Author Topic: Signing of software  (Read 950 times)

padjakkels

  • Newbie
  • Posts: 5
Signing of software
« on: April 25, 2026, 09:46:55 am »
Hey,

I have a windows app that I want to sell to the public. I do not want to put it in the Windows Store.

1. Is it worth the cost to sign the exe/msi?
2. Will it not be enough to give users extra instructions on how to install it?

Just curious, don't see many comments here about "selling your app to the public".

Thanks.

Regards.

Thaddy

  • Hero Member
  • *****
  • Posts: 19165
  • Glad to be alive.
Re: Signing of software
« Reply #1 on: April 25, 2026, 10:12:46 am »
For commercial software it will save you a lot of support questions, and a code-signing certificate is not very expensive (from ~$200 for Microsoft Authenticode).
If anything, it looks more professional.
« Last Edit: April 25, 2026, 10:20:56 am by Thaddy »
objects are fine constructs. You can even initialize them with constructors.

d4eva

  • New Member
  • *
  • Posts: 36
Re: Signing of software
« Reply #2 on: April 25, 2026, 10:23:23 am »
Here's my experience with the code signing as an individual developer.

Back in the day, when signing was just introduced, it was cheap and worked fine, about $60 per year.
You purchased the code, got the private key, added it to your build process, signed the app, that stupid warning screen was not shown, all good.

Then they started to increase the prices and the process became more and more complicated.
And all those certificate sellers will let you purchase the code and only then ask you to validate yourself (depending on where you are, the process is more or less painful, like getting notarial approval of docs etc.).

You won't be getting the private key anymore; you will either have to use an online service to sign the exe (it costs per call, not meant for individuals imho),
or you will have to add the key to a Yubikey, and then it will still be possible to sign the app from the command line.

There are 2 kinds of signing certificates: individual and Extended Validation certificates.
Individual is cheaper. You will be able to sign the app, but Windows will still show that warning screen, and only after n people (nobody knows the n) have installed your app will that warning go away.
Extended Validation is supposed to be trusted and Windows should not show that warning screen. I've not used it, so I cannot tell.

And even if you decide to use the Windows Store, you will still need a certificate, and the same applies to both types of certificates.
I tried to submit an app to the Windows Store using the individual certificate, and every time the store's automated validator told me that blah blah, there's a certificate prompt, so please download your app yourself and then submit it to Microsoft, and then 3 days later it might or might not work.
Maybe it's changed now, but I just gave up.

It's extortion. And there's not much you can do as an individual developer.

Maybe there are some more options available, I don't know. My current certificate will expire next year, so I will have to do this again :(

Apple has it right. You pay $100 a year, get the code, sign your app, submit it and that's it.

paweld

  • Hero Member
  • *****
  • Posts: 1617
Re: Signing of software
« Reply #3 on: April 25, 2026, 11:09:51 am »
Personally, I think it’s a good idea to sign your apps if you make them publicly available, especially if you charge for them. In recent months, I’m aware of two fairly high-profile cases of malicious code being “injected” into popular apps:
- Notepad++: https://notepad-plus-plus.org/news/clarification-security-incident/
- CPU-Z and HWMonitor: https://www.bleepingcomputer.com/news/security/supply-chain-attack-at-cpuid-pushes-malware-with-cpu-z-hwmonitor/

In an age when even the smallest post can ruin your reputation, a signed request allows you to prove that it wasn’t your fault—any change to the signed file invalidates the signature.
Best regards / Pozdrawiam
paweld

padjakkels

  • Newbie
  • Posts: 5
Re: Signing of software
« Reply #4 on: April 25, 2026, 11:32:33 am »
Thanks for all the replies so far!

It's an expensive decision, but you can't go without it if it is commercial software.

Now I have to shop around for the cheapest option out there. At least it seems as if you are not limited to just signing one software program.

Wonder what will happen if you sign other software* also, for a small fee, to make up the cost of the signing certificate. This will mean the other software will also fall under your "name/brand", and you must trust that developer/code....

paweld

  • Hero Member
  • *****
  • Posts: 1617
Re: Signing of software
« Reply #5 on: April 25, 2026, 11:57:28 am »
As far as I know, you can buy IV/OV certificates at the lowest prices here: https://www.ssl.com/code-signing-certificates/
But when placing your order, be sure to uncheck the “eSigner” service, which is an additional paid subscription. If you already have a Yubikey, you don't need to buy one; if you don't have one, it will be cheaper to purchase it on your own, but it must be the right model.

Quote from: padjakkels
Wonder what will happen if you sign other software* also, for a small fee, to make up the cost of the signing certificate. This will mean the other software will also fall under your "name/brand", and you must trust that developer/code....
I advise against it, because if a third-party program you sign causes any damage or introduces a virus, and this is reported, your certificate may be revoked.
Best regards / Pozdrawiam
paweld

padjakkels

  • Newbie
  • Posts: 5
Re: Signing of software
« Reply #6 on: April 25, 2026, 12:33:03 pm »
Thanks. Yeah, it's a big risk to your name and reputation if a third-party program is reported.

Thanks for the link - yes, they are the cheapest. Think I might go with the eSigner and not the Yubikey, I do not have one.

d4eva

  • New Member
  • *
  • Posts: 36
Re: Signing of software
« Reply #7 on: April 25, 2026, 12:40:14 pm »
Quote from: padjakkels
Thanks for the link - yes, they are the cheapest. Think I might go with the eSigner and not the Yubikey, I do not have one.

You will run out of tokens pretty fast (speaking from experience), as you will be building and testing your app a lot and each signing uses a token. A Yubikey costs 70 EUR from the official site, which is much cheaper than what ssl.com is charging, and then you will be able to sign as many times as you like.

Xenno

  • Jr. Member
  • **
  • Posts: 88
    • BS Programs
Re: Signing of software
« Reply #8 on: April 25, 2026, 12:42:56 pm »
Quote from: padjakkels
I do not want to put it in the Windows Store.

Is there any specific reason? Just like other stores, WS has common features such as submission validation/testing, rollout mechanism, and rating/review.
Lazarus 4.0, Windows 10, https://www.youtube.com/@bsprograms

LeP

  • Sr. Member
  • ****
  • Posts: 304
Re: Signing of software
« Reply #9 on: April 25, 2026, 06:03:21 pm »
I make only commercial software, in reality software that I don't sell but put in my (industrial) machines.
I have an EV certificate (USB token) and I sign all code, and in my software I check the signature of all other libraries I load (explicitly) at runtime.

Signing is needed because my customers want everything that is connected to a network (or uses it) to be identifiable.
Un Sistema per domarli, un IDE per trovarli, un codice per ghermirli e nel framework incatenarli.
An operating system to tame them, an IDE to find them, a code to catch them and in the framework chain them.
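Two claims in this thread lend themselves to a concrete check: paweld's point that any change to a signed file invalidates the signature, and LeP's practice of verifying the signature of every library before loading it at runtime. The PowerShell below is an added example, not code from the thread or from any poster. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the application folder, file name and expected thumbprint in the usage lines are hypothetical placeholders. It pins the expected signer's thumbprint rather than accepting any "Valid" status, because "Valid" only means some CA trusted by Windows vouched for some signer, not that it was you.

```powershell
# Added example (not code from the thread or from any poster): verify the
# Authenticode signatures of an application and the DLLs it loads, pin the
# expected signer, and show that modifying a signed file breaks its signature.
# Assumptions: Windows PowerShell 5.1 / PowerShell 7 on Windows; $AppDir and
# $ExpectedThumbprint are hypothetical values you replace with your own.

function Test-SignedBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA-1 thumbprint of the certificate you expect. "Valid" alone only
        # says a CA trusted by Windows vouched for *some* signer, not for you.
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Subject
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        # RFC 3161 countersignature; without it the signature stops verifying
        # once the signing certificate expires.
        Timestamped = [bool] $sig.TimeStamperCertificate
        Trusted     = ($sig.Status -eq 'Valid') -and
                      ($sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint)
    }
}

function Test-AppBundle {
    param(
        [Parameter(Mandatory)] [string] $AppDir,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    # Check the main exe and every DLL next to it, as LeP does before loading.
    $results = Get-ChildItem -Path $AppDir -Recurse -Include *.exe, *.dll |
        ForEach-Object { Test-SignedBinary -Path $_.FullName -ExpectedThumbprint $ExpectedThumbprint }
    $results | Format-Table File, Status, Thumbprint, Timestamped, Trusted -AutoSize | Out-Host
    # $true only when every binary is signed by the pinned certificate.
    return -not ($results | Where-Object { -not $_.Trusted })
}

function Show-TamperDetection {
    # Copy a signed file, flip one byte inside the first section (offset 0x400
    # is past the PE headers in practically every real executable), re-check.
    param([Parameter(Mandatory)] [string] $SignedFile)
    $copy  = Join-Path $env:TEMP ('tampered-' + [IO.Path]::GetFileName($SignedFile))
    $bytes = [IO.File]::ReadAllBytes($SignedFile)
    $bytes[0x400] = $bytes[0x400] -bxor 0xFF
    [IO.File]::WriteAllBytes($copy, $bytes)
    $before = (Get-AuthenticodeSignature -FilePath $SignedFile).Status
    $after  = (Get-AuthenticodeSignature -FilePath $copy).Status   # HashMismatch
    Remove-Item -Path $copy -Force
    "Original: $before`nModified: $after"
}

# Usage (hypothetical values):
# Test-AppBundle -AppDir 'C:\MyApp' -ExpectedThumbprint 'A1B2...'   # -> $true / $false
# Show-TamperDetection -SignedFile 'C:\MyApp\MyApp.exe'
```

The `Timestamped` column is the detail worth watching when a certificate is about to expire, as d4eva's does: a signature with an RFC 3161 countersignature keeps verifying after the certificate's validity period ends, an untimestamped one does not.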

valdir.marcos

  • Hero Member
  • *****
  • Posts: 1285
Re: Signing of software
« Reply #10 on: April 26, 2026, 04:45:59 am »

Thank you all!

Boleeman

  • Hero Member
  • *****
  • Posts: 1158
Re: Signing of software
« Reply #11 on: April 28, 2026, 01:02:18 am »
I came across some free Delphi bulk signing code on GitHub quite a while ago at https://github.com/DeveloppeurPascal/ExeBulkSigning (but need to pay for signing service). Now moved to https://codeberg.org/OlfSoftware/ExeBulkSigning

You need a code signing certificate (PFX file and its password or a token). If you don't have any, buy one from an authority like Sectigo, Digicert, Certum or other authority recognized by Microsoft for Authenticode and Windows Smart Screen system.

Just thought I would mention it.
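For the bulk-signing step Boleeman describes, here is an added PowerShell example; it is not the ExeBulkSigning project's code and not from any poster. It assumes `signtool.exe` from the Windows SDK is on PATH, that the signing key lives in the current user's certificate store (a hardware token exposed through its vendor's CSP/KSP appears there) and is selected by SHA-1 thumbprint, and that `$TimestampUrl` is a placeholder you replace with the timestamp server your CA documents. It skips files that already carry a valid signature from the same certificate, which matters when every signature costs a cloud-signing token.

```powershell
# Added example (not the ExeBulkSigning project's code and not from any poster):
# sign every .exe/.dll under a folder with signtool.exe from the Windows SDK,
# with an RFC 3161 timestamp so the signatures keep verifying after the
# certificate expires, then confirm each result with Get-AuthenticodeSignature.
# Assumptions: signtool.exe is on PATH; the signing key is in the current
# user's certificate store and is selected by SHA-1 thumbprint; $TimestampUrl
# is a placeholder you replace with the timestamp server your CA documents.

function Invoke-BulkSign {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $TimestampUrl = 'http://TIMESTAMP-SERVER.PLACEHOLDER',
        [string] $Description  = 'My Application'      # shown in the UAC prompt
    )
    $signed = @()
    foreach ($file in Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll) {
        $current = Get-AuthenticodeSignature -FilePath $file.FullName
        # Idempotent: skip files already carrying a valid signature from this
        # certificate (re-signing every test build is what burns signing tokens).
        if ($current.Status -eq 'Valid' -and
            $current.SignerCertificate.Thumbprint -eq $Thumbprint) {
            $signed += $file.FullName
            continue
        }
        # /fd and /td select SHA-256 for the file and timestamp digests;
        # /tr requests an RFC 3161 timestamp; /sha1 picks the certificate.
        # For a legacy PFX you would pass /f cert.pfx /p password instead.
        & signtool.exe sign /fd SHA256 /tr $TimestampUrl /td SHA256 `
            /sha1 $Thumbprint /d $Description $file.FullName
        if ($LASTEXITCODE -ne 0) {
            Write-Error "signtool failed on $($file.FullName) (exit code $LASTEXITCODE)"
            continue
        }
        # Verify what signtool produced rather than trusting its exit code alone.
        $check = Get-AuthenticodeSignature -FilePath $file.FullName
        if ($check.Status -ne 'Valid') {
            Write-Error "$($file.FullName): $($check.Status) - $($check.StatusMessage)"
            continue
        }
        if (-not $check.TimeStamperCertificate) {
            Write-Warning "$($file.FullName) is signed but not timestamped"
        }
        $signed += $file.FullName
    }
    return $signed
}

# Usage (hypothetical values):
# Invoke-BulkSign -Root '.\dist' -Thumbprint 'A1B2...' -TimestampUrl 'http://...'
```

Keeping the key on a token and selecting it by thumbprint means no password ever appears on a command line or in a build log; the `/f` plus `/p` form for a PFX file puts the password in the process's command line, which is one more reason the token route is preferable even where a PFX is still usable.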

LeP

  • Sr. Member
  • ****
  • Posts: 304
Re: Signing of software
« Reply #12 on: April 28, 2026, 02:34:35 am »
Quote from: Boleeman
You need a code signing certificate (PFX file and its password or  ...........
A certificate on file is no longer valid for signing (so that the signature has a "value" and is recognized as a real signature).
They must have the private key in a token (non-exportable) or stored on a cloud service (always provided by recognized certifiers, like the ones that @Boleeman listed).

Warning: Using the signature improperly (for example, sharing it) exposes you to significant risks, such as revocation and the potential possibility that the provider will not issue a new certificate.
Signing malicious programs exposes you to the same risks.
Un Sistema per domarli, un IDE per trovarli, un codice per ghermirli e nel framework incatenarli.
An operating system to tame them, an IDE to find them, a code to catch them and in the framework chain them.

Boleeman

  • Hero Member
  • *****
  • Posts: 1158
Re: Signing of software
« Reply #13 on: April 28, 2026, 03:15:54 am »
Thanks Lep, that's good to know.
I didn't know much about signing of software.
