Thanks, then it's very likely to be purchasing oneFabienTDR wrote: No. The certificate will remain valid for eternity.
You "lease" a signing certificate, allowing you to sign stuff. It's a toolkit, a small console app
Code Sign certificates
-
- KVRAF
- Topic Starter
- 5419 posts since 18 Jul, 2002
-
- KVRist
- 134 posts since 13 Apr, 2016
Help me get this right...because I definitely don't understand signing.
My certificate is on my Mac in my Keychain. To sign my installer, I would do something like this:
That's it?
And, did I read that correctly, that I can sign my Windows installer using my Mac certificate? Running the same thing but with my Windows installer that has been copied to my Mac? Would that get rid of the annoying "unknown publisher" Windows warning?
Am I missing anything?
My certificate is on my Mac in my Keychain. To sign my installer, I would do something like this:
Code: Select all
productsign --sign "Developer ID Installer: MyCompany" MyInstaller.pkg" MySignedInstaller.pkg"
And, did I read that correctly, that I can sign my Windows installer using my Mac certificate? Running the same thing but with my Windows installer that has been copied to my Mac? Would that get rid of the annoying "unknown publisher" Windows warning?
Am I missing anything?
-
- KVRAF
- Topic Starter
- 5419 posts since 18 Jul, 2002
Should work fine yes.joshb wrote:Help me get this right...because I definitely don't understand signing.
My certificate is on my Mac in my Keychain. To sign my installer, I would do something like this:
That's it?Code: Select all
productsign --sign "Developer ID Installer: MyCompany" MyInstaller.pkg" MySignedInstaller.pkg"
No. Microsoft has only certain CAs installed by default and Apple is not among these.And, did I read that correctly, that I can sign my Windows installer using my Mac certificate? Running the same thing but with my Windows installer that has been copied to my Mac? Would that get rid of the annoying "unknown publisher" Windows warning?
I found a useful how-to article http://luminaryapps.com/blog/code-signi ... -on-a-mac/
-
- KVRian
- 1153 posts since 11 Aug, 2004 from Breuillet, France
Quick question : does someone know if there is any use to have an Extended Validation (EV) Code Signing certificate ? A regular one is enough to prevent any of the annoying Windows warnings ?
- KVRist
- 160 posts since 26 Sep, 2001 from Paris, France
With a non-EV code signing cert., you have to 'build up your reputation' every time you release a new build, meaning the first people who download your software will get the pesky alert boxes.
I've got ~80 downloads of my latest build and still get the warnings
EV is supposed to give you instant reputation, at least that what they advertise here https://www.digicert.com/code-signing/e ... mpared.htm
But the price and paperwork is not comparable ... $84 vs $349 here http://codesigning.ksoftware.net/
I've got ~80 downloads of my latest build and still get the warnings
EV is supposed to give you instant reputation, at least that what they advertise here https://www.digicert.com/code-signing/e ... mpared.htm
But the price and paperwork is not comparable ... $84 vs $349 here http://codesigning.ksoftware.net/
Lorcan | lmdsp audio plug-ins
- KVRist
- 91 posts since 24 Dec, 2015 from Bristol, UK
Don't forget to timestamp - it stops the signature expiring on the expiry date of the certificate. The parameter is --timestamp for both codesign and productsign. I think you can use codesign nowadays and not bother with productsign, although it used not to be the case.
-
- KVRAF
- Topic Starter
- 5419 posts since 18 Jul, 2002
I think getting a $84 certificate is almost pointless if you can't get all the advantages of a real code sign certificate. It makes Apple Developer certificates very cheap in comparison!lorcan wrote:EV is supposed to give you instant reputation, at least that what they advertise here https://www.digicert.com/code-signing/e ... mpared.htm
But the price and paperwork is not comparable ... $84 vs $349 here http://codesigning.ksoftware.net/
- KVRist
- 160 posts since 26 Sep, 2001 from Paris, France
Apple buys them in bulk and they're not EV ...discoDSP wrote: I think getting a $84 certificate is almost pointless if you can't get all the advantages of a real code sign certificate. It makes Apple Developer certificates very cheap in comparison!
It is a real code signing certificate, it's just that MS decided that either you need to build up reputation manually or verify your brand credentials, which means more paperwork = more expensive.
If you don't sign at all you get 3 very intimidating warnings instead of one/none.
Lorcan | lmdsp audio plug-ins
-
- KVRAF
- Topic Starter
- 5419 posts since 18 Jul, 2002
Are you sure? I'm getting just one right now without any code sign on Windows 7 (no idea about 10).lorcan wrote:If you don't sign at all you get 3 very intimidating warnings instead of one/none.
- KVRist
- 160 posts since 26 Sep, 2001 from Paris, France
You definitely get at least two on 10 and 7 ( 99.99% sure). Theses will only trigger if you download a fresh copy from the web, as Windows is clever enough to remember you clicked 'yes' before. Of course that's with default UAC policies.discoDSP wrote: Are you sure? I'm getting just one right now without any code sign on Windows 7 (no idea about 10).
Lorcan | lmdsp audio plug-ins
-
- KVRian
- 1153 posts since 11 Aug, 2004 from Breuillet, France
So, everybody here has acquired a Microsoft approved certificate which is not EV to remove the need for the extra paperwork, meaning that a few users are getting the error message in installers at early release times only ?