So my situation:
I built an Sideloaded UWP app with Visual Studio. Visual Studio can create an .pfx certificate that is temporary for 1 year. After that you have to recreate another certificate. The year for my certificate is almost over. Now I was thinking of buying such a certificate with more than 1 year of a lifetime.
Now my problem is that I absolutly don´t understand what I actually have to look for. When searching for certificates I find all kinds of SSL Certificates. Do I need SSL certificates for my case? Because it seems this is some web related certificate. Then there are EV OV DV, S/MIME Email Certificates and everything just does not seem right.
Code Signing OV is the closest I could find.
There also are alot of other different Code Signing certificates. Some list details like: "Authenticode, Office VBA, Java, Adobe Air, Mac / OSX, Android"
Some other just list the detail "Multiplatform" on like 5 different offers that all look the same and when you look into the description those informations are probably important: "32- und 64-Bit-Files like .exe, .cab, .dll, .ocx, .msi, .xpi, .xap and Kernel-Software" + "SHA-1".
Then there are CodeSignings like this "Microsoft Authenticode (Multi-Purpose)" with "SHA-2"
And this are just a few examples. There are alot offers and I understand neither of them. Just give me a working .pfx file.
Anyway
I was hoping that someone could help me understand on what I should be looking for if I want to have a certificate for my Sideloaded UWP app similar to the certificate that Visual Studio can create.
You need a code signing certificate which can be bought from digicert for example. Please refer to the their support page for more information about how it works.
If you need a public certificate, you'll find a special offer on this link.
Related
I have developed an application and want to publish to the microsoft store. I have tried using advanced installer but unless I pay $500 I cannot publish it i think using the trial version? I have also tried using MSIX Package (Windows) but then I need to digitally sign it, and then I can't add logos and etc. I also do not know how to get a certificate and convert it to .pfx format for this to work.
Honestly, this process has just made me want to stop, which is unfortunate. So I am trying to find a service or someone that I can pay to package my .exe app to an MSIX, signed and everything so that I can just upload it to the store on my account..but I cannot find anything on google.
Does anyone know of a service, or even a better application that has better guides for MSIX packaging and signing? Advanced Installer is pretty extensive, but their guides are based on MSI, not MSIX. Not worth paying $500 for when they are not even current with Microsoft Stores required format.
FYI - to get a useful answer around here it helps if you place specific questions (i.e. split your question into multiple ones, like: Do I need to digitally sign an application for the MS Store?; how do I add logos...?)
Back to your problem. I work on the Advanced Installer and I will try to give you some advice to help clear a part of your problems.
First of all, to publish an application in the Microsoft Store you don't need a certificate. As explained in our guide, in your Store developer account you will find a package identity assigned to your application, here is an example:
The value that starts with CN=... must be copied and pasted into your Advanced Installer project, on the Package Information page, under the ID field. Make sure Digital Signing is disabled in your project. (You need to digitally sign the MSIX only when you deploy it outside the MS Store)
This identity will allow the MS team to certify you as the owner of the application. Once Microsoft approves your application submission, the MSIX package you upload will be signed with a Microsoft digital certificate. All MSIX packages uploaded in the store are signed by Microsoft.
I don't know how complex your application is, but most apps can be packaged with the free Advanced Installer Express edition. Have you tried that? The commercial editions include additional features, but you might not need them.
MSIX Hero is pretty great and is open source. Assuming your application is just a directory of files containing one or more EXEs just click "pack directory to MSIX"
Then select the folder containing your application files and the EXEs you want to create shortcuts for in the start menu. It will pull a lot of the package metadata from the metadata in the EXEs.
If you are publishing to the Windows store you don't need to sign the package.
If you do want to sign it for distribution outside the store the options for that are pretty easy to use as well. The only issue is you will need a code signing certificate, which is ~$300 a year.
I am looking for a certifier for my Windows app, and I am wondering which certificate type I should choose for the application of my startup. I saw that there are mainly two types - so-called OV and EV certificates. A quick summary from SSL.com (for code-signing a desktop application)
An EV code signing certificate offers an immediate reputation with Microsoft SmartScreen, so your users will never have to click through a SmartScreen warning in Windows.
With an OV certificate, SmartScreen reputation must be built organically, as users download and install your files. SmartScreen warnings may occur until enough software proves sufficiently popular with Windows users for SmartScreen to view it as “well known.”
I understand the differences, and most articles refer to them in the use-case of Web SSL certificates. But would you recommend an EV certificate for a desktop application from a startup? Or is it not worth the money? Any help is highly appreciated!
The real answer here is that you need to be able to cover the cost of the cert, only you know whether you will make enough money from your app for it. The increase in downloads between the two is unlikely to be very big.
Taking SSL.com as an example, OV certificates are offered for 2 years at $232 but EV is $598. If you think that the fairly small percentage increase in downloads will cover this then go for it. It will look more professional that way. After all, $366 to a popular app is peanuts. But if you think your app will not be popular or won't make money, don't waste your cash.
Executables and DLL's can be digitally signed. It suggests trust to the user.
However, my research upon this topic is slowly leading nowhere. I think I need a complete step-by-step idiot's guide on how to digitally sign binaries, directly upon compilation. What I mean is: Click on "Build" and retrieve a signed executable. I really don't want to manually sign everything myself.
