Code Sign certificates

DSP, Plugin and Host development discussion.

Post

Hello, any of you have experience with Code Sign certificates?

I'm considering using them for the installers and avoid "Unknown" publisher, but other than that, I don't see any real advantages.

I have found cheap certificates that cost just $79/year at https://codesigncert.com/comodocodesigning however getting some opinions could help to get a better vision.

Cheers,
George.

Post

Code-signing is extremely useful; it's the only (of course not 100% secure) evidence that you are actually running the binary which the developer has built for you. If someone gets access to your webpage, he may exchange your software with malware, but because he doesn't have access to your private code-signing certificate, he cannot build software which is signed with your company/name.
Plugin binaries should also be signed.
In a perfect world, DAWs should only load software which is also signed, which would make piracy a little bit harder, of course this is also not a 100% solution.

Post

+1 well worth the costs (you can sign all your stuff with it, not just the installer). Great help for anyone.
Last edited by FabienTDR on Fri Mar 16, 2018 3:25 pm, edited 1 time in total.
Fabien from Tokyo Dawn Records

Check out my audio processors over at the Tokyo Dawn Labs!

Post

chipnix wrote:In a perfect world, DAWs should only load software which is also signed, which would make piracy a little bit harder, of course this is also not a 100% solution.
That's the reaaaally great thing about AAX/Protools. I wouldn't wonder if apple would do the same sooner or later. Security wise, anonymous audio plugins have potential for installing nasty stuff in the background.
Fabien from Tokyo Dawn Records

Check out my audio processors over at the Tokyo Dawn Labs!

Post

Okay, does a new certificate have to be purchased and the .exe file signed again after it has expired?

Post

Dealing with some certificate provider has been an out of this world experience.

The provider told me to register on a particular registry to check phone numbers. One of those company listings that send you ads. I did comply, of course.
Turns out the phone number is hidden behind a paywall, and the provider doesn't want to pay a single dollar to verify you. They took the phone number of the registry website instead of mine, and told me they would verify this one. This was only one event among a sequence of many; the whole process of getting the certificate was about 40 emails. Dealing with the government is much easier.

I long for the day when my certificate will expire, so I can pay again for this valuable service.
Check out our VST3/VST2/AU/AAX/LV2:
Inner Pitch | Lens | Couture | Panagement | Graillon

Post

chipnix wrote: In a perfect world, DAWs should only load software which is also signed, which would make piracy a little bit harder, of course this is also not a 100% solution.
This, on the other hand, would probably be the end for spare-time devs giving away their plugins for free, no? (As I can't imagine them willing to spend money for certificates just to make a gift to the community.)

Post

No_Use wrote:This, on the other hand, would probably be the end for spare-time devs giving away their plugins for free, no?
You could always self-sign a binary and share the public key along with the binary. Users would have to install the key on any machine they use the plugin on. Although, knowing how ridiculous audio plugin users are about installing extra things, this probably wouldn't go over well.
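The two mechanisms discussed in this thread, the swapped download that cannot carry the developer's signature (chipnix's post) and the self-signed binary whose public key is shipped alongside it (the reply above), played out in code. This is an added example, not code from the thread or from any of the products mentioned: an Ed25519 key pair generated in memory stands in for the publisher's signing certificate, the installer bytes are constructed, and the names `Publisher`, `Verify` and `RunDemo` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Publisher holds the developer's signing key pair. In a real code-signing
// setup the private key lives on a token or in an HSM and is never on the
// web server; here it is generated in memory purely for the demonstration.
type Publisher struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewPublisher generates a fresh key pair for a hypothetical publisher.
func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{Pub: pub, priv: priv}, nil
}

// Sign produces a detached signature over the SHA-256 digest of the binary,
// the same shape as a code signature: the file itself is unchanged and the
// signature travels alongside it (or embedded in it, as Authenticode does).
func (p *Publisher) Sign(binary []byte) []byte {
	digest := sha256.Sum256(binary)
	return ed25519.Sign(p.priv, digest[:])
}

// Verify is what the user's machine or the DAW host runs: it recomputes the
// digest of the file it actually has and checks the signature against the
// public key it trusts for this publisher. No secret material is needed.
func Verify(pub ed25519.PublicKey, binary, sig []byte) bool {
	digest := sha256.Sum256(binary)
	return ed25519.Verify(pub, digest[:], sig)
}

// DemoResult records the outcome of the three checks in RunDemo.
type DemoResult struct {
	GenuineOK  bool // signature verifies on the untouched binary
	TamperedOK bool // signature still verifies after one byte is changed
	AttackerOK bool // attacker's own signature verifies against publisher key
}

// RunDemo plays out the scenario from the thread: the publisher signs the
// installer, then someone who controls the download server replaces it.
func RunDemo() (DemoResult, error) {
	publisher, err := NewPublisher()
	if err != nil {
		return DemoResult{}, err
	}
	// Constructed stand-in for an installer; a real one would be the PE/pkg bytes.
	installer := []byte("MZ... constructed installer bytes for ExamplePlugin v1.0 ...")
	sig := publisher.Sign(installer)

	// 1. The user downloads the genuine file: verification succeeds.
	genuine := Verify(publisher.Pub, installer, sig)

	// 2. The file on the server is modified but the original signature is
	//    left in place: the digest no longer matches, so it fails.
	tampered := append([]byte(nil), installer...)
	tampered[len(tampered)-1] ^= 0x01
	tamperedOK := Verify(publisher.Pub, tampered, sig)

	// 3. The modified file is re-signed with a key that is not the
	//    publisher's. Without the publisher's private key that signature
	//    does not verify against the public key users already trust.
	other, err := NewPublisher()
	if err != nil {
		return DemoResult{}, err
	}
	otherSig := other.Sign(tampered)
	attackerOK := Verify(publisher.Pub, tampered, otherSig)

	return DemoResult{GenuineOK: genuine, TamperedOK: tamperedOK, AttackerOK: attackerOK}, nil
}

func main() {
	r, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies: %v\n", r.GenuineOK)
	fmt.Printf("tampered verifies: %v\n", r.TamperedOK)
	fmt.Printf("re-signed with another key verifies: %v\n", r.AttackerOK)
}
```

With a raw key pair this is exactly the "share the public key along with the binary" case: users are trusting whatever key they were handed. What a CA-issued certificate adds on top of the same verification is the vetted link between that public key and a company name, so the operating system can show a publisher instead of "Unknown" without the user installing anything first.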

Post

discoDSP wrote:Okay, does a new certificate have to be purchased and the .exe file signed again after it has expired?
No. The certificate will remain valid for eternity.

You "lease" a signing certificate, allowing you to sign stuff. It's a toolkit, a small console app

About motivations why even freeware devs should sign their stuff: First, it's really cheap. Second, it offers great safety and certainty for your end users. As I said before, it's just too easy to do nasty things with plugins! While signatures don't prevent the nasty things, they get sorted out quickly. Further, most OSs now show pretty hefty warnings to the operator when he tries to install an anonymous, unsigned application.
Fabien from Tokyo Dawn Records

Check out my audio processors over at the Tokyo Dawn Labs!

Post

I find code signing a little bit confusing. As far as I understand, to code sign everything you need to do:

macOS - use developer id certificate to sign AAX, VST, AU and installer.
windows - buy some 3rd party certificate to sign AAX, VST and installer.

But, it seems that you can sign windows AAX with developer id certificate too? Can you sign the installer too?
If not, what certificate provider do you use for windows?

Post

Afaik, macOS code signing is perfectly fine for all other OSs (also installers, and whatever assets like manuals and so on).

We only use a third party authority (digicert) and avoid the apple ID thing, without complaints.
Fabien from Tokyo Dawn Records

Check out my audio processors over at the Tokyo Dawn Labs!

Post

FabienTDR wrote:Afaik, macOS code signing is perfectly fine for all other OSs (also installers, and whatever assets like manuals and so on).

We only use a third party authority (digicert) and avoid the apple ID thing, without complaints.
Thanks. Why would you like to avoid apple ID? Does digicert provide certificates that you can use to sign everything including Apple installers? Is digicert apple gatekeeper approved?

Now, I don't understand a thing... :D :D :D

I did apply for an Apple developer ID a couple of days ago, still no response, so this might go slow...

Post

Not gatekeeper approved, sadly.
But the other way around (via apple signing) seems to be universally compatible, definitely a better option if you're using mac on a daily basis anyway.

I don't want to support apple's politics, though, it's a personal thing ;)
Fabien from Tokyo Dawn Records

Check out my audio processors over at the Tokyo Dawn Labs!

Post

FabienTDR wrote:Not gatekeeper approved, sadly.
But the other way around (via apple signing) seems to be universally compatible, definitely a better option if you're using mac on a daily basis anyway.

I don't want to support apple's politics, though, it's a personal thing ;)
Thanks, that cleared everything I guess... :D :tu:

Post

I've always been curious, how are software patches done on signed code?
