Windows signing is a ripoff: $500/year and you're getting nothing.
Your certificate is not trusted. You have to "get reputation for it" before Windows Defender will stop giving users warnings.
Also, renewing a certificate is not a thing. Every time you have to get a new one, with the same story of "reputation" again.

[1] https://www.digicert.com/order/order-1.php
I created a huge rant on code signing certificates here:

https://www.youtube.com/watch?v=mwuk0E-tfeg

It's a nightmare. Complete scam.

I needed this for Polar: https://getpolarized.io/

Mind you... it's Open Source but I still want my users to be able to download it without warnings.

No joke - it took me 2 weeks to get the CSC with about 4 hours per day working on just this CSC issue.

It's just a labyrinth of insanity from not having a listing on D&B to them insisting I pay $2k to expedite it.

I still don't have one from Apple because it requires a D&B number so I had to get a personal cert from them.

I went with a cheap one for Windows BUT it gives errors on install for like the first 1k downloads until Windows says it's legit.

It's a complete scam.

BTW.. if you get in the MS App Store you don't have to worry about a CSC so that's good I guess.
I remember the good old days when people were actually trusted to do their own research before downloading a potentially dangerous exe.

Now all we have are app store and certificate rackets. I'm looking at Google and Apple too. Shame on the industry for accepting a 30% revenue share on their services. The idea of an app store is great but not when it excludes other legitimate ways of installing software on a device.

These practices are anticompetitive and monopolistic.

Good for Notepad++. I couldn't agree more with its sentiment.
What *really* pisses me off is code signing for drivers. To install an unsigned driver in 64-bit Windows 10, you need to reboot your computer into a special menu that can only be navigated with a USB keyboard (which I have to lug out of the closet, since I normally use Bluetooth). That in itself wouldn't be so bad, except the setting persists *only until the next reboot!* †

This is all in stark contrast to macOS's System Integrity Protection, which I can turn off once to never be bothered again.

I understand why Microsoft would enforce higher standards on drivers which can touch the kernel. But, the same fundamental problem applies: it isn't reasonable for non-profit, open source developers, many of whom *I* consider perfectly trustworthy, to pay hundreds of dollars for a certificate! Let me make the final decision about who I trust. It's my machine, I even built it myself!

The primary place I run into this problem is with drivers to support weird video game controllers.

---

† You can enable a "testsigning" mode via the command line which persists across reboots, but this only seems to work for certain drivers. If anyone can explain why it *sometimes* works, I'd appreciate it, as my research has never turned up anything.
I've been slowly improving my open source Windows chess program Tarrasch (http://triplehappy.com) for nearly 10 years. One of my improvement plans has been to put on my big boy pants, and spend the money and time needed to sign the program. I thought it was a big part of the program graduating and becoming a serious software citizen. After reading the comments here I am reconsidering and might save myself the pain. Thanks Hacker News!
I'm going through a "renewal" right now... The archaic maze of validation is also getting on my nerves. It's been three weeks now that I'm waiting for a phone call to validate my phone number. This article is making it so tempting to cancel my order.

The plethora of support emails is what motivated me to get one in the first place. I used to get accused of giving users a "virus" and getting into infinite loops on why they should trust me. I'm sure I was wasting more than $100/year of my time responding to these emails, so I just gave in and got one.

Now, I don't know what to do.
Why not use something like Certum [1]? It's $69/year (cheaper if you already have a smartcard), but the CN ends up with something like "Open source developer, [full name]". It's not "notepad++" like the author wants, but it's still better than nothing.

[1] https://en.sklep.certum.pl/data-safety/code-signing-certificates/open-source-code-signing-984.html

edit: updated price
In case anyone reads this far down:

https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate

Follow the steps under "Buy a DigiCert EV code signing certificate".

You're welcome. ;)
Interesting that they will check the hashes of dependencies at runtime. But then I start to wonder - why dynamic linking if the library can't be replaced?
Good for them! Certificates are a bad business today. The only reason I'd get one is because things like Let's Encrypt exist.

Orthogonally, I also think that $99 App Store fees are a terrible waste of money. You should get charged only when submitting to an app store for review.

There are plenty of root certificates that came installed on my computer, and I don't even trust them. Why would these CAs charge so much for so little value?
At the end of the day, Notepad++ can't get a "Notepad++" cert because "Notepad++" is not a Legal Entity (i.e. a corporation or living person). At least from a policy perspective, Microsoft will only consider Legal Entities to be valid code signatories.

Yes, this *is* stupid and outdated, I agree - I personally think that Keybase issuing code signing certificates and being able to verify that the person who signed this also owns this GitHub and that Twitter account would still be super valuable.
These kinds of code-signing certificates should be free for free and open source projects.

The D language community recently [1][2] bought a certificate reluctantly to satisfy Windows Defender, virus scan warnings, etc. Sadly we are stuck with this immoral blackmail.

[1] https://forum.dlang.org/post/sclqnbggytmyetwrxppb@forum.dlang.org

[2] https://dlang.org/changelog/2.082.0.html#signed_windows_binaries
Beside the fact that code signing is a racket, https://codesigncert.com/ gets you a Comodo cert for $75.
This is slightly off-topic, but do indie game developers publishing on Steam have to jump through this hoop to support Windows? Are all Windows games on Steam signed?
I'm startled that there's no mention of app whitelisting yet.

Code signing reduces ops overhead and latency in environments that are using app whitelisting.

If the code is signed, then the signing certificate can be trusted *once*. All upgrades and patches that are signed with that certificate can be *automatically* whitelisted, with no intervention from teams managing the whitelisting.

But if the code *isn't* signed, then if even a single byte changes in the executable, it must be re-whitelisted - usually manually.

The more signed apps there are, the easier it is for companies to start using application whitelisting, the fewer people are needed to maintain it, and the faster patches to those applications can be deployed. Making it easier for companies to move to whitelisting increases security for the ecosystem in the aggregate.
Anyone have any source that cites its sources for the profit margins on code signing rackets? I imagine for mobile the margins are especially high since phone OS design makes it much easier to put less effort into audits. I bet the profit margins in both mobile and standard are absolutely monstrous. By the principles of business I assume they put in the least amount of effort possible while still putting in enough to protect themselves from blame.
> I realize that code signing certificate is just an overpriced masturbating toy of FOSS authors.

I'm not sure what the author means by this.
Does this mean that some users won't be allowed to install Notepad++ because it's not signed? I know some corporate environments have restrictions on downloaded installers.

Off topic, but I have to say that whenever I need to open *hundreds* of files at once and perform regex operations-- this editor rocks that task like no other. Kudos to Notepad++
You can buy a Windows code signing certificate from DigiCert for $74/yr (EV certs are $104/yr) by going through this link - https://www.digicert.com/friends/sysdev/ - much easier to swallow than the standard $499!
Companies using Carbon Black Protection (Bit9) or similar application whitelisting systems use signing certificates to help approve software. Once I approve the "Simon Tatham" certificate for my company, anyone can download the latest version of PuTTY and run it without issue. I wish the trend was for more software to be signed.
I am in a similar situation myself with Portable-VirtualBox. Does anyone know where one can get a reasonably priced code signing certificate?<p>Preferably one that does not require a USB dongle. Did order one from Comodo, but was not able to get the USB dongle to work.
Other than Microsoft's signed software, the fact that it is signed doesn't really mean much to me, as I have no idea what anything should be signed with. What I tend to trust is that I know specifically where I went to get a piece of software. It is easier for me to tell what an official site is than an official signature.
Feels like there's an opportunity for some kind of organization to help open-source developers out with this. It shouldn't be this hard for someone trying to give away good work to the world. I used Notepad++ for a long time, and still might if I spent any time in Windows.
It seems the author is very focused on signing with X.509.

I'm wondering if they are aware of free alternatives like signify or PGP that would work just as well (minus the Windows UAC thing). Right now there are only checksums but no way to verify they are from the author, and they are distributed on the same server as the binary, so the only security layer is HTTPS.
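Two of the comments above make technical points that are easier to see in code: the whitelisting comment (trust a signer once, and every later build it signs is accepted automatically, whereas an unsigned build must be re-approved whenever a byte changes) and the comment suggesting signify or PGP as a free alternative to X.509. The example below is added here and is not code from the thread, from Notepad++ or from signify; it implements a signify/minisign-style scheme in Go with a detached ed25519 signature over a SHA256SUMS-style manifest, and then builds a publisher allowlist keyed by the signing public key next to a plain hash allowlist. The key pair, file names, file contents and the "Example Publisher" label are constructed for the demonstration; the manifest format is the common "hex digest, two spaces, file name" convention and is an assumption, not a format any of the commenters specified.

```go
package main

// Added example, not code from the thread or from Notepad++: a signify-style release
// signature (detached ed25519 over a SHA256SUMS manifest) plus an allowlist keyed by
// the publisher's public key, contrasted with a hash allowlist. All keys, file names,
// contents and labels below are constructed for the demonstration.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Signer is a publisher's release-signing key pair (hypothetical publisher).
type Signer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Pub: pub, priv: priv}, nil
}

// Manifest renders "<hex sha256>  <name>" lines in name order (assumed SHA256SUMS layout).
func Manifest(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.String()
}

// Sign returns a detached signature over the manifest text.
func (s *Signer) Sign(manifest string) []byte {
	return ed25519.Sign(s.priv, []byte(manifest))
}

// VerifyArtifact checks the manifest signature under pub, then checks that the
// named artifact's SHA-256 matches its manifest entry. Signature first: an
// unsigned or re-signed manifest must never be consulted for hashes.
func VerifyArtifact(pub ed25519.PublicKey, manifest string, sig []byte, name string, data []byte) error {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return errors.New("manifest signature does not verify")
	}
	sum := sha256.Sum256(data)
	want := hex.EncodeToString(sum[:])
	for _, line := range strings.Split(manifest, "\n") {
		f := strings.Fields(line)
		if len(f) == 2 && f[1] == name {
			if f[0] == want {
				return nil
			}
			return errors.New("hash mismatch for " + name)
		}
	}
	return errors.New("artifact not listed in manifest: " + name)
}

// PublisherAllowlist maps hex public keys to a label. Approving a key once
// approves every later release it signs, with no per-version list change.
type PublisherAllowlist map[string]string

func (a PublisherAllowlist) Allowed(pub ed25519.PublicKey, manifest string, sig []byte, name string, data []byte) (string, error) {
	label, ok := a[hex.EncodeToString(pub)]
	if !ok {
		return "", errors.New("publisher key not in allowlist")
	}
	if err := VerifyArtifact(pub, manifest, sig, name, data); err != nil {
		return "", err
	}
	return label, nil
}

// HashAllowlist is the unsigned-software case: every new build must be re-added by hand.
type HashAllowlist map[string]bool

func (h HashAllowlist) Add(data []byte) {
	sum := sha256.Sum256(data)
	h[hex.EncodeToString(sum[:])] = true
}

func (h HashAllowlist) Allowed(data []byte) bool {
	sum := sha256.Sum256(data)
	return h[hex.EncodeToString(sum[:])]
}

func main() {
	s, err := NewSigner()
	if err != nil {
		panic(err)
	}
	rel := map[string][]byte{"app-1.0.exe": []byte("constructed release 1.0")}
	m := Manifest(rel)
	sig := s.Sign(m)
	al := PublisherAllowlist{hex.EncodeToString(s.Pub): "Example Publisher"}
	fmt.Println(al.Allowed(s.Pub, m, sig, "app-1.0.exe", rel["app-1.0.exe"]))
	fmt.Println(al.Allowed(s.Pub, m, sig, "app-1.0.exe", []byte("tampered build")))
}
```

The design point is that the public key plays the role the Authenticode certificate plays in the whitelisting comment: the allowlist names the publisher, not the build, so a 1.1 release signed with the same key passes without anyone touching the list, while a tampered binary, a manifest signed by a different key, or a manifest whose signature does not match all fail before any hash is trusted. The hash allowlist is kept alongside to show the contrast the comment draws. What this scheme cannot give you is the Windows SmartScreen or UAC treatment, which only X.509 code signing gets, exactly as the comment notes.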