How is everyone else doing this?
We were previously signing our code using EVCS + hardware token (Yubikey) via SSL.com but have recently had alot of issues. It now appears as though this is no longer supported: https://www.ssl.com/blogs/new-minimum-rsa-key-size-for-code-signing-certificates/
As an interim solution we are using their eSigner solution but have found it very expensive, not transparent and with dubious billing practices.
What is the current best practice for signing ClickOnce deployment using Visual Studio? How is everyone else signing their applications? Is there a better alternative?
In the problem I'm having, many people now use sha384 code signing certificates.
However, if you use it before vs2022, it seems that there will be some problems, see this case for details.
For ev code signing maybe you can try this article.
Related
I am looking for a certifier for my Windows app, and I am wondering which certificate type I should choose for the application of my startup. I saw that there are mainly two types - so-called OV and EV certificates. A quick summary from SSL.com (for code-signing a desktop application)
An EV code signing certificate offers an immediate reputation with Microsoft SmartScreen, so your users will never have to click through a SmartScreen warning in Windows.
With an OV certificate, SmartScreen reputation must be built organically, as users download and install your files. SmartScreen warnings may occur until enough software proves sufficiently popular with Windows users for SmartScreen to view it as “well known.”
I understand the differences, and most articles refer to them in the use-case of Web SSL certificates. But would you recommend an EV certificate for a desktop application from a startup? Or is it not worth the money? Any help is highly appreciated!
The real answer here is that you need to be able to cover the cost of the cert, only you know whether you will make enough money from your app for it. The increase in downloads between the two is unlikely to be very big.
Taking SSL.com as an example, OV certificates are offered for 2 years at $232 but EV is $598. If you think that the fairly small percentage increase in downloads will cover this then go for it. It will look more professional that way. After all, $366 to a popular app is peanuts. But if you think your app will not be popular or won't make money, don't waste your cash.
We have a code signing setup using HSM over network. On mac we were using tokend previously but with macOS 10.15 tokend is disabled and we need to move to Cryptotokenkit. Is there any possible suggestion/solution available in which we can fetch the token from network based HSM instead of smartcard?
We had to deal with this and it was a pain. I was tasked to take a look at what would be involved in migrating from tokend to CTK and it looked like a very tough task. We eventually got it working with third party software. There were a couple products we looked at but we ended up selecting GaraSign. At the time they were the only one who had macOS signing working but I believe some of their competitors now have it too.
I'm trying to create a custom CSP(cryptographic service provider) and I'm kinda stuck at signing the csp dll. In the cspdk(cspdk) it is said, that I should use cspsign.exe to produce the signature file that can be included into the dll as a resource. But there's no such a file in cspdk or anywhere in windows.
So I began to google and found some posts that before 2013 people were sending their dll's to microsoft and got it signed in return. And after 2013 you are supposed to use microsoft authenticode and purchase code signing cert for it.
I'm in a development stage so there will be many many builds, so may be there is some simple way to get thing working.
So the question is how this process looks like in 2019?
UPDATE:
I found out that cspsign was a test utility for Windows 2000, so the cspdk is a little bit out of date. The question remains actual ..
Those sdks are so old, with newer versions nowhere to be found, and documentation so sparse. The only reference I found on a somewhat recent process is hidden in here, halfway through the page: Authenticode signing of CSPs
Note Starting with Windows 8, it is no longer a requirement that CSPs must be signed.
So, CSPs no longer need to be signed.
So my situation:
I built an Sideloaded UWP app with Visual Studio. Visual Studio can create an .pfx certificate that is temporary for 1 year. After that you have to recreate another certificate. The year for my certificate is almost over. Now I was thinking of buying such a certificate with more than 1 year of a lifetime.
Now my problem is that I absolutly don´t understand what I actually have to look for. When searching for certificates I find all kinds of SSL Certificates. Do I need SSL certificates for my case? Because it seems this is some web related certificate. Then there are EV OV DV, S/MIME Email Certificates and everything just does not seem right.
Code Signing OV is the closest I could find.
There also are alot of other different Code Signing certificates. Some list details like: "Authenticode, Office VBA, Java, Adobe Air, Mac / OSX, Android"
Some other just list the detail "Multiplatform" on like 5 different offers that all look the same and when you look into the description those informations are probably important: "32- und 64-Bit-Files like .exe, .cab, .dll, .ocx, .msi, .xpi, .xap and Kernel-Software" + "SHA-1".
Then there are CodeSignings like this "Microsoft Authenticode (Multi-Purpose)" with "SHA-2"
And this are just a few examples. There are alot offers and I understand neither of them. Just give me a working .pfx file.
Anyway
I was hoping that someone could help me understand on what I should be looking for if I want to have a certificate for my Sideloaded UWP app similar to the certificate that Visual Studio can create.
You need a code signing certificate which can be bought from digicert for example. Please refer to the their support page for more information about how it works.
If you need a public certificate, you'll find a special offer on this link.
... or am I doing something wrong? (Yep. I was. Feel free to skip to the Update section.) I've read a couple of quickstart posts and was ready to dive into the "amazingly new language", so I visited https://developer.apple.com/swift/resources/ in order to get my hands on some nifty tutorials and what did I get? I downloaded a Lister XCode project, opened it, switched build target to My Mac, started the build and... all I got was a couple of windows telling me to become a developer for 99 bucks.
I'm pretty new to all this locked-in-itself Mac/OS X/whatever ecosystem and, coming here from mostly free and painful Linux, I find these little things really repulsive, so I hope that this problem is really in my head and I can run exemplary code without paying $99.
If this is an off-topic question, please point me in the right direction (except for the case when you think I should crawl into some dark corner and cry about how hard thing in real life are).
Update. This issue seems to have a happy ending. As some of you mentioned in the comment section and in your answers, I should've disable the code signing feature for the project in order to build and run it. The confusion was all mine when I did disable the signing procedure for the sub-projects that interested me (ListerOSX and its dependencies), but as it turned out, in order to successfully compile and launch the project, one also should disable signing for all the sub-projects (targets, whatever). E.g. if you are launching ListerOSX, make sure you've disabled signing for Lister Watch app etc.
Seeing as this was at least a bit subtle for me, of whom you might say 'Mac development newbie', I'd still ask you not to close the question but rather leave it open: should anyone else stumble into the same problem, my story might actually help.
Recent versions of Mac OS X will not allow software to run unless it is signed by a developer, or the user is technically savvy enough to bypass gatekeeper (which is not very hard. Just right click on the app and select "open", and then the unsigned software will run).
This is an attempt by Apple to block malware distribution. If malware is not signed, then users who are likely to fall for malware will not know how to make it run. If malware is signed, then Apple can can pass the signature (and associated contact details) to the FBI who will try to organise a lengthy jail term.
What this means for you, as a developer, is you need to either get a certificate or accept that your software will only run with gatekeeper turned off.
The normal mac developer program is $99/year and includes a whole bunch of stuff that makes it well worth the price. However there is a free "Developer ID" membership level that only gives you the ability to sign your apps.
So, you've got three options:
sign up for a free developer account and sign with that
sign up for a paid account
don't sign your code and accept that it will not pass gatekeeper. just disable code signing in your "release" builds. It's already disabled by default in "debug" builds.
Disable code signing via on all targets in the project settings. Code signing with an official Apple certificate requires a paid account. You can still sign your code to identify yourself as the author, but it will not pass Gatekeeper automatically and you will not be able to sign directly from Xcode.