Code Sign certificates
-
- KVRAF
- Topic Starter
- 5427 posts since 18 Jul, 2002
Hello, any of you have experience with Code Sign certificates?
I'm considering using them for the installers and avoid "Unknown" publisher, but other than that, I don't see any real advantages.
I have found cheap certificates that cost just $79/year at https://codesigncert.com/comodocodesigning however getting some opinions could help to get a better vision.
Cheers,
George.
-
- KVRist
- 37 posts since 18 Sep, 2011
Code-signing is extremely useful; it's the only (of course not 100% secure) evidence that you are actually running the binary which the developer has built for you. If someone gets access to your webpage, he may be able to exchange your software with malware, but because he doesn't have access to your private code-signing certificate, he cannot build software which is signed with your company/name.
Plugin binaries should also be signed.
In a perfect world, DAWs should only load software which is also signed, which would make piracy a little bit harder, of course this is also not a 100% solution.
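Added example (not part of any post in this thread): one way to run the check described in the post above on Windows, confirming that an installer and its plugin binaries carry a valid Authenticode signature from the publisher you expect. The function name `Test-PublisherSignature`, the folder path and the thumbprint value are assumptions made for illustration; `Get-AuthenticodeSignature` is the standard Windows PowerShell cmdlet.

```powershell
# Added example: audit Authenticode signatures on an installer and plugin binaries.
# Test-PublisherSignature is a hypothetical helper, not code from the thread.
function Test-PublisherSignature {
    [CmdletBinding()]
    param(
        # Folder holding the downloaded installer and/or installed plugins.
        [Parameter(Mandatory)] [string] $Path,
        # Thumbprint of the publisher's signing certificate, obtained out of band.
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,
        # File types that carry embedded Authenticode signatures.
        [string[]] $Extensions = @('.exe', '.msi', '.dll', '.vst3', '.aaxplugin')
    )

    Get-ChildItem -LiteralPath $Path -Recurse -File |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $signer = $sig.SignerCertificate   # $null when the file is unsigned

            [pscustomobject]@{
                File    = $_.FullName
                # Valid, NotSigned, HashMismatch (file changed after signing), ...
                Status  = $sig.Status
                Signer  = if ($signer) { $signer.Subject } else { $null }
                # Accept only a valid signature made with the pinned certificate:
                # a swapped binary signed by someone else fails the second test.
                Trusted = ($sig.Status -eq 'Valid') -and $signer -and
                          ($signer.Thumbprint -eq $ExpectedThumbprint)
            }
        }
}

# Constructed sample call: the path and thumbprint below are placeholders.
# Test-PublisherSignature -Path 'C:\Downloads\ExamplePlugin' `
#     -ExpectedThumbprint '<PUBLISHER-CERT-THUMBPRINT>' |
#     Where-Object { -not $_.Trusted } |
#     Format-Table File, Status, Signer
```

Any row that survives the `-not $_.Trusted` filter is either unsigned, modified after signing, or signed by a certificate other than the pinned one.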
- KVRian
- 1169 posts since 24 Feb, 2012
+1 well worth the costs (you can sign all your stuff with it, not just the installer). Great help for anyone.
Last edited by FabienTDR on Fri Mar 16, 2018 3:25 pm, edited 1 time in total.
Fabien from Tokyo Dawn Records
Check out my audio processors over at the Tokyo Dawn Labs!
- KVRian
- 1169 posts since 24 Feb, 2012
chipnix wrote: In a perfect world, DAWs should only load software which is also signed, which would make piracy a little bit harder, of course this is also not a 100% solution.
That's the reaaaally great thing about AAX/Protools. I wouldn't wonder if apple would do the same sooner or later. Security wise, anonymous audio plugins have potential for installing nasty stuff in the background.
Fabien from Tokyo Dawn Records
Check out my audio processors over at the Tokyo Dawn Labs!
- Guillaume Piolat
- KVRist
- 279 posts since 21 Sep, 2015 from Grenoble
Dealing with some certificate provider has been an out of this world experience.
The provider told me to register on a particular registry to check phone numbers. One of those company listings that send you ads. I did comply of course.
Turns out the phone is hidden behind a paywall, and the provider doesn't want to pay a single dollar to verify you. They took the phone number of the registry website instead of mine, and told me they would verify this one. This was only one event among a sequence of many, the whole process of getting the certificate was about 40 emails. Dealing with the government is much easier.
I long for the day when my certificate will expire, so I can pay again for this valuable service.
Check out our VST3/VST2/AU/AAX/LV2:
Inner Pitch | Lens | Couture | Panagement | Graillon
-
- KVRAF
- 2550 posts since 13 Mar, 2004
chipnix wrote: In a perfect world, DAWs should only load software which is also signed, which would make piracy a little bit harder, of course this is also not a 100% solution.
This, on the other hand, would probably be the end for spare-time devs giving away their plugins for free, no? (As I can't imagine them willing to spend money for certificates just to make a gift to the community.)
- KVRian
- 927 posts since 26 Oct, 2005 from Canada City
No_Use wrote: This, on the other hand, would probably be the end for spare-time devs giving away their plugins for free, no?
You could always self-sign a binary and share the public key along with the binary. Users would have to install the key on any machine they use the plugin. Although, knowing how ridiculous audio plugin users are about installing extra things, this probably wouldn't go over well.
- KVRian
- 1169 posts since 24 Feb, 2012
discoDSP wrote: Okay, does a new certificate have to be purchased and the .exe file signed again after it has expired?
No. The certificate will remain valid for eternity.
You "lease" a signing certificate, allowing you to sign stuff. It's a toolkit, a small console app.
About motivations why even freeware devs should sign their stuff: First, it's really cheap. Second, it offers great safety and certainty for your end users. As I said before, it's just too easy to do nasty things with plugins! While signatures don't prevent the nasty things, they get sorted out quickly. Further, most OSs now show pretty hefty warnings to the operator when he tries to install an anonymous, unsigned application.
Fabien from Tokyo Dawn Records
Check out my audio processors over at the Tokyo Dawn Labs!
- KVRist
- 444 posts since 11 May, 2016 from Serbia
I find code signing a little bit confusing. As far as I understand, to code sign everything you need to do:
macOS - use developer id certificate to sign AAX, VST, AU and installer.
windows - buy some 3rd party certificate to sign AAX, VST and installer.
But, it seems that you can sign windows AAX with developer id certificate too? Can you sign the installer too?
If not, what certificate provider do you use for windows?
Website: https://youlean.co/
- KVRian
- 1169 posts since 24 Feb, 2012
Afaik, macOS code signing is perfectly fine for all other OSs (also installers, and whatever assets like manuals and so on).
We only use a third party authority (digicert) and avoid the apple ID thing, without complaints.
Fabien from Tokyo Dawn Records
Check out my audio processors over at the Tokyo Dawn Labs!
- KVRist
- 444 posts since 11 May, 2016 from Serbia
FabienTDR wrote: Afaik, macOS code signing is perfectly fine for all other OSs (also installers, and whatever assets like manuals and so on). We only use a third party authority (digicert) and avoid the apple ID thing, without complaints.
Thanks. Why would you like to avoid apple ID? Does digicert provide certificates that you can use to sign everything including Apple installers? Is digicert apple gatekeeper approved?
Now, I don't understand a thing...
I did apply for Apple developer ID a couple of days ago, still no response, so this might go slow...
Website: https://youlean.co/
- KVRian
- 1169 posts since 24 Feb, 2012
Not gatekeeper approved, sadly.
But the other way around (via apple signing) seems to be universally compatible, definitely a better option if you're using mac on a daily basis anyway.
I don't want to support apple's politics, though, it's a personal thing
Fabien from Tokyo Dawn Records
Check out my audio processors over at the Tokyo Dawn Labs!
- KVRist
- 444 posts since 11 May, 2016 from Serbia
FabienTDR wrote: Not gatekeeper approved, sadly. But the other way around (via apple signing) seems to be universally compatible, definitely a better option if you're using mac on a daily basis anyway. I don't want to support apple's politics, though, it's a personal thing
Thanks, that cleared everything I guess...
Website: https://youlean.co/