Code Signing – how difficult can it be?

Until fairly recently most of our audience has tended to be early adopters and, as a result, largely technical. This meant that we’ve been able to get away without code signing the software. We simply posted a message on the site explaining what to do in the event that they hit the “Unknown Publisher” warning message. Now that we are seeing a wider audience downloading and using Skore, we decided it was time to do what every good developer should do and start signing our applications properly. So how difficult can it be?

Cost first

Our first concern was cost: it had to be as cheap as possible, even if that meant a little more of a technical headache, which we could deal with to keep costs down. I spent a lot of time trawling Google and reading blogs. Some of the mainstream providers offered certificates that covered both Windows and Mac, but these were around the $500 mark for a year. I’d also read at least one article that suggested I could only get a Mac certificate from Apple. I was worried I’d end up forking out for something that didn’t work anyway.

After a whole heap more research, this is what we found. Due to recent changes in the Gatekeeper app in OSX, only Apple-issued certificates will be recognised; however, these are available to you by signing up to the relevant developer program for under $100 per year. The cheapest Certificate Authority we found for Windows Authenticode certificates is Ksoftware, from Comodo, at $95 for a year.

Identity validation

So it’s just a case of getting out the credit card? No. Part of what you’re paying for is the validation service: the act of proving who you, or your company, are. As we needed to get our certificates from two different providers, it meant two different validation processes that were both slightly different.

For both you start by filing an application, for which you must provide various pieces of information about the company. For Apple you need to provide a DUNS number. I’d never heard of this before, but the process was pretty painless: I applied for one at Dun & Bradstreet and it arrived via email a few minutes later.

In both cases they went to the extent of checking our company details against the registering authority and contacting us via telephone to confirm. This means that your company address and phone number need to match up and be in the public domain. In the United Kingdom your company needs to be registered at Companies House.

Ksoftware also checked our website and came back to me to query why the registrant details of the domain did not match the company details. Of course, we bought the domain before we set up the company. This took a few hours to get changed and updated. They also wanted to see our business listed in one of the many online directories with address and phone number. Again this wasn’t difficult to set up, but it meant further delay as I had to wait until my ticket was picked up again.

Certificate delivery

Once you’ve been approved, picking up the certificates differed by platform and by browser. On the Mac it was pretty easy: simply launch Xcode and go to Accounts, where you’ll see your certificate and can export it.

At Ksoftware it was a bit trickier. They send a link via email to collect your certificate, but it must be opened in the exact same browser you used to order it in the first place. I used Chrome and, as a result, the certificate was stored in the keychain on my Mac. Once I had located it there I could easily export it.

However, I realised some of the information in the certificate was incorrect, so I contacted Ksoftware and they re-issued it. This time I used Firefox and the process was different: the certificate was stored within the preferences section of Firefox, but was easy to export once I found it.

As a result we’re now able to distribute our software properly signed. All in all it took about 10 days from when we decided to go ahead until we had a signed build of each app.