only $80 per year (two years). Of course, I should have a bought a 5 year and I wouldn't be worrying about this (for another 3 years, at least!).
A bit more Googling and it doesn't look too promising.
From a question on SO:
"We just went through the whole process of moving from an old Authenticode certificate to a new one (not an EV certificate, just a plain certificate that can be used in our automated build process).
Microsoft is no longer providing any means of transferring reputation from an existing certificate to a new one. So don't try to call their support. You'll just waste a lot of time and energy. And they won't be able to help.
Microsoft is claiming that if the old and new certificates have the same textual content, the reputation gets established faster. More specifically, here is the reply I got from the SmartScreen® Filter's Application Reputation feature support team:
Please note that whenever you renew a certificate with known reputation, you will likely see some warns during initial downloads of files signed with the renewed certificate. However, known reputation on the renewed certificate is typically established more rapidly than on a new certificate. While a renewed certificate establishes reputation, users can still click through to run or save the download. To do so, they select Actions | More Options | Run Anyway from Download Manager."
It rather sounds like EV certs are the only way to be sure. Surely there should exist some way to transfer reputation since all certs last only a few years - or perhaps that doesn't make enough money for the CAs.
My understanding, as explained to me by Mitch at KSoftware is the signed executable does not expire. However you need a current certificate when you sign a newly compiled application.
So if your app is stable and not updated frequently you're good, you don't need another cert until you recompile.
I bit the bullet (and my lip) and just ordered 3 years of EV from Digicert for just under $1000. What a racket. I did also read that EV certs have some sort of unique identifier that actually can be transferred when renewed, which helps with reputation.
None of this would matter quite so much if the smart screen (and Chrome equivalent) warnings were a little clearer - for example, if they actually explained that this warning could just be an indication that the software hadn't been downloaded commonly since it was updated. But they are not - for the average consumer, they are very scary and I don't blame them at all for abandoning an installation when they see them. The whole thing really is painful for small developers.
It's an interesting point Calvert - I too wonder how much control MS are going to try and exert over the Windows ecosystem. It goes without I suppose that one of the great things about Windows has always been the openness of it, flexibility of system configurations etc.
As an aside - "Extended Validation" my @rse! I just got validated in an hour. Nice business if you can get it - I wonder how one sets up a CA?
Wow, I guess I will have to switch to DigiCert when my cert expires.
I did it last year and it took me weeks with Comodo for a regular cert.
I had to go to my bank and have them notarize and fax a bunch of stuff, and then the idiots at Comodo kept second guessing everything. Even though the notary had signed proof of address and phone, Comodo kept asking me to add my address/phone to some public directory...
On top of that, when they finally delivered the cert, they had not used my PO box address as requested, so I had to issue another request.
It was one of the most annoying and time consuming processes I had to deal with since starting my business. Avoid Comodo if you can.
Anyone did some A/B testing to justify code certs? I have stopped using certs long ago and didn't notice any difference.
Less tech savvy people will be the first to click "download anyway" imho. That's why we have those super obvious facebook viruses spreading like wildfire.
We (my company, so I) have refused to do a lot of this certificate stuff, which is a corporate tax you pay to your competitor.
Certificates prove nothing since many legit apps don't have them, and shitloads of the most nefarious malware imaginable, like Google Chrome, is all certified.
There is no doubt in my mind that our sales have been severely damaged by our refusal to comply with the "new order".
Things have gone to shit and I would not pick this field as a career again, knowing what I now know.
Perhaps I'd be a microbiologist. Or a farmer.
IMO, these particular corporate controlled certs are structured in such a way that they are anticompetitive and amount to criminal racketeering. However, your government agencies are totally in the back pockets of these sociopathic creeps, so there's no way you'll get out from under their thumb short of violent widespread revolution, which will never happen since everyone is swiping left and right for hookups, facebooking, doped to the gills with prozac, and otherwise submitting totally to the authority of the new regime. Enjoy the dystopian police state guys.
>Less tech savvy people will be the first to click "download anyway" imho. That's why we have those super obvious facebook viruses spreading like wildfire.
"Download anyway" isn't available as a top-level option - from memory only something like "Discard" and a very small box for "more info". So it takes a bit of digging and for many users the impression is that the download has simply been blocked. Many of my users are not tech savvy, and simply stop at that point. Much as I don't want to spend $300+ a year on this, the investment will pay for itself in a few days so from a business point of view it is unfortunately a no brainer.
Yes Scott I agree - it is a tax, and not a progressive one since a multimillion $ corp and a micro ISV pay the same.
Calvert - I jumped through a few hoops for Comodo two years ago, got myself on the required directory etc. so I guess everything needed was in place this time - but since those things are rather easy to set up, whatever your status, it does rather suggest that EV is about making more money, not making things more secure (I got one phone call to confirm a few details, which is the same as the standard process I last went through).
When I was renewing our Comodo cert last time, two of their three or four "trusted directories" for our country were in fact illegal Web sites selling stolen (police?) databases...
Thursday, August 20, 2015
This topic is archived. No further replies will be accepted.Other recent topics
Powered by FogBugz