Visual Studio has a "Signing" tab in project properties, so I guess I have to look there. It seems like I need a .pfx file for that. But where exactly do I get one that contains my name and how do I use it correctly?
Also, does this cost money? - Per binary / only once / not at all?
Example of a signed binary:
I have always signed my dlls and applications manually. To make your signature last even after code sign certificate expires you need to add a timestamp to the signature.
To sign a dll/exe you need to buy the codesign certificate but there are CAs (i.e. if you are open source developer) where you can get it for free. One of them is Cetrum CA (which I am currently using). Take a look here. The process of obtaining it is a torture, but the certificate itself is OK. (it doesn't work with all browsers - use FF, single signon needs to be done on every page and mails are in Polish language.)
Timestamp can be obtained for free (i.e. from the link in Hanselmans blog or you can find a list of free RFC 3161 compliant timestamp authorities here)
Due to mysteries preventing me from using a certificate issued by thawte from code signing a DMG file, and the need for some expediency, I'm going to try to convince my boss to get us a development license with apple. If nothing else, there is at least product support...? Anyways:
I gather that the developer's license is $100/year. Beyond that, what does it cost to have them issue a certificate for code signing?
Your $100.00 developer account will let you create as many certificates as you need for one or multiple apps. For IOS you typically create provisioning licenses for development, so that your test users can try your app before apple approves it. This isn't needed on the Mac however. You should be able to just build your app and deploy it however you like without Apple being involved.
You don't say in your post, but I'm assuming that you are planning to sell the application through the Mac App Store? If you are planning to use the App Store, or Mac App Store, when you are ready to publish your app, you create another signing certificate, used only when you submit for review. If you are self publishing, be aware that the certificates Apple issues typically have short expiration dates, and you may have to re-sign your distribution bundle in a few months.
I hope this was helpful.
I had a hard time finding anything concrete on Apple websites, but looking bellow on the sites I found, it sure seems you have to pay Apple to get your app signed, even if it won't go in the Mac App Store. I didn't thought you need to pay for that. It sucks for open source apps. :/
http://www.realsoftwareblog.com/2012/08/code-signing-real-studio-apps-on.html
Unfortunately, to sign your apps you need a developer certificate from
Apple. And the only way to get a Developer Certificate is to sign up
for the Mac Developer Program, which costs $100 a year. However, the
certificate you get is good for 5 years, so it looks like you do not
need to pay the $100 fee each year unless you also want to distribute
apps in the Mac App Store.
http://successfulsoftware.net/2012/08/30/how-to-sign-your-mac-os-x-app-for-gatekeeper/
Sign up for Apple Developer Connection ($99 per year). Doesn’t matter if you already paid through the nose for a Windows authenticode
certificate. Gatekeeper only accepts Apple certificates, so you have
no choice. On the plus side, you do get other benefits, including
downloading new OS upgrades for free.
http://www.cocoabuilder.com/archive/cocoa/315419-how-to-get-mac-codesign-certificate.html
You need to buy it from a certificate authority, like Thawte or
Verisign (or one of the myriad resellers) and they will all be happy
to sell you one at prices that range from around $80 to around
$500/yr. Alternatively, you can get a certificate from Apple as part
of the OS X Developer Program, which will cost you the extra $100/yr
but also includes beta access to OS X system software.
...
Prior to Mountain Lion, the only advantage of buying a cert from a
known authority is for the firewall system preference "Automatically
allow signed software to receive incoming connections" (which by the
way is a really stupid preference, IMO). The disadvantage of such
certs is that they usually expire relatively quickly, in one or two
years.
Mountain Lion changes the game a bit. It eliminates a lot of the
advantage of 3rd party cert authorities, because only Apple's cert
will allow your app to run, so if you're not going to get a cert from
Apple (I don't think I can discuss the terms here), you might as well
self-sign.
Actually the cheapest for 1 year is $200 but it get it also at $500 from Symantec :)
https://www.sslshopper.com/apple-code-signing-certificates.html
I am currently looking for a "Windows 7 compatible" certification, and to get it, you need to implement code signing. Now I look for a cheap certificate, and I found some cheap alternatives to Verisign certificates in Stack Overflow question Cheapest Java code signing certificate? (not self-signed).
I found comments somewhere on the Internet that Microsoft only accepts certificates. Is this true, or can I go with the Comodo certificate?
It's not obvious, but on that same site for the logo, there's a link for getting a certificate at a significant discount. I seem to recall it was US$100 instead of US$500? And that's from Verisign. I took a client of mine through it and getting the certificate was the easy part of the process :-)
Update: this page http://msdn.microsoft.com/en-us/windows/ff718579.aspx makes it clearer:
Submissions for the Compatible with Windows 7 Software Logo Program will only be accepted through Winqual. To establish a Winqual account for your company (a prerequisite for creating user accounts), you must establish your company’s identity using a VeriSign Certificate. There are two VeriSign certificates supported by Winqual for creating company accounts...
Basically you must have a Verisign certificate of some kind, but it doesn't need to be a code signing one. You can use a US$99 one just to prove you are you, and then buy your code signing one from anyone in the PDF you can download from http://support.microsoft.com/kb/931125 (it appears to include Comodo). Or you can buy your code signing from Verisign and cover both bases. This is also where you can find the link to the US$99 first year offer.