# Code signing certificates

8 replies to this topic

### #1bobit  Members

Posted 13 May 2017 - 10:36 AM

Any recommendations on where to obtain a code signing certificate meeting the following requirements:

• No more than $100 / year.
• It needs to be for an individual, not a company. I'm based in the UK, if that matters.
• No ridiculous verification processes. e.g. As an independent developer, I don't have a landline and I don't want to offer phone support. When I looked into using Comodo last year, they were requiring me to get a landline and advertise it both in an online directory and in the certificate itself.

Last year I ended up going with StartCom, but that certificate is now expiring and unfortunately, they don't seem to be considered very reputable these days.

Getting a certificate seems to have become a ridiculously expensive and complicated process for legitimate small developers. Ironically, if I was some dodgy malware producer, I could buy a stolen certificate for a fraction of the expense and effort...

### #2Bregma  Members

Posted 13 May 2017 - 07:30 PM

You don't need a certificate. Just post a hashed checksum with your source tarball and make your public key available.  It comes to the same thing as a cert but without the expensive middle-men.

Stephen M. Webb
Professional Free Software Developer

### #3Hodgman  Moderators

Posted 13 May 2017 - 08:14 PM

> You don't need a certificate. Just post a hashed checksum with your source tarball and make your public key available. It comes to the same thing as a cert but without the expensive middle-men.

That's only the same thing if your audience is technical linux users. For non-technical Windows users, the goal of signing is to make as many protectionware "are you sure you want to run an exe?" dialogues go away as possible.

There are also big security differences. In theory with signing, the chain of trust goes you, your OS distributor (which includes your ISP if you downloaded your OS), then the certificate authorities, then the software author. With the ad hoc method, the chain goes you, your ISP, the software author's web-hoster, the software author. In cases where you don't trust your internet connection and you use physically delivered OS images, then the first is secure while the second isn't.

### #4NatashaTisk  Members

Posted 16 May 2017 - 02:22 AM

I work in the CA industry and can tell you now you will struggle to find a Code Signing Certificate at that price. Due to new regulations all CAs are required to put the certificate and keys in a hardware token such as a USB which has driven the cost up for many. I recommend GlobalSign as they are the best for vetting and you will get your certificate quickly and efficiently (assuming you have given them all the correct information) alongside great support if you need it... (which is very likely with code signing!)

### #5bobit  Members

Posted 16 May 2017 - 11:00 AM

Natasha, thanks for the recommendation, but GlobalSign is probably out of my budget and it doesn't look like they offer certificates for individuals in any case.

Sadly, it's looking like Windows is no longer viable for small time developers.  Mobile is my main market now, but I started on Windows and have kept a small but loyal fanbase for nearly 20 years.

Microsoft really seems to be doing their best to discourage independent developers with all the over-the-top security warnings, and I'm not even convinced it's done anything for safety.  Half the users are scared to authorize anything, and the rest just blindly click through every warning regardless.

### #6frob  Moderators

Posted 16 May 2017 - 11:45 AM

It doesn't stop being viable, it just means you get a warning when you run the installer.

There is an invisible file attribute flagging the file as downloaded from the Internet or untrusted network. It is fine for that to be on your program's installer, people are used to warnings when installing.  The installer will deploy files, and those won't be marked as untrusted. No signature required for them.

Check out my book, Game Development with Unity, aimed at beginners who want to build fun games fast.

Also check out my personal website at bryanwagstaff.com, where I occasionally write about assorted stuff.
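
The attribute described in post #6 is stored on NTFS as an alternate data stream named `Zone.Identifier` (the "Mark of the Web"). The sketch below is an added example, not part of the original thread: it parses that stream and reports which security zone a file was tagged with. The sample contents, placeholder URLs and function names are constructed for illustration.

```python
import configparser

# Windows URL security zone IDs as written in the ZoneId field.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed sample: stream contents of the kind a browser writes for a
# downloaded installer. The URLs are placeholders.
SAMPLE_DOWNLOADED = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.com/downloads/\r\n"
    "HostUrl=https://example.com/downloads/setup.exe\r\n"
)

def parse_zone_identifier(text):
    """Return a dict describing the mark, or None if no valid mark is present."""
    if not text:
        return None
    # interpolation=None: URLs may contain '%', which must not be expanded.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))  # tolerate a leading BOM
        zone_id = parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None
    return {
        "zone_id": zone_id,
        "zone": ZONES.get(zone_id, "Unknown"),
        "host_url": parser.get("ZoneTransfer", "HostUrl", fallback=None),
        # Zones 3 and 4 are the ones Windows treats as untrusted origins.
        "from_untrusted_zone": zone_id >= 3,
    }

def read_mark(path):
    """Read the stream from a real file (Windows/NTFS only); None if absent."""
    try:
        with open(path + ":Zone.Identifier", "r",
                  encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_DOWNLOADED))
```

Running `read_mark` on a downloaded installer and then on a file it deployed shows whether the mark is present on each.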

### #7bobit  Members

Posted 16 May 2017 - 03:53 PM

I have tried publishing without a coding certificate in the past, but many of my users aren't especially tech literate. I don't object to Microsoft giving a warning that the program's author can't be verified, but the language used is so overly alarming that many mistake it for a statement that they're installing a virus. Believe me, I've had the emails...

I've never understood why Microsoft can't just allow coding certificates to be linked to the developer's website instead of their business/personal name. It would make verification a doddle, remove the need for certification companies and be virtually cost free.

### #8Cwhizard  Members

Posted Today, 05:14 PM

> Sadly, it's looking like Windows is no longer viable for small time developers.  Mobile is my main market now, but I started on Windows and have kept a small but loyal fanbase for nearly 20 years.
>
> Microsoft really seems to be doing their best to discourage independent developers with all the over-the-top security warnings, and I'm not even convinced it's done anything for safety.

Largely it has done nothing for security as far as the end user is concerned.  It has done zero from a developer's standpoint that I have seen.  I am gradually trying to move my code to Linux, but that has its own problems, like piss poor webcam support for anything other than literally viewing the webcam.  I need full PTZ and real time decoding to RGB buffers.  But that is such a small niche market they disregard it.

### #9Alberth  Members

Posted Today, 11:00 PM

> move my code to linux, but that has its own problems, like piss poor webcam support for anything other than literally viewing the webcam. I need full PTZ and real time decoding to RGB buffers. but that is such a small niche market they disregard it.

The good thing about Linux is that people build everything. Have you considered looking into robotics software? Those devices typically use some video device and do real-time analysis of the images.