Code signing certificates


#1 bobit   Members   

106
0 Likes

Posted 13 May 2017 - 10:36 AM

Any recommendations on where to obtain a code signing certificate meeting the following requirements:

  • No more than $100 / year.
  • It needs to be for an individual, not a company. I'm based in the UK, if that matters.
  • No ridiculous verification processes. e.g. As an independent developer, I don't have a landline and I don't want to offer phone support. When I looked into using Comodo last year, they were requiring me to get a landline and advertise it both in an online directory and in the certificate itself.

Last year I ended up going with StartCom, but that certificate is now expiring and unfortunately, they don't seem to be considered very reputable these days.

Getting a certificate seems to have become a ridiculously expensive and complicated process for legitimate small developers. Ironically, if I was some dodgy malware producer, I could buy a stolen certificate for a fraction of the expense and effort...



#2 Bregma   Members   

9110
-2 Likes

Posted 13 May 2017 - 07:30 PM

You don't need a certificate. Just post a hashed checksum with your source tarball and make your public key available.  It comes to the same thing as a cert but without the expensive middle-men.


Stephen M. Webb
Professional Free Software Developer

#3 Hodgman   Moderators   

50872
4 Likes

Posted 13 May 2017 - 08:14 PM

> You don't need a certificate. Just post a hashed checksum with your source tarball and make your public key available. It comes to the same thing as a cert but without the expensive middle-men.

That's only the same thing if your audience is technical Linux users. For non-technical Windows users, the goal of signing is to make as many protectionware "are you sure you want to run an exe?" dialogues go away as possible.

There are also big security differences. In theory with signing, the chain of trust goes you, your OS distributor (which includes your ISP if you downloaded your OS), then the certificate authorities, then the software author. With the ad hoc method, the chain goes you, your ISP, the software author's web-hoster, the software author. In cases where you don't trust your internet connection and you use physically delivered OS images, then the first is secure while the second isn't.

#4 NatashaTisk   Members   

105
1 Likes

Posted 16 May 2017 - 02:22 AM

I work in the CA industry and can tell you now you will struggle to find a Code Signing Certificate at that price. Due to new regulations all CAs are required to put the certificate and keys in a hardware token such as a USB which has driven the cost up for many. I recommend GlobalSign as they are the best for vetting and you will get your certificate quickly and efficiently (assuming you have given them all the correct information) alongside great support if you need it... (which is very likely with code signing!)



#5 bobit   Members   

106
0 Likes

Posted 16 May 2017 - 11:00 AM

Natasha, thanks for the recommendation, but GlobalSign is probably out of my budget and it doesn't look like they offer certificates for individuals in any case.

Sadly, it's looking like Windows is no longer viable for small time developers.  Mobile is my main market now, but I started on Windows and have kept a small but loyal fanbase for nearly 20 years.

Microsoft really seems to be doing their best to discourage independent developers with all the over-the-top security warnings, and I'm not even convinced it's done anything for safety.  Half the users are scared to authorize anything, and the rest just blindly click through every warning regardless.



#6 frob   Moderators   

44366
2 Likes

Posted 16 May 2017 - 11:45 AM

It doesn't stop being viable, it just means you get a warning when you run the installer.

There is an invisible file attribute flagging the file as downloaded from the Internet or untrusted network. It is fine for that to be on your program's installer, people are used to warnings when installing.  The installer will deploy files, and those won't be marked as untrusted. No signature required for them.


Check out my book, Game Development with Unity, aimed at beginners who want to build fun games fast.

Also check out my personal website at bryanwagstaff.com, where I occasionally write about assorted stuff.
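
The "invisible file attribute" described in post #6 is stored on NTFS as an alternate data stream named `Zone.Identifier` attached to the downloaded file. The following is an added example, not code from any poster in this thread: it parses that stream's INI-style contents and reports the recorded zone. The sample stream contents, the `example.invalid` URLs and the function names are constructed for illustration, and treating zones 3 and 4 as the untrusted ones is a simplification.

```python
import configparser

# URL security zones as stored in the ZoneId field of the stream.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

def parse_zone_identifier(text):
    """Parse Zone.Identifier contents; return None if no usable ZoneId."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str                       # keep key case (ZoneId, HostUrl)
    try:
        cp.read_string(text.lstrip("\ufeff"))  # tolerate a leading BOM
        zone_id = int(cp["ZoneTransfer"]["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None
    sec = cp["ZoneTransfer"]
    return {
        "zone_id": zone_id,
        "zone": ZONES.get(zone_id, "Unknown"),
        "host_url": sec.get("HostUrl"),
        "referrer_url": sec.get("ReferrerUrl"),
        # Assumption: Internet (3) and Restricted (4) count as untrusted.
        "untrusted": zone_id >= 3,
    }

def read_mark(path):
    """Read the stream from a file on NTFS; None if absent or not on Windows."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8",
                  errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None

# Constructed sample: what a browser typically writes next to a download.
DOWNLOADED_INSTALLER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads\r\n"
    "HostUrl=https://example.invalid/setup.exe\r\n"
)
# Constructed sample: a file copied from an intranet share.
INTRANET_COPY = "[ZoneTransfer]\r\nZoneId=1\r\n"

if __name__ == "__main__":
    for name, text in [("installer", DOWNLOADED_INSTALLER),
                       ("intranet", INTRANET_COPY)]:
        print(name, parse_zone_identifier(text))
```

Files that an installer writes to disk itself get no such stream, so `read_mark` returns `None` for them.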


#7 bobit   Members   

106
0 Likes

Posted 16 May 2017 - 03:53 PM

I have tried publishing without a coding certificate in the past, but many of my users aren't especially tech literate. I don't object to Microsoft giving a warning that the program's author can't be verified, but the language used is so overly alarming that many mistake it for a statement that they're installing a virus. Believe me, I've had the emails...

I've never understood why Microsoft can't just allow coding certificates to be linked to the developer's website instead of their business/personal name. It would make verification a doddle, remove the need for certification companies and be virtually cost free.



#8 Cwhizard   Members   

99
0 Likes

Posted Today, 05:14 PM

> Sadly, it's looking like Windows is no longer viable for small time developers.  Mobile is my main market now, but I started on Windows and have kept a small but loyal fanbase for nearly 20 years.
>
> Microsoft really seems to be doing their best to discourage independent developers with all the over-the-top security warnings, and I'm not even convinced it's done anything for safety.

Largely it has done nothing for security as far as the end user is concerned.  It has done zero from a developer's standpoint that I have seen.  I am gradually trying to move my code to Linux, but that has its own problems, like piss poor webcam support for anything other than literally viewing the webcam.  I need full PTZ and real time decoding to RGB buffers.  But that is such a small niche market they disregard it.



#9 Alberth   Members   

9192
0 Likes

Posted Today, 11:00 PM

> move my code to Linux, but that has its own problems, like piss poor webcam support for anything other than literally viewing the webcam. I need full PTZ and real time decoding to RGB buffers. But that is such a small niche market they disregard it.

The good thing about Linux is that people build everything. Have you considered looking into robotics software? Those devices typically use some video device and do real-time analysis of the images.