Since Microsoft got religion around security, and especially since SP2, developers have been faced with the Unknown Publisher problem. Any application that has not been signed with a digital certificate from a trusted CA (Certificate Authority) displays a message that the publisher is Unknown, with a more forceful warning than in previous versions of Windows. This presents a problem for the smaller developer, in that a code signing certificate from Verisign costs $400/yr or more. Since most software is downloaded from the Internet, the Unknown Publisher message might make the user think the software is spyware and should not be trusted. Even worse, a company-wide policy may prohibit the installation of the software no matter what the user thinks. The red shield shown in the photo below is the same one used in the Control Panel's Security Center, where it indicates a serious security risk; IMHO they should have used a different symbol.
Just to keep Microsoft honest in all of this, I checked on downloads from MSDN and couldn't find one that had not been code signed. So at least they are playing by their own rules; of course, $400 for Microsoft isn't even beer money. What started me looking at code signing again is that not only is Windows XP checking publishers' signatures, so are major application providers such as Intuit for the QuickBooks product line. Would you appreciate an unsigned and untrusted application accessing your accounting data?
Well, after doing some research I found that other Certificate Authorities also provide code signing certificates. Just as the prices of SSL certificates have dropped with providers such as GoDaddy, other code signing certificates are recognized by Windows XP. The one I settled on was from www.instantssl.com, which is produced by the Comodo group; this certificate cost me $99/yr, ¼ the price of a Verisign code signing certificate. To get a certificate you have to prove who you are; depending on whether you are representing a company or a person, different documents are needed. This has since been automated for SSL certificates for web servers, but it only took 4 hours to get my certificate issued, well within the 2 days promised. They also have documentation on how the code signing process works and how to use it with Microsoft's SDKs. Once you have the certificate you can use it to sign all of the applications that you produce for any Windows operating system. The question you may be asking is whether it worked as well as a Verisign certificate; the answer is a resounding yes, as shown below.
Again, even this isn't totally reassuring in that the shield is now yellow, but it is better than red, and if the publisher is trusted no message may be shown at all. One caveat is that Microsoft requires a Verisign certificate in order for you to go through any Microsoft certification testing. The reason for this is that Verisign also does Microsoft's testing, so for $300 more I would buy one if this becomes an issue; you are allowed to have multiple code signing certificates. On the other hand, $99 can at least get you familiar with how to use code signing, and may increase your downloads. Once you install the certificate on your computer you will not get any message, so it is a good idea to test your application on another computer. Click here for a complete list of Microsoft trusted root CAs, and please feel free to post your anonymous comments below.
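As an added example (not code from the original post), here is the sign-then-check routine in PowerShell: it signs the installer with the SDK's signtool, then inspects what Windows will actually evaluate (signature status, signer, chain root) and flags the case the last paragraph warns about, where the signer certificate is already trusted on the build machine. The file paths, the PFX password and the timestamp URL are placeholders you must replace.

```powershell
# Added example, not part of the original post. Paths, password and timestamp
# URL below are assumptions/placeholders; substitute your own values.
param(
    [string]$Exe       = 'C:\build\MyApp-Setup.exe',             # assumed installer path
    [string]$Pfx       = 'C:\keys\codesign.pfx',                  # assumed exported certificate + key
    [string]$PfxPass   = 'CHANGE-ME',                             # placeholder; prompt for it in real use
    [string]$Timestamp = 'http://TIMESTAMP-SERVER-PLACEHOLDER/'   # assumed: your CA's Authenticode timestamp URL
)

# 1. Sign with signtool from the Platform SDK. /t adds an Authenticode timestamp so
#    the signature remains valid after the one-year certificate expires.
& signtool.exe sign /f $Pfx /p $PfxPass /t $Timestamp /v $Exe
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# 2. Verify the way Windows does: Status must be Valid and the chain must end at a
#    root present in the Trusted Root Certification Authorities store.
$sig = Get-AuthenticodeSignature -FilePath $Exe
if (-not $sig.SignerCertificate) { throw "No signature found on $Exe (status: $($sig.Status))" }
"Status : $($sig.Status)"
"Signer : $($sig.SignerCertificate.Subject)"
"Issuer : $($sig.SignerCertificate.Issuer)"

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($sig.SignerCertificate)) {
    # Each entry explains why the chain did not build (untrusted root, revoked, expired ...)
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) - $($_.StatusInformation)" }
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Root   : $($root.Subject)"

# 3. Why the post says to test on another computer: if this signer is in the user's
#    Trusted Publishers store, Windows shows no prompt here, which tells you nothing
#    about what a customer on a clean machine will see.
$thumb   = $sig.SignerCertificate.Thumbprint
$trusted = Get-ChildItem Cert:\CurrentUser\TrustedPublisher | Where-Object { $_.Thumbprint -eq $thumb }
if ($trusted) {
    "NOTE: signer is already a Trusted Publisher on this machine; repeat the check on a clean PC."
}
```

Run it on a machine that has never had the certificate imported to see the same result a downloading user gets.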