discoDSP
KVRAF
 
3535 posts since 17 Jul, 2002

Postby discoDSP; Fri Mar 16, 2018 1:27 am Code Sign certificates

Hello, do any of you have experience with Code Sign certificates?

I'm considering using them for the installers to avoid the "Unknown" publisher, but other than that, I don't see any real advantages.

I have found cheap certificates that cost just $79/year at https://codesigncert.com/comodocodesigning; however, getting some opinions could help to get a better vision.

Cheers,
George.
discoDSP Plug-Ins | Synths | Sampler | Effects
chipnix
KVRist
 
31 posts since 18 Sep, 2011

Postby chipnix; Fri Mar 16, 2018 7:17 am Re: Code Sign certificates

Code signing is extremely useful; it's the only (of course not 100% secure) evidence that you are actually running the binary which the developer has built for you. If someone gets access to your webpage, he may be able to exchange your software with malware, but because he doesn't have access to your private code-signing certificate, he cannot build software which is signed with your company/name.
Plugin binaries should also be signed.
In a perfect world, DAWs should only load software which is also signed, which would make piracy a little bit harder, of course this is also not a 100% solution.
FabienTDR
KVRian
 
973 posts since 23 Feb, 2012

Postby FabienTDR; Fri Mar 16, 2018 7:23 am Re: Code Sign certificates

+1 well worth the costs (you can sign all your stuff with it, not just the installer). Great help for anyone.
Last edited by FabienTDR on Fri Mar 16, 2018 7:25 am, edited 1 time in total.
Fabien from Tokyo Dawn Records

Check out my audio processors over at the Tokyo Dawn Labs!
FabienTDR
KVRian
 
973 posts since 23 Feb, 2012

Postby FabienTDR; Fri Mar 16, 2018 7:24 am Re: Code Sign certificates

chipnix wrote:In a perfect world, DAWs should only load software which is also signed, which would make piracy a little bit harder, of course this is also not a 100% solution.


That's the reaaaally great thing about AAX/Pro Tools. I wouldn't be surprised if Apple did the same sooner or later. Security-wise, anonymous audio plugins have potential for installing nasty stuff in the background.
discoDSP
KVRAF
 
3535 posts since 17 Jul, 2002

Postby discoDSP; Sun Mar 18, 2018 1:41 am Re: Code Sign certificates

Okay, does a new certificate have to be purchased and the .exe file signed again after it has expired?
Guillaume Piolat
KVRist
 
162 posts since 21 Sep, 2015, from Grenoble

Postby Guillaume Piolat; Sun Mar 18, 2018 3:42 am Re: Code Sign certificates

Dealing with some certificate provider has been an out of this world experience.

The provider told me to register on a particular registry to check phone numbers. One of those company listings that send you ads. I did comply of course.
Turns out the phone is hidden behind a paywall, and the provider doesn't want to pay a single dollar to verify you. They took the phone number of the registry website instead of mine, and told me they would verify this one. This was only one event among a sequence of many; the whole process of getting the certificate was about 40 emails. Dealing with the government is much easier.

I long for the day when my certificate will expire, so I can pay again for this valuable service.
No_Use
KVRAF
 
2290 posts since 13 Mar, 2004

Postby No_Use; Sun Mar 18, 2018 4:33 am Re: Code Sign certificates

chipnix wrote:In a perfect world, DAWs should only load software which is also signed, which would make piracy a little bit harder, of course this is also not a 100% solution.


This, on the other hand, would probably be the end for spare-time devs giving away their plugins for free, no? (As I can't imagine them willing to spend money for certificates just to make a gift to the community.)
Dozius
KVRian
 
849 posts since 26 Oct, 2005, from Canada City

Postby Dozius; Sun Mar 18, 2018 6:03 am Re: Code Sign certificates

No_Use wrote: This, on the other hand, would probably be the end for spare-time devs giving away their plugins for free, no?


You could always self-sign a binary and share the public key along with the binary. Users would have to install the key on any machine they use the plugin. Although, knowing how ridiculous audio plugin users are about installing extra things, this probably wouldn't go over well.
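
Added example, not part of any post in this thread: the property chipnix describes (a swapped download fails verification) and the key-sharing approach Dozius mentions, shown with a plain detached `openssl` signature rather than Authenticode or Apple tooling. The file names, file contents and the `make_keypair`, `sign_file` and `verify_file` helpers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). File names and contents are constructed.
set -eu

# Developer side: create a key pair; the private key never leaves the developer.
make_keypair() {  # $1 = directory, $2 = key name
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/$2.key" 2>/dev/null
    openssl pkey -in "$1/$2.key" -pubout -out "$1/$2.pub"
}

# Developer side: detached signature over the SHA-256 digest of the file.
sign_file() {     # $1 = private key, $2 = file; writes $2.sig
    openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

# User side: needs only the public key. Exit status 0 means the signature matches.
verify_file() {   # $1 = public key, $2 = file (expects $2.sig beside it)
    openssl dgst -sha256 -verify "$1" -signature "$2.sig" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_keypair "$d" dev
    printf 'constructed plugin bytes v1.0\n' > "$d/plugin.dll"
    sign_file "$d/dev.key" "$d/plugin.dll"
    verify_file "$d/dev.pub" "$d/plugin.dll" && echo "original: OK"

    # Case 1: file replaced on the download server, old signature left in place.
    printf 'constructed replacement bytes\n' > "$d/plugin.dll"
    verify_file "$d/dev.pub" "$d/plugin.dll" || echo "replaced file: REJECTED"

    # Case 2: replacement re-signed with a different key. It is rejected only
    # because the user checks against the developer's public key obtained
    # earlier, not against a key shipped with the replaced download.
    make_keypair "$d" other
    sign_file "$d/other.key" "$d/plugin.dll"
    verify_file "$d/dev.pub" "$d/plugin.dll" || echo "re-signed with other key: REJECTED"
    rm -rf "$d"
}
demo
```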
FabienTDR
KVRian
 
973 posts since 23 Feb, 2012

Postby FabienTDR; Sun Mar 18, 2018 10:40 am Re: Code Sign certificates

discoDSP wrote: Okay, does a new certificate have to be purchased and the .exe file signed again after it has expired?


No. The certificate will remain valid for eternity.

You "lease" a signing certificate, allowing you to sign stuff. It's a toolkit, a small console app.

About motivations why even freeware devs should sign their stuff: First, it's really cheap. Second, it offers great safety and certainty for your end users. As I said before, it's just too easy to do nasty things with plugins! While signatures don't prevent the nasty things, they get sorted out quickly. Further, most OSs now show pretty hefty warnings to the operator when he tries to install an anonymous, unsigned application.
Youlean
KVRist
 
178 posts since 11 May, 2016, from Serbia

Postby Youlean; Sun Mar 18, 2018 11:01 am Re: Code Sign certificates

I find code signing a little bit confusing. As far as I understand, to code sign everything you need to:

macOS - use a Developer ID certificate to sign the AAX, VST, AU and installer.
Windows - buy some 3rd party certificate to sign the AAX, VST and installer.

But, it seems that you can sign windows AAX with developer id certificate too? Can you sign the installer too?
If not, what certificate provider do you use for windows?
FabienTDR
KVRian
 
973 posts since 23 Feb, 2012

Postby FabienTDR; Sun Mar 18, 2018 11:22 am Re: Code Sign certificates

Afaik, macOS code signing is perfectly fine for all other OSs (also installers, and whatever assets like manuals and so on).

We only use a third party authority (DigiCert) and avoid the Apple ID thing, without complaints.
Youlean
KVRist
 
178 posts since 11 May, 2016, from Serbia

Postby Youlean; Sun Mar 18, 2018 1:17 pm Re: Code Sign certificates

FabienTDR wrote:Afaik, macOS code signing is perfectly fine for all other OSs (also installers, and whatever assets like manuals and so on).

We only use a third party authority (DigiCert) and avoid the Apple ID thing, without complaints.

Thanks. Why would you like to avoid apple ID? Does digicert provide certificates that you can use to sign everything including Apple installers? Is digicert apple gatekeeper approved?

Now, I don't understand a thing... :D :D :D

I did apply for an Apple Developer ID a couple of days ago, still no response, so this might go slow...
FabienTDR
KVRian
 
973 posts since 23 Feb, 2012

Postby FabienTDR; Sun Mar 18, 2018 1:36 pm Re: Code Sign certificates

Not gatekeeper approved, sadly.
But the other way around (via Apple signing) seems to be universally compatible, definitely a better option if you're using a Mac on a daily basis anyway.

I don't want to support apple's politics, though, it's a personal thing ;)
Youlean
KVRist
 
178 posts since 11 May, 2016, from Serbia

Postby Youlean; Sun Mar 18, 2018 1:42 pm Re: Code Sign certificates

FabienTDR wrote:Not gatekeeper approved, sadly.
But the other way around (via Apple signing) seems to be universally compatible, definitely a better option if you're using a Mac on a daily basis anyway.

I don't want to support apple's politics, though, it's a personal thing ;)

Thanks, that cleared everything I guess... :D :tu:
camsr
KVRAF
 
6820 posts since 16 Feb, 2005

Postby camsr; Sun Mar 18, 2018 2:26 pm Re: Code Sign certificates

I've always been curious, how are software patches done on signed code?