Insights From an Indie Developer Regarding Code-Signing for Windows
2022-03-23 Filed in: Development
Code signing indicates to an end user where / who an executable binary came from and that it has not been modified along the way. That's what it is, that's what it does, that's what it's for.
Both Apple and Microsoft have built systems on top of this concept to encourage developers to code sign their software. While at a glance these systems seem optional, the unspoken reality is that commercially available software needs to be code signed.
Will an app still launch if it is not code signed? On Windows, yes. The user will be presented with unknown publisher warnings, but the executable can still be launched. To mitigate this, code sign the executable with a Micirosoft Authenticode signature.
My most recent experience purchasing a certificate went smoothly, however the reseller seems to have earned themselves a poor reputation in the time since so I have removed references to them from this blog post.
Be sure your business details there are up to date with D&B or the process will incur significant delays. I've heard reports of delays ranging from weeks to months. I can personally confirm first hand that for a client the process took several months.
What's the difference between these two types of certificates? Technically, the amount of identity validation. The issuer is supposed to take extra steps to validate the identity requesting an EV certificate. Additionally, software signed with an EV certificate is granted instant SmartScreen score. This means the end user won't see the "Smart Screen protected this PC." blue dialog. When SmartScreen steps in, the user has to click "More Info" and then "Run Anyway."
Which certificate is best for you will depend a lot on what your needs are. If your business is suffering because of SmartScreen warnings, it may be a good business decision to get an EV certificate. If you're like me, just making Windows apps because you happen to be able to, I'm okay with my personal "Tim Parnell" click run anyway certificate.
[2022-03-26] Sectigo may not be using D&B for business validation anymore. I cannot confirm this because of the experience my client just had (finally resolved December 2021).
[2022-09-08] The CA/Browser Forum has voted upon changes to certificate delivery such that certificates will no longer be delivered as files as of November 15, 2022. Because of this I have removed references to my code signing tool from this blog post. Additionally, the reseller mentioned in this blog post has earned themselves a poor reputation recently and so I have removed my links to them.
Both Apple and Microsoft have built systems on top of this concept to encourage developers to code sign their software. While at a glance these systems seem optional, the unspoken reality is that commercially available software needs to be code signed.
Will an app still launch if it is not code signed? On Windows, yes. The user will be presented with unknown publisher warnings, but the executable can still be launched. To mitigate this, code sign the executable with a Micirosoft Authenticode signature.
Purchasing a Code Signing Certificate
Purchasing a Micirosoft Authenticode signing certificate can be done directly from a certificate authority or from a reseller. Resellers can offer significant discounts, and I personally just had to switch to a reseller when the vendor I selected ended their developer friendly pricing program.My most recent experience purchasing a certificate went smoothly, however the reseller seems to have earned themselves a poor reputation in the time since so I have removed references to them from this blog post.
The Process of Verifying Your Identity
To get a certificate issued to a business name the issuer will verify the business registration through D&B. Oddly this seems to be the rule amongst issuers. Government records don't seem to always satisfy, but a D&B registration will.Be sure your business details there are up to date with D&B or the process will incur significant delays. I've heard reports of delays ranging from weeks to months. I can personally confirm first hand that for a client the process took several months.
Extended Validation (EV) vs. Organization Validation (OV)
There are two types or "levels" of Authenticode certificates. It's comparable to the days where more expensive SSL certificates would bless your website with "the extra secure green bar." An Extended Validation (or EV) certificate requires extra verification steps and is only issued to a registered business. An Organization Validation (OV) certificate is easier to acquire and can be issued to an individual.What's the difference between these two types of certificates? Technically, the amount of identity validation. The issuer is supposed to take extra steps to validate the identity requesting an EV certificate. Additionally, software signed with an EV certificate is granted instant SmartScreen score. This means the end user won't see the "Smart Screen protected this PC." blue dialog. When SmartScreen steps in, the user has to click "More Info" and then "Run Anyway."
Which certificate is best for you will depend a lot on what your needs are. If your business is suffering because of SmartScreen warnings, it may be a good business decision to get an EV certificate. If you're like me, just making Windows apps because you happen to be able to, I'm okay with my personal "Tim Parnell" click run anyway certificate.
Code Signing Your Software
Once you have a Microsoft Authenticode signing certificate it's actually much easier to code sign on Windows than it is for macOS. What files need to be signed is the topic of many discussions. I am always interested in hearing additional information about this topic. From what I've discovered, only executables that the user will launch need to be signed. In other words, the installer.exe and the main MyApp.exe need to be signed.Updates
I hope this clears some things up. If I am mistaken about anything please don't hesitate to reach out to me! My email address is support@strawberrysw.com[2022-03-26] Sectigo may not be using D&B for business validation anymore. I cannot confirm this because of the experience my client just had (finally resolved December 2021).
[2022-09-08] The CA/Browser Forum has voted upon changes to certificate delivery such that certificates will no longer be delivered as files as of November 15, 2022. Because of this I have removed references to my code signing tool from this blog post. Additionally, the reseller mentioned in this blog post has earned themselves a poor reputation recently and so I have removed my links to them.