
Thread: sign my app

  1. #1
    Join Date
    Sep 2012
    Posts
    1

    sign my app

    Hello

    I know how signtool works, but whenever I search for a certificate I always get paid certificates from Thawte, VeriSign and so on. I need to sign my application but I really don't care a lot about the certificate owner, just something to prove that I am the owner of my software and so that my app does not throw the dialog box about unknown publisher with Windows programs. Does someone here know how to sign apps for free? Is there any certificate that anyone can use to sign their program apart from the paid ones?

    Regards

  2. #2
    Join Date
    Apr 1999
    Posts
    27,449

    Re: sign my app

    Quote Originally Posted by SKOO View Post
    Hello

    I know how signtool works, but whenever I search for a certificate I always get paid certificates from Thawte, VeriSign and so on. I need to sign my application but I really don't care a lot about the certificate owner,
    You may not care, but the ones using your software will care. The users want to make sure they are not getting software from a suspicious source. In other words, getting a code signing certificate is serious business, and the companies that issue these certificates treat it as serious business.

    Even if you paid money, you have to be vetted by the certificate company -- you need to verify who you are when you apply for the certificate. This means incorporation information, business phone number, other legal documents, etc. It isn't just "pay money and you get a certificate". There are many who pay money, but can't pass the vetting process, thus they get their money refunded. If getting a certificate were so simple, then you would practically never see the dialog box stating that the author is "unknown".

    Regards,

    Paul McKenzie
    Last edited by Paul McKenzie; January 27th, 2013 at 07:33 PM.

  3. #3
    Join Date
    Jun 2010
    Location
    Germany
    Posts
    2,675

    Re: sign my app

    Quote Originally Posted by Paul McKenzie View Post
    [...] If getting a certificate were so simple, then you would practically never see the dialog box stating that the author is "unknown".
    ... and it would enable just any criminal malware author or prankster to sign their stuff so Windows considers it harmless, eventually rendering the signing mechanism as such completely useless...

  4. #4
    Join Date
    Nov 2000
    Location
    Voronezh, Russia
    Posts
    6,620

    Re: sign my app

    Quote Originally Posted by SKOO View Post
    Does someone here know how to sign apps for free? Is there any certificate that anyone can use to sign their program apart from the paid ones?
    As Paul already said, this is a serious business. Serious not just because of paying some money, but mainly because of establishing a link of trust between the trustee (certificate applicant) and the trust authority that issues the certificate, where the latter must be trusted through its own trust chain going up to a root trust authority. So you must prove you're legally trustworthy. Legal stuff always costs, this is the reality.
    Best regards,
    Igor

  5. #5
    Join Date
    Apr 2000
    Location
    Belgium (Europe)
    Posts
    4,626

    Re: sign my app

    You can create a self-certified certificate. That is, you make a certificate and require yourself to be set as a trusted certificate authority for your own certificates.

    This works, but it requires that your customers trust you enough that they actually do allow (and go through the manual process of allowing) your CA certificate. If you're a small business and you have face-to-face communications with your customers, and you have only a limited/manageable number of customers, this shouldn't be all that much of an issue.

    If you have thousands of customers from all over the world, self-signed certificates, while they still work, are considerably less obvious for your customers to use.
    The whole point of the root CAs is to have a chain of third parties that, through trusted mutual identification, will have proof that you are indeed who you claim to be.
    The process of certifying yourself with a CA is a process that requires manual labour and administrative costs, and the CA needs to maintain your certificate and may need to allow you to expire/invalidate the certificate if need be. All this requires real-life people to be paid, and resources in the form of computers, servers, internet connections etc. that need to be paid for, so yes, certification does come with a cost to cover all that.

    Unless you have a specific need to, you don't need a certificate directly signed by Thawte, or VeriSign, or... you could get a certificate at a local cheaper CA; the only requirement is that that CA has a chain back to one of the Windows root CAs.
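
The self-signed route described in post #5, sketched in PowerShell as an added example that is not part of the original thread: the publisher creates and uses a code-signing certificate, and the customer checks its thumbprint before trusting it. The subject name, file names and the sample script being signed are constructed placeholders.

```powershell
# Added example: self-signed code signing, publisher side then customer side.
# The subject name and file names are constructed placeholders.

# --- Publisher: create a code-signing certificate in the current user's store
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example Publisher (constructed)' `
    -KeyAlgorithm RSA -KeyLength 3072 -HashAlgorithm SHA256 `
    -CertStoreLocation Cert:\CurrentUser\My `
    -NotAfter (Get-Date).AddYears(2)

# Export only the public certificate; the private key stays in the store.
$cer = Join-Path $PWD 'ExamplePublisher.cer'
Export-Certificate -Cert $cert -FilePath $cer | Out-Null

# Constructed sample file to sign; an .exe or .dll path works the same way.
$target = Join-Path $PWD 'hello-constructed.ps1'
Set-Content -Path $target -Value 'Write-Output "hello from a signed script"'

# No timestamp server is given here, so the signature stops validating
# once the certificate expires.
Set-AuthenticodeSignature -FilePath $target -Certificate $cert `
    -HashAlgorithm SHA256 | Out-Null

# Until the customer trusts the certificate, the chain ends in an unknown
# root and Status is not 'Valid'.
Get-AuthenticodeSignature -FilePath $target | Format-List Status, StatusMessage

# Give this value to the customer over a separate channel (phone, in person).
$expected = $cert.Thumbprint

# --- Customer (elevated prompt): check the thumbprint, then trust the publisher
$received = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cer)
if ($received.Thumbprint -ne $expected) {
    throw 'Thumbprint mismatch: do not import this certificate.'
}
# Root lets the chain build; TrustedPublisher marks the signer as trusted.
Import-Certificate -FilePath $cer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

Get-AuthenticodeSignature -FilePath $target | Format-List Status, SignerCertificate
```

Adding a certificate to the Root store is a machine-wide trust decision for the customer, which is why the thumbprint is compared before the import.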
