Code Sign certificates

DSP, Plug-in and Host development discussion.
User avatar
discoDSP
KVRAF
3867 posts since 18 Jul, 2002

Post Mon Mar 19, 2018 12:16 am

FabienTDR wrote: No. The certificate will remain valid for eternity.

You "lease" a signing certificate, allowing you to sign stuff. It's a toolkit, a small console app
Thanks, then it's very likely to be purchasing one :)

joshb
KVRist
85 posts since 13 Apr, 2016

Re: Code Sign certificates

Post Fri Apr 06, 2018 5:38 pm

Help me get this right...because I definitely don't understand signing.

My certificate is on my Mac in my Keychain. To sign my installer, I would do something like this:

Code: Select all

productsign --sign "Developer ID Installer: MyCompany" MyInstaller.pkg" MySignedInstaller.pkg"
That's it?


And, did I read that correctly, that I can sign my Windows installer using my Mac certificate? Running the same thing but with my Windows installer that has been copied to my Mac? Would that get rid of the annoying "unknown publisher" Windows warning?

Am I missing anything?

User avatar
discoDSP
KVRAF
3867 posts since 18 Jul, 2002

Re: Code Sign certificates

Post Sat Apr 07, 2018 12:01 am

joshb wrote:Help me get this right...because I definitely don't understand signing.

My certificate is on my Mac in my Keychain. To sign my installer, I would do something like this:

Code: Select all

productsign --sign "Developer ID Installer: MyCompany" MyInstaller.pkg" MySignedInstaller.pkg"
That's it?
Should work fine yes.
And, did I read that correctly, that I can sign my Windows installer using my Mac certificate? Running the same thing but with my Windows installer that has been copied to my Mac? Would that get rid of the annoying "unknown publisher" Windows warning?
No. Microsoft has only certain CAs installed by default and Apple is not among these.

I found a useful how-to article http://luminaryapps.com/blog/code-signi ... -on-a-mac/

Ivan_C
KVRian
1075 posts since 11 Aug, 2004 from Breuillet, France

Re: Code Sign certificates

Post Thu May 03, 2018 8:19 am

Quick question : does someone know if there is any use to have an Extended Validation (EV) Code Signing certificate ? A regular one is enough to prevent any of the annoying Windows warnings ?

User avatar
discoDSP
KVRAF
3867 posts since 18 Jul, 2002

Re: Code Sign certificates

Post Thu May 03, 2018 8:29 am

AFAIK Windows warnings still appear but when you use code signing it will display your publisher name instead Unknown.

User avatar
lorcan
KVRist
136 posts since 26 Sep, 2001 from Paris, France

Re: Code Sign certificates

Post Thu May 03, 2018 10:07 am

With a non-EV code signing cert., you have to 'build up your reputation' every time you release a new build, meaning the first people who download your software will get the pesky alert boxes.
I've got ~80 downloads of my latest build and still get the warnings :x

EV is supposed to give you instant reputation, at least that what they advertise here https://www.digicert.com/code-signing/e ... mpared.htm
But the price and paperwork is not comparable ... $84 vs $349 here http://codesigning.ksoftware.net/ :o

keithwood
KVRist
59 posts since 24 Dec, 2015 from Bristol, UK

Re: Code Sign certificates

Post Thu May 03, 2018 12:44 pm

Don't forget to timestamp - it stops the signature expiring on the expiry date of the certificate. The parameter is --timestamp for both codesign and productsign. I think you can use codesign nowadays and not bother with productsign, although it used not to be the case.

User avatar
discoDSP
KVRAF
3867 posts since 18 Jul, 2002

Re: Code Sign certificates

Post Thu May 03, 2018 11:17 pm

lorcan wrote:EV is supposed to give you instant reputation, at least that what they advertise here https://www.digicert.com/code-signing/e ... mpared.htm
But the price and paperwork is not comparable ... $84 vs $349 here http://codesigning.ksoftware.net/ :o
:? I think getting a $84 certificate is almost pointless if you can't get all the advantages of a real code sign certificate. It makes Apple Developer certificates very cheap in comparison!

User avatar
lorcan
KVRist
136 posts since 26 Sep, 2001 from Paris, France

Re: Code Sign certificates

Post Fri May 04, 2018 4:50 am

discoDSP wrote: :? I think getting a $84 certificate is almost pointless if you can't get all the advantages of a real code sign certificate. It makes Apple Developer certificates very cheap in comparison!
Apple buys them in bulk and they're not EV ...
It is a real code signing certificate, it's just that MS decided that either you need to build up reputation manually or verify your brand credentials, which means more paperwork = more expensive.
If you don't sign at all you get 3 very intimidating warnings instead of one/none.

User avatar
discoDSP
KVRAF
3867 posts since 18 Jul, 2002

Re: Code Sign certificates

Post Fri May 04, 2018 9:45 am

lorcan wrote:If you don't sign at all you get 3 very intimidating warnings instead of one/none.
Are you sure? I'm getting just one right now without any code sign on Windows 7 (no idea about 10).

User avatar
lorcan
KVRist
136 posts since 26 Sep, 2001 from Paris, France

Re: Code Sign certificates

Post Fri May 04, 2018 9:51 am

discoDSP wrote: Are you sure? I'm getting just one right now without any code sign on Windows 7 (no idea about 10).
You definitely get at least two on 10 and 7 ( 99.99% sure). Theses will only trigger if you download a fresh copy from the web, as Windows is clever enough to remember you clicked 'yes' before. Of course that's with default UAC policies.

User avatar
discoDSP
KVRAF
3867 posts since 18 Jul, 2002

Re: Code Sign certificates

Post Fri May 04, 2018 9:52 am

Yep, two warnings using Win10 here.

User avatar
discoDSP
KVRAF
3867 posts since 18 Jul, 2002

Re: Code Sign certificates

Post Mon May 07, 2018 12:47 am

Well, it looks like you have to get an Authenticode certificate from a Microsoft approved certificate authority to sign AAX plugins so no choices here.

Ivan_C
KVRian
1075 posts since 11 Aug, 2004 from Breuillet, France

Re: Code Sign certificates

Post Thu Oct 04, 2018 2:02 am

So, everybody here has acquired a Microsoft approved certificate which is not EV to remove the need for the extra paperwork, meaning that a few users are getting the error message in installers at early release times only ?

User avatar
discoDSP
KVRAF
3867 posts since 18 Jul, 2002

Re: Code Sign certificates

Post Thu Oct 04, 2018 2:12 am

I haven't purchased it yet, but I'd likely have to if AAX is released.

Return to “DSP and Plug-in Development”