Code Sign certificates

DSP, Plugin and Host development discussion.

Post

FabienTDR wrote: No. The certificate will remain valid for eternity.

You "lease" a signing certificate, allowing you to sign stuff. It's a toolkit, a small console app
Thanks, then it's very likely to be purchasing one :)

Post

Help me get this right...because I definitely don't understand signing.

My certificate is on my Mac in my Keychain. To sign my installer, I would do something like this:

productsign --sign "Developer ID Installer: MyCompany" MyInstaller.pkg MySignedInstaller.pkg
That's it?


And, did I read that correctly, that I can sign my Windows installer using my Mac certificate? Running the same thing but with my Windows installer that has been copied to my Mac? Would that get rid of the annoying "unknown publisher" Windows warning?

Am I missing anything?

Post

joshb wrote: Help me get this right...because I definitely don't understand signing.

My certificate is on my Mac in my Keychain. To sign my installer, I would do something like this:

productsign --sign "Developer ID Installer: MyCompany" MyInstaller.pkg MySignedInstaller.pkg
That's it?
Should work fine yes.
And, did I read that correctly, that I can sign my Windows installer using my Mac certificate? Running the same thing but with my Windows installer that has been copied to my Mac? Would that get rid of the annoying "unknown publisher" Windows warning?
No. Microsoft has only certain CAs installed by default and Apple is not among these.

I found a useful how-to article http://luminaryapps.com/blog/code-signi ... -on-a-mac/

Post

Quick question: does someone know if there is any use in having an Extended Validation (EV) Code Signing certificate? A regular one is enough to prevent any of the annoying Windows warnings?

Post

AFAIK Windows warnings still appear, but when you use code signing it will display your publisher name instead of Unknown.

Post

With a non-EV code signing cert., you have to 'build up your reputation' every time you release a new build, meaning the first people who download your software will get the pesky alert boxes.
I've got ~80 downloads of my latest build and still get the warnings :x

EV is supposed to give you instant reputation, at least that's what they advertise here https://www.digicert.com/code-signing/e ... mpared.htm
But the price and paperwork is not comparable ... $84 vs $349 here http://codesigning.ksoftware.net/ :o

Post

Don't forget to timestamp - it stops the signature expiring on the expiry date of the certificate. The parameter is --timestamp for both codesign and productsign. I think you can use codesign nowadays and not bother with productsign, although it used not to be the case.
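
The signing command from this thread with the timestamp requested and then checked before shipping, as an added example that is not part of any post here. The identity string and file names are placeholders, and the check assumes `pkgutil --check-signature` prints a "trusted timestamp" line for a timestamped package.

```shell
#!/bin/sh
# Added example: sign a .pkg with a trusted timestamp, then confirm the
# timestamp actually made it into the signature. The timestamp request can
# fail quietly (e.g. no network), so the result is checked, not assumed.

# has_trusted_timestamp PKG
# Returns 0 only if pkgutil accepts the signature AND reports a timestamp.
# Assumption: pkgutil reports "Signed with a trusted timestamp on: ...".
has_trusted_timestamp() {
    report=$(pkgutil --check-signature "$1" 2>&1) || return 1
    printf '%s\n' "$report" | grep -qi 'trusted timestamp'
}

# sign_pkg IDENTITY UNSIGNED_PKG SIGNED_PKG
# Exit codes: 0 ok, 2 bad arguments, 3 signing failed, 4 no timestamp.
sign_pkg() {
    identity=$1; in_pkg=$2; out_pkg=$3
    [ -f "$in_pkg" ] || { echo "missing input: $in_pkg" >&2; return 2; }
    # Keep the unsigned input intact so a failed run can be repeated.
    [ "$in_pkg" != "$out_pkg" ] || { echo "output must differ from input" >&2; return 2; }

    productsign --timestamp --sign "$identity" "$in_pkg" "$out_pkg" || return 3

    if ! has_trusted_timestamp "$out_pkg"; then
        echo "signed, but no trusted timestamp found: do not ship $out_pkg" >&2
        return 4
    fi
    return 0
}

# Run as a script on a Mac:
#   ./sign.sh "Developer ID Installer: MyCompany" MyInstaller.pkg MySignedInstaller.pkg
if [ "$#" -eq 3 ]; then
    sign_pkg "$@"
fi
```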

Post

lorcan wrote: EV is supposed to give you instant reputation, at least that's what they advertise here https://www.digicert.com/code-signing/e ... mpared.htm
But the price and paperwork is not comparable ... $84 vs $349 here http://codesigning.ksoftware.net/ :o
:? I think getting a $84 certificate is almost pointless if you can't get all the advantages of a real code sign certificate. It makes Apple Developer certificates very cheap in comparison!

Post

discoDSP wrote: :? I think getting a $84 certificate is almost pointless if you can't get all the advantages of a real code sign certificate. It makes Apple Developer certificates very cheap in comparison!
Apple buys them in bulk and they're not EV ...
It is a real code signing certificate, it's just that MS decided that either you need to build up reputation manually or verify your brand credentials, which means more paperwork = more expensive.
If you don't sign at all you get 3 very intimidating warnings instead of one/none.

Post

lorcan wrote: If you don't sign at all you get 3 very intimidating warnings instead of one/none.
Are you sure? I'm getting just one right now without any code sign on Windows 7 (no idea about 10).

Post

discoDSP wrote: Are you sure? I'm getting just one right now without any code sign on Windows 7 (no idea about 10).
You definitely get at least two on 10 and 7 (99.99% sure). These will only trigger if you download a fresh copy from the web, as Windows is clever enough to remember you clicked 'yes' before. Of course that's with default UAC policies.

Post

Yep, two warnings using Win10 here.

Post

Well, it looks like you have to get an Authenticode certificate from a Microsoft approved certificate authority to sign AAX plugins so no choices here.

Post

So, everybody here has acquired a Microsoft approved certificate which is not EV to remove the need for the extra paperwork, meaning that a few users are getting the error message in installers at early release times only?

Post

I haven't purchased it yet, but I'd likely have to if AAX is released.
